Add cargo-deny check to CI #661
Conversation
[cargo-deny](https://github.com/EmbarkStudios/cargo-deny) is an amazing tool that protects from:

* duplicated crates (code bloat)
* copy-left licenses in the dependency tree
* RUSTSEC advisories

Try it:

```sh
cargo install cargo-deny
cargo deny --all-features --log-level error check
```
Oh wow. This is very nice! I guess I should hold off on that 2.8.0 release and see if we can get this in.

Great! Thanks!
Hi @emilk, this is new to me. So when we now have a problem with duplicates: https://github.com/algesten/ureq/actions/runs/6361674777/job/17276257519 What do we do?
Often you can solve it by strategically downgrading or upgrading some crates using Sometimes you need to make a PR to an upstream package, or poke their maintainer to release a new version. For small duplicate dependencies you can add an exception in In this case I believe you can solve it with This will update the versions in

Perfect! Thanks for the explanation. I didn't know the Thanks!
You did this: `url = "=2.3.1"`, which is NOT the same. This forces url 2.3.1 on all downstream users of It is almost never the right choice to use

Right. So what you're saying is that we are only going to make the lock file have 2.3.1, which satisfies

Exactly - consumers will have to do a similar
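A `deny.toml` covering the three checks listed in the PR description, with a `skip` entry of the kind the exception discussion above refers to. This is an added example, not ureq's own configuration: the crate name, version and license list are placeholders, and the keys are those of the cargo-deny 0.14 configuration format.

```toml
# Added example deny.toml (not the ureq project's file); the crate name,
# version and license list below are placeholders chosen for illustration.
# Keys follow the cargo-deny 0.14 configuration format.

[advisories]
# Fail the build on RUSTSEC vulnerabilities; only warn on the softer classes.
vulnerability = "deny"
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# Advisory IDs to waive, each documented with a reason (empty here).
ignore = []

[licenses]
# Anything not on this allow list is rejected, which is what keeps
# copy-left licenses out of the dependency tree.
allow = ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]
confidence-threshold = 0.8

[bans]
# This is the check that failed the CI run discussed above: the same
# crate resolved at two different versions in Cargo.lock.
multiple-versions = "deny"
wildcards = "deny"
# For a small duplicated dependency that upstream has not reconciled yet,
# add an exception here instead of pinning with "=" in Cargo.toml.
skip = [
    # placeholder: the older copy of a crate that one dependency still needs
    { name = "example-dup-crate", version = "=0.1.0" },
]

[sources]
# Only crates.io; a git or alternate-registry dependency fails the check.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

Run `cargo deny check` at the workspace root; the `[bans]` section only reflects what CI will build if `Cargo.lock` is committed.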
Inspired by ureq [doing the same](algesten/ureq#661) This will help us keep track of our dependencies and make sure we aren't using ones with the wrong licenses.
Related issue: cargo-deny to prevent duplicate dependencies #653

Note that this requires the `Cargo.lock` file to be checked in.