Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Add deny.yaml and a cargo deny CI job to check dependencies #3005

Closed
wants to merge 1 commit into from
Closed

chore(deps): Add deny.yaml and a cargo deny CI job to check dependencies #3005

wants to merge 1 commit into from

Conversation

iamjpotts
Copy link
Contributor

@iamjpotts iamjpotts commented Jan 23, 2024
edited
Loading

cargo deny checks for dependencies with vulnerabilities, vulnerability advisories, unmaintained crates, duplicate dependencies, and other issues.

  • Add deny.yaml
  • Add exceptions for warnings without a resolution available
  • Add license line license = "MIT OR Apache-2.0" to sqlx-test crate to satisfy license checker. This license spec matches what is already in the workspace Cargo.toml file
  • Change sqlx-test crate to reference sqlx crate via workspace=true rather than a path`
  • Change Cargo.toml at workspace root to reference sqlx-test using its version number

@iamjpotts
Copy link
Contributor Author

Made the tempdir -> tempfile replacement its own PR: #3006

@iamjpotts iamjpotts force-pushed the 20240122-cargo-deny branch 3 times, most recently from c0f6b85 to 1ed24b5 Compare January 23, 2024 14:11
@iamjpotts
Copy link
Contributor Author

Moved env_logger upgrade to its own PR: #3009.

@iamjpotts
Copy link
Contributor Author

Moved criterion crate upgrade to #3010.

@iamjpotts iamjpotts force-pushed the 20240122-cargo-deny branch 2 times, most recently from 86567fc to b3c2400 Compare January 26, 2024 13:42
@iamjpotts iamjpotts force-pushed the 20240122-cargo-deny branch from b3c2400 to e63b3b7 Compare January 31, 2024 01:14
@iamjpotts iamjpotts force-pushed the 20240122-cargo-deny branch from e63b3b7 to 3a0415a Compare March 19, 2024 02:52
@iamjpotts iamjpotts force-pushed the 20240122-cargo-deny branch from 3a0415a to 57217f7 Compare July 11, 2024 00:11
@iamjpotts
chore(deps): Add deny.yaml and a cargo deny CI job to check dependenc…
259fe4f 
…ies for vulnerabilities

Signed-off-by: Joshua Potts <8704475+iamjpotts@users.noreply.github.com>
@iamjpotts iamjpotts force-pushed the 20240122-cargo-deny branch from 57217f7 to 259fe4f Compare July 11, 2024 00:14
@iamjpotts
Copy link
Contributor Author

Related: #1297

@abonander
Copy link
Collaborator

I'm not super interested in this. Too many RUSTSEC advisories are filed for trivial things like crates being unmaintained (it's only an issue if there's also high-impact bugs and PRs aren't getting merged) and our CI breaks enough as it is. Weak features in Cargo also result in a lot of false-positives (#3211).

For issues that really matter, people are pretty quick to call them out or open a PR anyway.

@abonander abonander closed this Jul 16, 2024
@iamjpotts iamjpotts deleted the 20240122-cargo-deny branch August 21, 2024 01:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@iamjpotts @abonander