Python/uv - uv - Gitea: Git with a cup of tea

Commit Graph

Author	SHA1	Message	Date
Zanie Blue	21b9f62dbf	Update "Viewing the version" docs (#13241 ) Updates this section for - #12349 - #13108	2025-05-01 08:55:52 -04:00
Charlie Marsh	a261995449	Use base client pattern in more sites (#13227 ) ## Summary For consistency. No functional changes.	2025-04-30 20:00:59 -04:00
Meitar Reihan	0593b967ba	Add `python-downloads-json-url` option for `uv.toml` to configure custom Python installations via JSON URL (#12974 ) ## Summary Part of #12838. Allow users to configure `python-downloads-json-url` in `uv.toml` and not just from env. I followed similar PR #8695, so same as there it's also available in the CLI (I think maybe it's better not to be configurable from the CLI, but since the mirror parameters are, I think it's better to do the same) ## Test Plan <!-- How was it tested? -->	2025-04-30 15:52:11 -04:00
Meitar Reihan	5ee54b4fa3	minify and filter embed managed pythons json on compile time (#12967 ) ## Summary In #10939 I added the generated `crates/uv-python/src/download-metadata-minified.json` file which is a minified version of `crates/uv-python/download-metadata.json`. The main reason for this PR is to avoid bloating the git objects as this is a single-line file. As a bonus, I also filtered the embed json to include only the versions for the compiled target. Which should improve the binary size and performance by a bit. ## Test Plan <!-- How was it tested? -->	2025-04-30 15:51:03 -04:00
Zanie Blue	481d05d8df	Bump version to 0.7.2 (#13240 )	2025-04-30 14:01:58 -05:00
Aria Desires	f91b4aeb66	hard error `uv version` for more cli flags (#13203 )	2025-04-30 17:39:11 +00:00
Zanie Blue	671d609127	Improve trace log for retryable errors (#13228 ) Previously, this looked like > TRACE Considering retry of error: Error { kind: WrappedReqwestError(Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("pkgs.dev.azure.com")), port: None, path: "/My-Project-Name/_packaging/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/pypi/download/rr-config/4/rr_config-4.0.0-py3-none-any.whl", query: None, fragment: None }, WrappedReqwestError(Reqwest(reqwest::Error { kind: Status(405), url: "https://pkgs.dev.azure.com/My-Project-Name/_packaging/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/pypi/download/rr-config/4/rr_config-4.0.0-py3-none-any.whl" }))) }	2025-04-30 12:29:47 -05:00
Zanie Blue	d8e472cfa8	Use "error" instead of "warning" for self-update message (#13229 ) Closes https://github.com/astral-sh/uv/issues/13221	2025-04-30 12:23:30 -05:00
Zanie Blue	a9ab39ad6f	Fix patching of `clang` in managed Python sysconfig (#13237 ) Regressed in https://github.com/astral-sh/uv/pull/12239/files#r2069106892 because additional entries override the previous one in the mapping. Now, we can apply multiple patches in-order. Closes #13236	2025-04-30 12:23:22 -05:00
konsti	9ea0fdcee9	Respect `--project` in `uv version` (#13230 ) Previously, we were using the wrong `Workspace` discovery and would report the version of the workspace root, which would iterate up from the `--project` directory and return the workspace root (with or without a project in the root). Instead, we need `ProjectWorkspace` discovery that returns the closest project. This fixes `uv version --project <path>` where `<path>` belongs to a workspace member. Fixes #13213	2025-04-30 16:11:50 +00:00
Zanie Blue	3a87b6374a	Fix incorrect venv invalidation for pre-release Python versions (#13234 ) I think this regressed in https://github.com/astral-sh/uv/pull/13027 — I misunderstood what versions could be represented in the `pyvenv.cfg` (I assumed they _never_ included pre-release components). Closes #13233	2025-04-30 10:55:22 -05:00
Fernando Pérez-García	9558a86e65	Fix PR links in CHANGELOG (#13220 ) <!-- Thank you for contributing to uv! To help us out with reviewing, please consider the following: - Does this pull request include a summary of the change? (See below.) - Does this pull request include a descriptive title? - Does this pull request include references to any relevant issues? --> ## Summary <!-- What's the purpose of the change? What does it do, and why? --> I noticed a couple of broken links in the release description, so I'm fixing them here.	2025-04-30 12:22:19 +02:00
konsti	dfec52bf51	Fix changelog indentation level (#13219 ) <!-- Thank you for contributing to uv! To help us out with reviewing, please consider the following: - Does this pull request include a summary of the change? (See below.) - Does this pull request include a descriptive title? - Does this pull request include references to any relevant issues? --> ## Summary <!-- What's the purpose of the change? What does it do, and why? --> ## Test Plan <!-- How was it tested? -->	2025-04-30 10:11:49 +00:00
konsti	90f46f89a5	Bump version to 0.7.1 (#13218 ) Revert fix handling of authentication when encountering redirects ([#13215](https://github.com/astral-sh/uv/pull/13215))	2025-04-30 11:41:55 +02:00
John Mumm	c73819371c	Revert fix handling of authentication when encountering redirects (#13215 ) These changes to redirect handling appear to have caused #13208. This PR reverts the redirect changes to give us time to investigate.	2025-04-30 10:53:10 +02:00
Charlie Marsh	6bce5d712f	Add support for BLAKE2b-256 (#13204 ) ## Summary You can upload these to PyPI and `warehouse` will validate them.	2025-04-29 18:39:41 -04:00
Charlie Marsh	62bca8c34c	Stylize version warning with bold, yellow, etc. (#13202 )	2025-04-29 16:37:00 -05:00
Zanie Blue	1e8e08def2	Bump version to 0.7.0 and write changelog (#13201 ) The changelog diff is deranged. Rendered at https://github.com/astral-sh/uv/blob/zb/changelog-07/CHANGELOG.md#070 --------- Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com> Co-authored-by: Brent Westbrook <36778786+ntBre@users.noreply.github.com>	2025-04-29 16:37:00 -05:00
Zanie Blue	f84faf726a	Make uv’s first-index strategy more secure by default by failing early on authentication failure (#12805 ) uv’s default index strategy was designed with dependency confusion attacks in mind. [According to the docs](https://docs.astral.sh/uv/configuration/indexes/#searching-across-multiple-indexes), “if a package exists on an internal index, it should always be installed from the internal index, and never from PyPI”. Unfortunately, this is not true in the case where authentication fails on that internal index. In that case, uv will simply try the next index (even on the `first-index` strategy). This means that uv is not secure by default in this common scenario. This PR causes uv to stop searching for a package if it encounters an authentication failure at an index. It is possible to opt out of this behavior for an index with a new `pyproject.toml` option `ignore-error-codes`. For example: ``` [[tool.uv.index]] name = "my-index" url = "<index-url>" ignore-error-codes = [401, 403] ``` This will also enable users to handle idiosyncratic registries in a more fine-grained way. For example, PyTorch registries return a 403 when a package is not found. In this PR, we special-case PyTorch registries to ignore 403s, but users can use `ignore-error-codes` to handle similar behaviors if they encounter them on internal registries. Depends on #12651 Closes #9429 Closes #12362	2025-04-29 16:37:00 -05:00
Charlie Marsh	11d00d21f7	Reject non-PEP 751 TOML files in install commands (#13120 ) If you pass a TOML file to `uv pip install` that isn't recognized, we should just reject it instead of assuming `requirements.txt`. I just don't see a real case where it's better to let the command proceed.	2025-04-29 16:37:00 -05:00
Charlie Marsh	3ace372158	Reject non-PEP 751 filenames in `uv pip compile` and `uv export` (#13119 ) We shouldn't let users create files that won't work in subsequent commands. Closes https://github.com/astral-sh/uv/issues/13117.	2025-04-29 16:37:00 -05:00
Zanie Blue	e8524ebea4	Fix display name for `uvx --version` (#13109 ) Based on #13108 because I don't want to deal with rebasing conflicts across `main` and `release/070`. ``` ❯ .uvx --version uv-tool-uvx 0.6.16+23 (`33b8b7340` 2025-04-25) ❯ uvx --version uvx 0.6.16+23 (`33b8b7340` 2025-04-25) ``` For posterity, chased this down via https://github.com/clap-rs/clap/pull/3693 and https://github.com/clap-rs/clap/issues/1382	2025-04-29 16:37:00 -05:00
Zanie Blue	60a164abbb	Remove `--version` from subcommands (#13108 ) Supersedes https://github.com/astral-sh/uv/pull/12439 — does not use the Clap macro so we retain control over the messages Closes #12431 `0077a67b34` pulls `uv run` and `uv tool run` test changes from https://github.com/astral-sh/uv/pull/12439	2025-04-29 16:37:00 -05:00
Zanie Blue	b6df755c9b	Omit Python 3.7 downloads from managed versions (#13022 ) Removes Python 3.7 installation support. The following are available today and would no longer be available ``` cpython-3.7.9-windows-x86_64-none <download available> cpython-3.7.9-windows-x86-none <download available> cpython-3.7.9-macos-x86_64-none <download available> cpython-3.7.9-linux-x86_64-gnu <download available> cpython-3.7.7-windows-x86_64-none <download available> cpython-3.7.7-windows-x86-none <download available> cpython-3.7.7-macos-x86_64-none <download available> cpython-3.7.7-linux-x86_64-gnu <download available> cpython-3.7.6-windows-x86_64-none <download available> cpython-3.7.6-windows-x86-none <download available> pypy-3.7.13-windows-x86_64-none <download available> pypy-3.7.13-macos-x86_64-none <download available> pypy-3.7.13-linux-x86_64-gnu <download available> pypy-3.7.13-linux-x86-gnu <download available> pypy-3.7.13-linux-s390x-gnu <download available> pypy-3.7.13-linux-aarch64-gnu <download available> pypy-3.7.12-windows-x86_64-none <download available> pypy-3.7.12-macos-x86_64-none <download available> pypy-3.7.12-linux-x86_64-gnu <download available> pypy-3.7.12-linux-x86-gnu <download available> pypy-3.7.12-linux-s390x-gnu <download available> pypy-3.7.12-linux-aarch64-gnu <download available> pypy-3.7.10-windows-x86_64-none <download available> pypy-3.7.10-macos-x86_64-none <download available> pypy-3.7.10-linux-x86_64-gnu <download available> pypy-3.7.10-linux-x86-gnu <download available> pypy-3.7.10-linux-s390x-gnu <download available> pypy-3.7.10-linux-aarch64-gnu <download available> pypy-3.7.9-windows-x86-none <download available> pypy-3.7.9-macos-x86_64-none <download available> pypy-3.7.9-linux-x86_64-gnu <download available> pypy-3.7.9-linux-x86-gnu <download available> pypy-3.7.9-linux-s390x-gnu <download available> pypy-3.7.9-linux-aarch64-gnu <download available> ``` All the CPython ones should absolutely not be available, as they're not even the last security patch release. I'm on the fence about PyPy?	2025-04-29 16:37:00 -05:00
Charlie Marsh	8bb5b63009	Make `--frozen` and `--no-sources` conflicting options (#12671 ) Alternatively, we could just warn. Closes https://github.com/astral-sh/uv/issues/12653.	2025-04-29 16:37:00 -05:00
Aria Desires	f401d9ba8f	change `uv version` to be an interface for project version reads and edits (#12349 ) This is a reimplementation of #7248 with a new CLI interface. The old `uv version` is now `uv self version` (also it has gained a `--short` flag for parity). The new `uv version` is now an interface for getting/setting the project version. To give a modicum of support for migration, if `uv version` is run and we fail to find/read a `pyproject.toml` we will fallback to `uv self version`. `uv version --project .` prevents this fallback from being allowed. The new API of `uv version` is as follows: * pass nothing to read the project version * pass a version to set the project version * `--bump major\|minor\|patch` to semver-bump the project version * `--dry-run` to show the result but not apply it * `--short` to have the final printout contain only the final version * `--output-format json` to get the final printout as json ``` $ uv version myfast 0.1.0 $ uv version --bump major --dry-run myfast 0.1.0 => 1.0.0 $ uv version 1.2.3 --dry-run myfast 0.1.0 => 1.2.3 $ uv version 1.2.3 myfast 0.1.0 => 1.2.3 $ uv version --short 1.2.3 $ uv version --output-format json { "package_name": "myfast", "version": "1.2.3", "commit_info": null } ``` Fixes #6298	2025-04-29 16:37:00 -05:00
Zanie Blue	de1479c4ef	Use index URL instead of package URL for keyring credential lookups (#12651 ) Some registries (like Azure Artifact) can require you to authenticate separately for every package URL if you do not authenticate for the /simple endpoint. These changes make the auth middleware aware of index URL endpoints and attempts to fetch keyring credentials for such an index URL when making a request to any URL it's a prefix of. The current uv behavior is to cache credentials either at the request URL or realm level. But with these changes, we also need to cache credentials at the index level. Note that when uv does not detect an index URL for a request URL, it will continue to apply the old behavior. Addresses part of #4056 Closes #4583 Closes #11236 Closes #11391 Closes #11507	2025-04-29 16:37:00 -05:00
Zanie Blue	514a7ea6df	Require the command in `uvx <name>` to be available in the Python environment (#11603 ) Closes https://github.com/astral-sh/uv/issues/7804 Includes a few small minor changes to the messaging, but the primary change is that in, e.g., `uvx foo`, if the `foo` package does not provide the `foo` executable we will no longer execute an arbitrary `foo` executable if present on the `PATH`. This prevents confusing and surprising behavior, such as the user reported where they did `uv tool install foobar` (which provides `foo`) then `uvx foo` (which does not provide `foo`) later falls back to the executable provided by `foobar` since it's on the `PATH`. We don't enforce this for `--from`, so things like `uvx --from foo bash -c "..."` are still totally valid. We also still allow `uvx foo` where the `foo` executable is provided by a _dependency_ of `foo` instead of `foo` itself. Most of the diff here is consolidating the logic of the `hint_on_not_found` and `warn_executable_not_provided_by_package ` utilities.	2025-04-29 16:37:00 -05:00
Zanie Blue	6cc2202799	Ignore arbitrary Python requests in version files (#12909 ) Closes https://github.com/astral-sh/uv/issues/12605	2025-04-29 16:37:00 -05:00
Zanie Blue	1988e209ef	Treat empty `UV_PYTHON_INSTALL_DIR` as unset (#12907 ) Same as https://github.com/astral-sh/uv/pull/12905 — found via regex	2025-04-29 16:37:00 -05:00
Zanie Blue	cac6560b4f	Treat empty `UV_TOOL_DIR` as unset (#12905 ) Closes https://github.com/astral-sh/uv/issues/8608	2025-04-29 16:37:00 -05:00
Aria Desires	318949ade6	Error on unknown dependency object specifiers (#12841 ) This reverts commit `dd788a0f47`. And relands #12811, for 0.7.0	2025-04-29 16:37:00 -05:00
Charlie Marsh	990c59ddb6	Add ROCm example to the PyTorch guide (#13200 ) ## Summary Closes https://github.com/astral-sh/uv/issues/13197#issuecomment-2839707240.	2025-04-29 15:13:13 -04:00
Charlie Marsh	241b013600	Upgrade PyTorch guide to CUDA 12.8 and PyTorch 2.7 (#13199 )	2025-04-29 15:08:13 -04:00
konsti	b1fd3e3409	Fix typo (`-r`) in changelog (#13194 ) Fixes #13193	2025-04-29 13:33:49 +00:00
Charlie Marsh	a3dae2512c	Disallow mixing requirements across PyTorch indexes (#13179 ) ## Summary If you use `--torch-backend=auto`, we want to avoid selecting (e.g.) a `+cu124` build of `torch` alongside a `+cu126` build of `torchvision`.	2025-04-28 20:06:18 +00:00
Bartosz Sokorski	6292748371	Add poetry-core as a build backend option (#12781 ) <!-- Thank you for contributing to uv! To help us out with reviewing, please consider the following: - Does this pull request include a summary of the change? (See below.) - Does this pull request include a descriptive title? - Does this pull request include references to any relevant issues? --> ## Summary <!-- What's the purpose of the change? What does it do, and why? --> This adds `poetry-core` as a build backend choice. ## Test Plan <!-- How was it tested? --> --------- Co-authored-by: konstin <konstin@mailbox.org>	2025-04-28 19:11:52 +00:00
Ahmed Ilyas	4680c9b22d	Add more default group tests and fix default groups for `uv add` (#13182 ) ## Summary Brings in a bug fix for `uv add` w.r.t default groups from https://github.com/astral-sh/uv/pull/12964, see comment: https://github.com/astral-sh/uv/pull/12964#discussion_r2060775131 Adds additional test coverage for default groups in `run`, `remove`, `add`. ## Test Plan `cargo test`	2025-04-28 15:02:43 -04:00
Ahmed Ilyas	f872917d33	Refactor `ExtraSpecification` to support `default-extras` (#12964 ) ## Summary Part of #8607. This is a pure refactor aimed at paving the way for supporting the `default-extras` configuration in the `pyproject.toml` file. The `ExtraSpecification` struct has been refactored to align more closely with the [`DependencyGroups`](`256b100a9e/crates/uv-configuration/src/dependency_groups.rs (L9)`) struct. ## Test Plan Existing tests.	2025-04-28 13:30:14 -04:00
konsti	85d8b07026	Remove flyte-short-incompatible benchmark for too many false positives (#13181 ) The benchmark has recurring false positives (https://github.com/astral-sh/uv/issues?q=flyte-short-incompatible%20), so we're removing it.	2025-04-28 18:01:34 +02:00
Charlie Marsh	bb0158d005	Use `upload-time` rather than `upload_time` in `uv.lock` (#13176 ) ## Summary In https://github.com/astral-sh/uv/pull/12968, we added support for upload time to `uv.lock`, but stylized as `upload_time`. The other keys in `uv.lock` use kebab casing, as in common in Python formats, so this really should've been `upload-time`. I want to change it ASAP to minimize churn for users. Any users that already upgraded will of course experience churn in their files a second time. But if we don't change it now, we'll only increase the surface area of affected users. So, this PR uses `upload-time` instead, but continues reading `upload_time` to make it non-breaking.	2025-04-28 11:01:17 -04:00
renovate[bot]	37bd1d9547	Update Rust crate rustix to v1 (#13168 )	2025-04-28 08:49:51 -04:00
renovate[bot]	f8f1b9c505	Update taiki-e/install-action action to v2.50.3 (#13161 )	2025-04-28 08:48:37 -04:00
renovate[bot]	6402f98cbd	Update Rust crate windows to 0.61.0 (#13159 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [windows](https://redirect.github.com/microsoft/windows-rs) \| dependencies \| minor \| `0.59.0` -> `0.61.0` \| --- ### Release Notes <details> <summary>microsoft/windows-rs (windows)</summary> ### [`v0.61.0`](https://redirect.github.com/microsoft/windows-rs/releases/tag/0.61.0) [Compare Source](https://redirect.github.com/microsoft/windows-rs/compare/0.60.0...0.61.0) Major crate updates: - `windows` 0.59.0 - `windows-core` 0.59.0 - `windows-implement` 0.59.0 - `windows-interface` 0.59.0 - `windows-targets` 0.53.0 - `windows_i686_msvc` 0.53.0 - `windows_x86_64_msvc` 0.53.0 - `windows_aarch64_msvc` 0.53.0 - `windows_i686_gnu` 0.53.0 - `windows_x86_64_gnu` 0.53.0 - `windows_i686_gnullvm` 0.53.0 - `windows_x86_64_gnullvm` 0.53.0 - `windows_aarch64_gnullvm` 0.53.0 - `windows-bindgen` 0.59.0 - `windows-registry` 0.4.0 - `windows-result` 0.3.0 - `windows-strings` 0.3.0 - `cppwinrt` 0.2.0 Minor crate updates: - `windows-version` 0.1.2 Excluded: - `windows-sys` 0.59.0 Things to keep in mind: - The tag/release names no longer map directly to the crate versions, so to [find samples](https://redirect.github.com/microsoft/windows-rs/tree/master/crates/samples) for a particular release requires looking at [the releases](https://redirect.github.com/microsoft/windows-rs/releases) page and finding the release that most recently updated a particular crate. - The `windows-bindgen` crate includes the major code generation overhaul that brings many improvements - be sure to check out the PR description for more information. The resulting code gen depends on the new version of `windows-core` and its dependencies, unless you include the `--sys` option. [#3359](https://redirect.github.com/microsoft/windows-rs/issues/3359) - The `cppwinrt` crate constitutes a major update due to streamlining the error handling. [#3415](https://redirect.github.com/microsoft/windows-rs/issues/3415) - The `windows-registry`, `windows-strings,` and `windows-result` crates are also major version updates since they include small breaking changes. - The `windows-targets` crate finally receives a major version update, the first in over a year. This is due to [#3359](https://redirect.github.com/microsoft/windows-rs/issues/3359) and [#3342](https://redirect.github.com/microsoft/windows-rs/issues/3342) potentially introducing breaking changes. Although unlikely, these updates introduced sufficient changes that make it hard to ensure that the `windows-targets` libs don't break existing code. As we're updating `windows-targets` anyway, I took the liberty to bump the MSRV to 1.60 - to match the latest version of `windows-sys` - and remove the old but unused doc macro feature. Both remained for compatibility with very old dependents of the `windows-targets` crate. - The `windows-version` crate receives a minor update to update its dependency on the `windows-targets` crate. - Beyond these specifics, this update is the culmination of around 6 months worth of work on the `windows-rs` project. The biggest improvements comes from the new code generation engine, but many other improvements are now also available for production. This includes support for many new lints, warnings, and suggestions provided by the Rust toolchain; much smaller code gen thanks to deriving many more traits; more efficient code gen; major improvements to WinRT type system and implementation support; more robust and consistent error handling; stock collection and async support; improved support for class hierarchies; and much more! In addition to "what's changed" below, check out what's changed for notes for [0.60.0](https://redirect.github.com/microsoft/windows-rs/releases/tag/0.60.0) and [0.59.0](https://redirect.github.com/microsoft/windows-rs/releases/tag/0.59.0) for additional changes that roll up to the crates published as part of this release. #### What's Changed - Remove improper_ctypes workaround by [@ChrisDenton](https://redirect.github.com/ChrisDenton) in [https://github.com/microsoft/windows-rs/pull/3296](https://redirect.github.com/microsoft/windows-rs/pull/3296) - Bump rollup from 2.79.1 to 2.79.2 in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3299](https://redirect.github.com/microsoft/windows-rs/pull/3299) - Update jsonschema requirement from 0.20 to 0.21 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3301](https://redirect.github.com/microsoft/windows-rs/pull/3301) - Address Rust nightly compiler warnings by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3311](https://redirect.github.com/microsoft/windows-rs/pull/3311) - Update jsonschema requirement from 0.21 to 0.22 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3310](https://redirect.github.com/microsoft/windows-rs/pull/3310) - Update workflows to ignore paths on pull request by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3312](https://redirect.github.com/microsoft/windows-rs/pull/3312) - Fix remaining `std` references in `windows` and `windows-core` crates for `no_std` builds by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3317](https://redirect.github.com/microsoft/windows-rs/pull/3317) - Bump cookie and express in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3318](https://redirect.github.com/microsoft/windows-rs/pull/3318) - Fix nested struct sort order by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3321](https://redirect.github.com/microsoft/windows-rs/pull/3321) - Update jsonschema requirement from 0.22 to 0.23 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3323](https://redirect.github.com/microsoft/windows-rs/pull/3323) - Add `unwrap` helper for `NTSTATUS` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3324](https://redirect.github.com/microsoft/windows-rs/pull/3324) - Bump http-proxy-middleware from 2.0.6 to 2.0.7 in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3331](https://redirect.github.com/microsoft/windows-rs/pull/3331) - Remove "implement" feature by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3333](https://redirect.github.com/microsoft/windows-rs/pull/3333) - Update web workflow by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3344](https://redirect.github.com/microsoft/windows-rs/pull/3344) - Update Windows metadata by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3342](https://redirect.github.com/microsoft/windows-rs/pull/3342) - Bump cross-spawn from 7.0.3 to 7.0.6 in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3347](https://redirect.github.com/microsoft/windows-rs/pull/3347) - fix: remove use of std in windows-strings h! macro by [@vthib](https://redirect.github.com/vthib) in [https://github.com/microsoft/windows-rs/pull/3356](https://redirect.github.com/microsoft/windows-rs/pull/3356) - Major `windows-bindgen` update by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3359](https://redirect.github.com/microsoft/windows-rs/pull/3359) - Harden reg-free class activation by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3365](https://redirect.github.com/microsoft/windows-rs/pull/3365) - Simpler bindings generation by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3367](https://redirect.github.com/microsoft/windows-rs/pull/3367) - `windows-bindgen` should generate `no_std` bindings by default by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3366](https://redirect.github.com/microsoft/windows-rs/pull/3366) - Prefer optional over convertible parameters by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3368](https://redirect.github.com/microsoft/windows-rs/pull/3368) - Remove unused extensions by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3369](https://redirect.github.com/microsoft/windows-rs/pull/3369) - Simpler code generation by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3370](https://redirect.github.com/microsoft/windows-rs/pull/3370) - Update dependencies by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3374](https://redirect.github.com/microsoft/windows-rs/pull/3374) - Simpler code gen for Boolean parameters by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3373](https://redirect.github.com/microsoft/windows-rs/pull/3373) - Remap `BOOLEAN` to `bool` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3376](https://redirect.github.com/microsoft/windows-rs/pull/3376) - Avoid generating `transmute` for input value type parameter bindings by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3377](https://redirect.github.com/microsoft/windows-rs/pull/3377) - Fix macro docs by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3378](https://redirect.github.com/microsoft/windows-rs/pull/3378) - Streamline error handling in `windows-bindgen` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3379](https://redirect.github.com/microsoft/windows-rs/pull/3379) - Improve WinRT event representation and testing by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3382](https://redirect.github.com/microsoft/windows-rs/pull/3382) - Use `track_caller` to make debugging `bindgen` build script errors easier by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3383](https://redirect.github.com/microsoft/windows-rs/pull/3383) - `windows-bindgen` now uses `Ref` and `OutRef` for COM interface traits by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3386](https://redirect.github.com/microsoft/windows-rs/pull/3386) - Add static event test/sample for WinRT by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3389](https://redirect.github.com/microsoft/windows-rs/pull/3389) - Verify param direction by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3390](https://redirect.github.com/microsoft/windows-rs/pull/3390) - Ensure external references to static factories are generated correctly by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3392](https://redirect.github.com/microsoft/windows-rs/pull/3392) - Update `windows-bindgen` to support `unsafe_op_in_unsafe_fn` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3393](https://redirect.github.com/microsoft/windows-rs/pull/3393) - Make `Ref` work with more than just interface types by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3394](https://redirect.github.com/microsoft/windows-rs/pull/3394) - Add PR preview deployments to web workflow by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3395](https://redirect.github.com/microsoft/windows-rs/pull/3395) - Adjust web workflow to use gh-pages branch by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3397](https://redirect.github.com/microsoft/windows-rs/pull/3397) - Streamline CRA deps and webpack config by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3396](https://redirect.github.com/microsoft/windows-rs/pull/3396) - Address nightly clippy warnings about operator precedence by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3414](https://redirect.github.com/microsoft/windows-rs/pull/3414) - Detect unsupported array parameters by [@iancormac84](https://redirect.github.com/iancormac84) in [https://github.com/microsoft/windows-rs/pull/3402](https://redirect.github.com/microsoft/windows-rs/pull/3402) - `cppwinrt` should consistently panic on failure by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3415](https://redirect.github.com/microsoft/windows-rs/pull/3415) - Shorten sample crate names by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3416](https://redirect.github.com/microsoft/windows-rs/pull/3416) - Use `track_caller` to make debugging `cppwinrt` build script errors easier by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3417](https://redirect.github.com/microsoft/windows-rs/pull/3417) - Fix provenance in direct32 sample by [@ChrisDenton](https://redirect.github.com/ChrisDenton) in [https://github.com/microsoft/windows-rs/pull/3419](https://redirect.github.com/microsoft/windows-rs/pull/3419) - Update web workflow to use external origin by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3420](https://redirect.github.com/microsoft/windows-rs/pull/3420) - Avoid `transmute` where possible by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3421](https://redirect.github.com/microsoft/windows-rs/pull/3421) - Update GitHub Actions runners by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3423](https://redirect.github.com/microsoft/windows-rs/pull/3423) - Improve feature search UX, add dark mode, and update deps by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3422](https://redirect.github.com/microsoft/windows-rs/pull/3422) - Release 0.61.0 by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3418](https://redirect.github.com/microsoft/windows-rs/pull/3418) #### New Contributors - [@iancormac84](https://redirect.github.com/iancormac84) made their first contribution in [https://github.com/microsoft/windows-rs/pull/3402](https://redirect.github.com/microsoft/windows-rs/pull/3402) Full Changelog: https://github.com/microsoft/windows-rs/compare/0.60.0...0.61.0 ### [`v0.60.0`](https://redirect.github.com/microsoft/windows-rs/releases/tag/0.60.0) [Compare Source](https://redirect.github.com/microsoft/windows-rs/compare/0.59.0...0.60.0) This release includes an update to the [windows-registry](https://crates.io/crates/windows-registry) and [windows-strings](https://crates.io/crates/windows-strings) crates, mainly to provide various improvements to registry support for [rustup](https://redirect.github.com/rust-lang/rustup). #### What's Changed - Add precise registry types and allocation-free queries and updates by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3184](https://redirect.github.com/microsoft/windows-rs/pull/3184) - Add registry `Value` to/from `HSTRING` conversion by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3190](https://redirect.github.com/microsoft/windows-rs/pull/3190) - Replace `From<&str>` for `GUID` with `TryFrom<&str>` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3193](https://redirect.github.com/microsoft/windows-rs/pull/3193) - Remove uneeded feature dependencies by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3201](https://redirect.github.com/microsoft/windows-rs/pull/3201) - docs: add root level documentation for all libraries by [@Nerixyz](https://redirect.github.com/Nerixyz) in [https://github.com/microsoft/windows-rs/pull/3202](https://redirect.github.com/microsoft/windows-rs/pull/3202) - Cleanup doc testing by [@Nerixyz](https://redirect.github.com/Nerixyz) in [https://github.com/microsoft/windows-rs/pull/3205](https://redirect.github.com/microsoft/windows-rs/pull/3205) - Revert cfg doc by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3206](https://redirect.github.com/microsoft/windows-rs/pull/3206) - Remove workaround for "unused" private fields by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3207](https://redirect.github.com/microsoft/windows-rs/pull/3207) - Immutable Event implementation by [@lifers](https://redirect.github.com/lifers) in [https://github.com/microsoft/windows-rs/pull/3198](https://redirect.github.com/microsoft/windows-rs/pull/3198) - Always treat warnings as errors by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3210](https://redirect.github.com/microsoft/windows-rs/pull/3210) - Consistent allocation failure handling by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3209](https://redirect.github.com/microsoft/windows-rs/pull/3209) - Improve class hierarchy support by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3212](https://redirect.github.com/microsoft/windows-rs/pull/3212) - Consistent allocation failure for stock collections by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3216](https://redirect.github.com/microsoft/windows-rs/pull/3216) - Consistent allocation failure for `windows-registry` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3215](https://redirect.github.com/microsoft/windows-rs/pull/3215) - Add default "std" feature for `windows-registry` crate by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3214](https://redirect.github.com/microsoft/windows-rs/pull/3214) - Overhaul async and future support by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3213](https://redirect.github.com/microsoft/windows-rs/pull/3213) - Addressing new nightly Clippy warning by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3222](https://redirect.github.com/microsoft/windows-rs/pull/3222) - Add async `ready` support by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3221](https://redirect.github.com/microsoft/windows-rs/pull/3221) - Bump micromatch from 4.0.5 to 4.0.8 in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3223](https://redirect.github.com/microsoft/windows-rs/pull/3223) - Add file dialog sample by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3226](https://redirect.github.com/microsoft/windows-rs/pull/3226) - Use relative path for extension by [@glandium](https://redirect.github.com/glandium) in [https://github.com/microsoft/windows-rs/pull/3224](https://redirect.github.com/microsoft/windows-rs/pull/3224) - Simplify trait bounds for interface implementations by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3227](https://redirect.github.com/microsoft/windows-rs/pull/3227) - Remove unnecessary closure from generated code by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3228](https://redirect.github.com/microsoft/windows-rs/pull/3228) - Bump webpack from 5.90.2 to 5.94.0 in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3236](https://redirect.github.com/microsoft/windows-rs/pull/3236) - Add async `spawn` support by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3235](https://redirect.github.com/microsoft/windows-rs/pull/3235) - Nightly Clippy warning about assumed lifetime by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3243](https://redirect.github.com/microsoft/windows-rs/pull/3243) - Regenerate GNU libs by [@riverar](https://redirect.github.com/riverar) in [https://github.com/microsoft/windows-rs/pull/3241](https://redirect.github.com/microsoft/windows-rs/pull/3241) - Add support for composable constructors by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3246](https://redirect.github.com/microsoft/windows-rs/pull/3246) - Use workspace dependencies where practical by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3248](https://redirect.github.com/microsoft/windows-rs/pull/3248) - Add test folders by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3252](https://redirect.github.com/microsoft/windows-rs/pull/3252) - Improve interop testing by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3253](https://redirect.github.com/microsoft/windows-rs/pull/3253) - Avoid deriving `Eq` for structs containing floating point type parameters by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3255](https://redirect.github.com/microsoft/windows-rs/pull/3255) - Add test for composable type authoring support by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3259](https://redirect.github.com/microsoft/windows-rs/pull/3259) - Factory cache statics don't need to be public by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3261](https://redirect.github.com/microsoft/windows-rs/pull/3261) - Allow `noexcept` methods in a composable hierarchy by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3262](https://redirect.github.com/microsoft/windows-rs/pull/3262) - Group more of the WinRT tests together by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3263](https://redirect.github.com/microsoft/windows-rs/pull/3263) - Remove "riddle" and metadata generation by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3266](https://redirect.github.com/microsoft/windows-rs/pull/3266) - Improvements to `windows-metadata` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3268](https://redirect.github.com/microsoft/windows-rs/pull/3268) - We can now derive `Eq` and `PartialEq` for structs containing callbacks by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3270](https://redirect.github.com/microsoft/windows-rs/pull/3270) - Simpler "retval" heuristic by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3271](https://redirect.github.com/microsoft/windows-rs/pull/3271) - Test error handling for `windows-bindgen` crate by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3272](https://redirect.github.com/microsoft/windows-rs/pull/3272) - Exclude `web` on most workflows by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3279](https://redirect.github.com/microsoft/windows-rs/pull/3279) - Bump serve-static and express in /web/features by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3274](https://redirect.github.com/microsoft/windows-rs/pull/3274) - Update jsonschema requirement from 0.18 to 0.19 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/microsoft/windows-rs/pull/3283](https://redirect.github.com/microsoft/windows-rs/pull/3283) - Move `VARIANT` support to the `windows` crate by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3282](https://redirect.github.com/microsoft/windows-rs/pull/3282) - Update `jsonschema` dependency by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3286](https://redirect.github.com/microsoft/windows-rs/pull/3286) - Expand `raw-dylib` testing by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3287](https://redirect.github.com/microsoft/windows-rs/pull/3287) - Fix for `cppwinrt` concurrency issue by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3289](https://redirect.github.com/microsoft/windows-rs/pull/3289) - Address Rust nightly compiler warnings by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3292](https://redirect.github.com/microsoft/windows-rs/pull/3292) - Add `Deref` implementation for `HSTRING` by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3291](https://redirect.github.com/microsoft/windows-rs/pull/3291) - Release 0.60.0 by [@kennykerr](https://redirect.github.com/kennykerr) in [https://github.com/microsoft/windows-rs/pull/3293](https://redirect.github.com/microsoft/windows-rs/pull/3293) #### New Contributors - [@lifers](https://redirect.github.com/lifers) made their first contribution in [https://github.com/microsoft/windows-rs/pull/3198](https://redirect.github.com/microsoft/windows-rs/pull/3198) Full Changelog: https://github.com/microsoft/windows-rs/compare/0.59.0...0.60.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/uv). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNTcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjI1Ny4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: konstin <konstin@mailbox.org>	2025-04-28 13:36:29 +02:00
konsti	b33a19689c	Optional managed Python archive download cache (#12175 ) Part of #11834 Currently, all Python installation are a streaming download-and-extract. With this PR, we add the `UV_PYTHON_CACHE_DIR` variable. When set, the installation is split into downloading the interpreter into `UV_PYTHON_CACHE_DIR` and extracting it there from a second step. If the archive is already present in `UV_PYTHON_CACHE_DIR`, we skip the download. The feature can be used to speed up tests and CI. Locally for me, `cargo test -p uv -- python_install` goes from 43s to 7s (1,7s in release mode) when setting `UV_PYTHON_CACHE_DIR`. It can also be used for offline installation of Python interpreter, by copying the archives to a directory in the offline machine, while the path rewriting is still performed on the target machine on installation.	2025-04-28 12:09:09 +02:00
renovate[bot]	cfe82dc22a	Update EmbarkStudios/cargo-deny-action action to v2 (#13164 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [EmbarkStudios/cargo-deny-action](https://redirect.github.com/EmbarkStudios/cargo-deny-action) \| action \| major \| `v1` -> `v2.0.11` \| --- ### Release Notes <details> <summary>EmbarkStudios/cargo-deny-action (EmbarkStudios/cargo-deny-action)</summary> ### [`v2.0.11`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.11) [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.10...v2.0.11) #### \[0.18.2] - 2025-03-10 ##### Added - [PR#753](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/753) resolved [#752](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/752) by adding back the `advisories.unmaintained` config option. See the [docs](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional) for how it can be used. The default matches the current behavior, which is to error on any `unmaintained` advisory, but adding `unmaintained = "workspace"` to the `[advisories]` table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace. #### \[0.18.1] - 2025-02-27 ##### Fixed - [PR#749](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/749) updated `krates` to pull in the fix for [EmbarkStudios/krates#100](https://redirect.github.com/EmbarkStudios/krates/issues/100). ### [`v2.0.10`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.10) [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.9...v2.0.10) - [PR#96](https://redirect.github.com/EmbarkStudios/cargo-deny-action/pull/96) resolved [#94](https://redirect.github.com/EmbarkStudios/cargo-deny-action/issues/94) by switching to the directory the manifest path is located in and doing `rustup toolchain install` if `rustup show` failed due to any reason ### [`v2.0.9`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.9): Release 2.0.9 - cargo-deny 0.18.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.8...v2.0.9) - [`d8395c1`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/commit/d8395c1) removed the rustup update. ### [`v2.0.8`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.8) [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.7...v2.0.8) - [PR#93](https://redirect.github.com/EmbarkStudios/cargo-deny-action/pull/93) pins to a hash instead of tag, avoiding future breakage from eg. rustup changes. ### [`v2.0.7`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.7): Release 2.0.7 - cargo-deny 0.18.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.6...v2.0.7) - [PR#92](https://redirect.github.com/EmbarkStudios/cargo-deny-action/pull/92) fixed an issue introduced by the latest rustup release. ### [`v2.0.6`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.6): Release 2.0.6 - cargo-deny 0.18.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.5...v2.0.6) ##### Changed - [PR#746](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/746) changed the directory naming of advisory databases, [again](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/745), so the name uses the last path component and a different, but also stable, hashing algorithm. Eg. the default `https://github.com/rustsec/advisory-db` will now be placed in `$CARGO_HOME/advisory-dbs/advisory-db-3157b0e258782691`. - [PR#746](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/746) changed the MSRV to 1.85.0 and uses edition 2024. ##### Fixed - [PR#746](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/746) fixes an issue when using cargo 1.85.0 where source urls were not being properly assigned to crates.io due to the constant being used no longer matching the new path used in cargo 1.85.0 causing eg. workspace dependency checks to fail. ### [`v2.0.5`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.5): Release 2.0.5 - cargo-deny 0.17.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.4...v2.0.5) ##### Changed - [PR#745](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/745) updated `tame-index` to [0.18.0](https://redirect.github.com/EmbarkStudios/tame-index/releases/tag/0.18.0) so that cargo 1.85.0 is transparently supported along with older cargo versions. - [PR#745](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/745) now uses the same stable hashing as cargo 1.85.0 for the advisory databases, which changes their path, but will notably now be the same across all host platforms. ### [`v2.0.4`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.4): Release 2.0.4 - cargo-deny 0.16.3 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.3...v2.0.4) - Update base image to rust 1.83.0 so that version 4 lockfiles are supported with no config changes ### [`v2.0.3`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.3): Release 2.0.3 - cargo-deny 0.16.3 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.2...v2.0.3) ##### Changed - [PR#721](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/721) updated `rust-version` to 1.81.0 to accurately reflect the minimum rust version required to compile, resolving [#720](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/720). - [PR#722](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/722) updated the SPDX license list to 3.25.0. ##### Fixed - [PR#726](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/726) resolved [#725](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/725) by adding the `unnecessary-skip` diagnostic, emitted when there is a `skip` configured for a crate that only has one version in the graph. ### [`v2.0.2`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.2): Release 2.0.2 - cargo-deny 0.16.2 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2.0.1...v2.0.2) ##### Fixed - [PR#703](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/703) resolved [#696](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/696) by no longer emitting errors when failing to deserialize deprecated fields, and removed some lingering documentation that wasn't removed in [PR#611](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/611). - [PR#719](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/719) updated to `krates` -> 0.17.5, fixing an issue where `cargo-deny` could [panic](https://redirect.github.com/EmbarkStudios/krates/issues/97) due to [incorrectly resolving](https://redirect.github.com/EmbarkStudios/krates/issues/84) features for different versions of the same crate referenced by a single crate. - [PR#719](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/719) resolved [#706](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/706) by removing a warning issued when users use ignored scheme modifiers for source urls. - [PR#719](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/719) resolved [#718](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/718) by updating the book with missing arguments. ##### Added - [PR#715](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/715) resolved [#714](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/714) by adding support for Edition 2024. Thanks [@kpcyrd](https://redirect.github.com/kpcyrd)! - [PR#710](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/710) resolved [#708](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/708) by allowing for unpublished workspace crates to be excluded from the dependency graph that checks are run against, either via the `--exclude-unpublished` CLI argument or the `graph.exclude-unpublished` config field. Thanks [@Tastaturtaste](https://redirect.github.com/Tastaturtaste)! ##### Changed - [PR#711](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/711) updated `goblin` -> 0.9.2 - [PR#713](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/713) updated various crates, notably `rustsec` -> 0.30. ### [`v2.0.1`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.1): Release 2.0.1 - cargo-deny 0.16.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v2...v2.0.1) ##### Fixed - [PR#691](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/691) fixed an issue where workspace dependencies that used the current dir '.' path component would incorrectly trigger the `unused-workspace-dependency` lint. ### [`v2.0.0`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v2.0.0): Release 2.0.0 - cargo-deny 0.16.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.6.3...v2) #### `Action` ##### Added - [PR#78](https://redirect.github.com/EmbarkStudios/cargo-deny-action/pull/78) added SSH support, thanks [@nagua](https://redirect.github.com/nagua)! ##### Changed - This release includes breaking changes in cargo-deny, so this release begins the `v2` tag, using `v1` will be stable but not follow future `cargo-deny` releases. #### `cargo-deny` ##### Removed - [PR#681](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/681) finished the deprecation introduced in [PR#611](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/611), making the usage of the deprecated fields into errors. ##### `[advisories]` The following fields have all been removed in favor of denying all advisories by default. To ignore an advisory the [`ignore`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-ignore-field-optional) field can be used as before. - `vulnerability` - Vulnerability advisories are now `deny` by default - `unmaintained` - Unmaintained advisories are now `deny` by default - `unsound` - Unsound advisories are now `deny` by default - `notice` - Notice advisories are now `deny` by default - `severity-threshold` - The severity of vulnerabilities is now irrelevant ##### `[licenses]` The following fields have all been removed in favor of denying all licenses that are not explicitly allowed via either [`allow`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-field-optional) or [`exceptions`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-exceptions-field-optional). - `unlicensed` - Crates whose license(s) cannot be confidently determined are now always errors. The [`clarify`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-clarify-field-optional) field can be used to help cargo-deny determine the license. - `allow-osi-fsf-free` - The OSI/FSF Free attributes are now irrelevant, only whether it is explicitly allowed. - `copyleft` - The copyleft attribute is now irrelevant, only whether it is explicitly allowed. - `default` - The default is now `deny`. - `deny` - All licenses are now denied by default, this field added nothing. ##### Changed - [PR#685](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/685) follows up on [PR#673](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/673), moving the fields that were added to their own separate [`bans.workspace-dependencies`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-workspace-dependencies-field-optional) section. This is an unannounced breaking change but is fairly minor and 0.15.0 was never released on github actions so the amount of people affected by this will be (hopefully) small. This also makes the workspace duplicate detection off by default since the field is optional, but makes it so that if not specified workspace duplicates are now `deny` instead of `warn`. ##### Fixed - [PR#685](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/685) resolved [#682](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/682) by adding the `include-path-dependencies` field, allowing path dependencies to be ignored if it is `false`. ### [`v1.6.3`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.6.3): Release 1.6.3 - cargo-deny 0.14.21 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.6.2...v1.6.3) ##### Fixed - [PR#643](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/643) resolved [#629](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/629) by making the hosted git (github, gitlab, bitbucket) org/user name comparison case-insensitive. Thanks [@pmnlla](https://redirect.github.com/pmnlla)! - [PR#649](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/649) fixed an issue where depending on the same crate multiple times by using different `cfg()/triple` targets could cause features to be resolved incorrectly and thus crates to be not pulled into the graph used for checking. #### \[0.14.20] - 2024-03-23 ##### Fixed - [PR#642](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/642) resolved [#641](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/641) by pinning `gix-transport` (and its unique dependencies) to 0.41.2 as a workaround for `cargo install` not using the lockfile. See [this issue](https://redirect.github.com/Byron/gitoxide/issues/1328) for more information. ### [`v1.6.2`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.6.2): Release 1.6.2 - cargo-deny 0.14.19 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.6.1...v1.6.2) ##### Changed - [PR#639](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/639) updated tame-index to avoid an error if you don't used `--locked`. #### \[0.14.18] - 2024-03-21 ##### Fixed - [PR#638](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/638) resolved [#636](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/636) by updating `krates`. #### \[0.14.17] - 2024-03-17 ##### Changed - [PR#631](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/631) improved the diagnostic for when the yank check fails due to some issue with retrieving or reading the index information. - [PR#633](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/633) updated `gix` -> 0.60. ### [`v1.6.1`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.6.0...v1.6.1) ##### Fixed - [PR#626](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/626) resolved [#625](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/625) by explicitly checking that a license identified as Pixar was actually (probably) the Pixar license, instead of a normal Apache-2.0 license. ### [`v1.6.0`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.15...v1.6.0) #### action changes - Color output is now always enabled so that colors show up in the action output. #### 0.14.15 ##### Added - [PR#618](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/618) added metadata notes to diagnostics when a license is rejected, as well as removing span information for accepted licenses unless the log level is `info` or higher to make the diagnostic clearer by default. #### 0.14.14 ##### Fixed - [PR#617](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/617) resolved [#576](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/576) by updating the SPDX license list to 3.23. #### 0.14.13 ##### Fixed - [PR#615](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/615) fixed an issue introduced in [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) where the various `bans` diagnostic codes could not have their lint level changed via the CLI. It also introduced the `deprecated` diagnostic code. #### 0.14.12 ##### Changed - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) did a major refactor of configuration, both how it is deserialized and changing (hopefully improving) many options. - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) moved `targets`, `exclude`, `all-features`, `features`, `no-default-features`, and `exclude` into the `[graph]` table. - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) moved `feature-depth` into the `[output]` table. ##### Added - [PR#613](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/613) added support for [basic shell expansion](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-db-path-field-optional) to `advisories.db-path`, which expands support beyond just `~` to include environment variable expansion. ##### Fixed - [PR#601](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/601) resolved [#600](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/600) by outputting the correct spans when a license was both allowed and denied. - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) resolved [#264](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/264) be replacing `toml` and `serde` with `toml-span`. - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) resolved [#539](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/539) by simplifying the very common `name = "<crate_name>", version = "<requirements>"` used to target specific crates into either a plain [package spec string](https://embarkstudios.github.io/cargo-deny/checks/cfg.html#string-format) or the simpler `crate = "<package spec>"`. - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) resolved [#578](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/578) by adding a `reason = "<reason>"` field to many fields within the configuration that are provided in diagnostics. `[bans.deny]` also has an additional `use-instead = "<url/crate_name>"`. [PR#610](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/610) did this for the `advisories.ignore` field. - [PR#605](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/605) resolved [#579](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/579) by allowing yanked crates to be ignored by specifying a [PackageSpec](https://embarkstudios.github.io/cargo-deny/checks/cfg.html#package-specs) in the `[advisories.ignore]` array. ##### Deprecated - [PR#606](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/606) and [PR#611](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/611) together deprecated several fields listed below. See [PR#611](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/611) for how to change your config to opt-in to the new behavior that will become the default when the deprecated fields are removed in a future minor version. - `[advisories]` - `vulnerability` - `unmaintained` - `unsound` - `notice` - `severity-threshold` - `[licenses]` - `unlicensed` - `allow-osi-fsf-free` - `copyleft` - `default` - `deny` ### [`v1.5.15`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.15): Release 1.5.15 - cargo-deny 0.14.11 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.14...v1.5.15) ##### Fixed - Resolved [https://github.com/EmbarkStudios/cargo-deny-action/issues/71](https://redirect.github.com/EmbarkStudios/cargo-deny-action/issues/71) that was introduced in the previous release. ### [`v1.5.14`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.14): Release 1.5.14 - cargo-deny 0.14.11 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.13...v1.5.14) ##### Added - Added the `manifest-path` key as a shorthand for doing `arguments: --manifest-path <path>` ### [`v1.5.13`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.13): Release 1.5.13 - cargo-deny 0.14.11 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.12...v1.5.13) ##### Fixed - [PR#599](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/599) resolved [#488](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/488) by treating git and path sources differently. Thanks [@kpreid](https://redirect.github.com/kpreid)! ### [`v1.5.12`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.12): Release 1.5.12 - cargo-deny 0.14.10 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.11...v1.5.12) ##### Fixed - [PR#596](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/596) updated `krates` again to pull in [krates#77](https://redirect.github.com/EmbarkStudios/krates/pull/77). ### [`v1.5.11`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.11): Release 1.5.11 - cargo-deny 0.14.9 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.10...v1.5.11) ##### Fixed - [PR#594](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/594) updated `krates` again to pull in [krates#75](https://redirect.github.com/EmbarkStudios/krates/pull/75). ### [`v1.5.10`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.10): Release 1.5.10 - cargo-deny 0.14.8 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.9...v1.5.10) ##### Fixed - [PR#592](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/592) updated `krates` again to pull in [krates#73](https://redirect.github.com/EmbarkStudios/krates/pull/73). ### [`v1.5.9`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.9): Release 1.5.9 - cargo-deny 0.14.7 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.8...v1.5.9) ##### Fixed - [PR#591](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/591) updated `krates` again to pull in [krates#71](https://redirect.github.com/EmbarkStudios/krates/pull/71). ### [`v1.5.8`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.8): Release 1.5.8 - cargo-deny 0.14.6 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.7...v1.5.8) ##### Fixed - [PR#590](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/590) updated `krates` to fix an issue with crates that directly have a dependency on 2 or more versions of the same crate. ##### Added - [PR#590](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/590) resolved [#405](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/405) by emitting warnings when a `wrapper` crate for a banned crate does not have a dependency on that crate. ##### Changed - [PR#591](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/591) updated `gix` and `tame-index`. ### [`v1.5.7`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.7): Release 1.5.7 - cargo-deny 0.14.5 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.6...v1.5.7) ##### Fixed - [PR#588](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/588) resolved an issue introduced in \[0.14.4] where features that reference dev-only dependencies in non-workspace crates would cause a [panic](https://redirect.github.com/EmbarkStudios/krates/issues/66). ### [`v1.5.6`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.6): Release 1.5.6 - cargo-deny 0.14.4 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.5...v1.5.6) ##### Fixed - [PR#586](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/586) resolved 2 issues with crate graph creation, see [krates#60](https://redirect.github.com/EmbarkStudios/krates/issues/60) and [krates#64](https://redirect.github.com/EmbarkStudios/krates/issues/64) for more details. ### [`v1.5.5`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.5): Release 1.5.5 - cargo-deny 0.14.2 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.4...v1.5.5) ##### Added - [PR#545](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/545) added the ability to specify additional license exceptions via [additional configuration files](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#additional-exceptions-configuration-file). - [PR#549](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/549) added the [`bans.build`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-build-field-optional) configuration option, opting in to checking for [file extensions](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-script-extensions-field-optional), [native executables](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-executables-field-optional), and [interpreted scripts](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-interpreted-field-optional). This resolved [#43](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/43). ##### Changed - [PR#557](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/557) introduced changes to how [`dev-dependencies`](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#development-dependencies) are handled. By default, crates that are only used as dev-dependencies (ie, there are no normal nor build dependency edges linking them to other crates) will no longer be considered when checking for [`multiple-versions`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-multiple-versions-field-optional) violations. This can be re-enabled via the [`bans.multiple-versions-include-dev`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-multiple-versions-include-dev-field-optional) config field. Additionally, licenses are no longer checked for `dev-dependencies`, but can be re-enabled via [`licenses.include-dev`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-include-dev-field-optional) the config field. `dev-dependencies` can also be completely disabled altogether, but this applies to all checks, including `advisories` and `sources`, so is not enabled by default. This behavior can be enabled by using the [`exclude-dev`](https://embarkstudios.github.io/cargo-deny/checks/cfg.html#the-exclude-dev-field-optional) field, or the `--exclude-dev` command line flag. This change resolved [#322](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/322), [#329](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/329), [#413](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/413) and [#497](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/497). ##### Fixed - [PR#549](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/549) fixed [#548](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/548) by correctly locating cargo registry indices from an git ssh url. - [PR#549](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/549) fixed [#552](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/552) by correctly handling signal interrupts and removing the advisory-dbs lock file. - [PR#549](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/549) fixed [#553](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/553) by adding the `native-certs` feature flag that can enable the OS native certificate store. ##### Deprecated - [PR#549](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/549) moved `bans.allow-build-scripts` to [`bans.build.allow-build-scripts`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-allow-build-scripts-field-optional). `bans.allow-build-scripts` is still supported, but emits a warning. ### [`v1.5.4`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.4): Release 1.5.4 - cargo-deny 0.14.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.3...v1.5.4) Updated the cargo version to 1.71.0 which should give significant improvements to run times due to using the crates.io sparse index instead of the old git index. ### [`v1.5.3`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.3): Release 1.5.3 - cargo-deny 0.14.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.2...v1.5.3) ##### Changed - [PR#520] resolved [#522](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/522) by completely removing all dependencies upon `git2` and `openssl`. This was done by transitioning from `git2` -> `gix` for all git operations, both directly in this crate, as well as replacing [`crates-index`](https://redirect.github.com/frewsxcv/rust-crates-index) with [`tame-index`](https://redirect.github.com/EmbarkStudios/tame-index). - [PR#520] bumped the MSRV from `1.65.0` -> `1.70.0` - [PR#523](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/523) added "(try `cargo update -p <crate_name>`)" when an advisory is detected for a crate. Thanks [@Victor-N-Suadicani](https://redirect.github.com/Victor-N-Suadicani)! ##### Fixed - [PR#520] resolved [#361](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/361) by printing output when a fetch is being performed to clarify what is taking time. - [PR#520] (possibly) resolved [#435](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/435) by switching all git operations from `git2` to `gix`. - [PR#520] resolved [#439](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/439) by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD. - [PR#520] resolved [#446](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/446) by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it. - [PR#520] resolved [#515](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/515) by always opening the correct registry index based upon the environment. - [PR#531](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/531) resolved [#210](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/210) by adding `osi` and `fsf` options to `licenses.allow-osi-fsf-free`. Thanks [@zkxs](https://redirect.github.com/zkxs)! - [PR#533](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/533) resolved [#521](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/521) and [#524](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/524) by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered. - [PR#534](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/534) resolved [#479](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/479) by improving how advisory databases are cloned and/or fetched, notably each database now uses `gix`'s [file-based locking](https://docs.rs/gix-lock/7.0.2/gix_lock/struct.Marker.html#method.acquire_to_hold_resource) to ensure that only one process has mutable access to an advisory database repo at a time. ##### Removed - [PR#520] removed all features, notably `standalone`. This is due to cargo still being in transition from `git2` -> `gix` and having no way to compiled without OpenSSL. Once cargo is a better state with regards to this we can add back that feature. [PR#520]: https://redirect.github.com/EmbarkStudios/cargo-deny/pull/520 ### [`v1.5.2`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.2): Release 1.5.2 - cargo-deny 0.13.9 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.1...v1.5.2) ##### Fixed - [PR#506](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/506) replaced `atty` (unmaintained) with `is-terminal`. Thanks [@tottoto](https://redirect.github.com/tottoto)! - [PR#511](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/511) resolved [#494](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/494), [#507](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/507), and [#510](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/510) by fixing up how and when urls are normalized. - [PR#512](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/512) resolved [#509](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/509) by fixing casing of the root configuration keys. - [PR#513](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/513) resolved [#508](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/508) by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present. ### [`v1.5.1`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.1): Release 1.5.1 - cargo-deny 0.13.8 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.5.0...v1.5.1) ##### Added - [PR#504](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/504) (though really [PR#365](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/365)) resolved [#350](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/350) by adding the `deny-multiple-versions` field to `bans.deny` entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks [@leops](https://redirect.github.com/leops)! - [PR#493](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/493) resolved [#437](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/437) by also looking for deny configuration files in `.cargo`. Thanks [@DJMcNab](https://redirect.github.com/DJMcNab)! - [PR#502](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/502) resolved [#500](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/500) by adding initial support for [sparse indices](https://blog.rust-lang.org/inside-rust/2023/01/30/cargo-sparse-protocol.html). ##### Fixed - [PR#503](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/503) resolved [#498](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/498) by falling back to more lax parsing of the SPDX expression of crate if fails to parse according to the stricter but more correct rules. ### [`v1.5.0`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.5.0): Release 1.5.0 - cargo-deny 0.13.7 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.4.0...v1.5.0) Update from cargo-deny 0.13.5 to 0.13.7, apparently I missed two releases, that's embarrassing. #### 0.13.7 ##### Fixed - [PR#491](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/491) resolved [#490](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/490) by building libgit2 from vendored sources instead of relying on potentially outdated packages. #### 0.13.6 ##### Changed - [PR#489](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/489) updated dependencies, notably `clap`, `cargo`, and `git2` ##### Added - [PR#485](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/485) added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See [`SECURITY.md`](./SECURITY.md) for more details. - [PR#487](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/487) added `allow-wildcard-paths`, fixing [#488](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/448) by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks [@sribich](https://giqthub.com/sribich)! ##### Fixed - [PR#489](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/489) fixed an issue where git sources where `branch=master` would be incorrectly categorized as not specifying the branch (ie use HEAD of default branch). ### [`v1.4.0`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.4.0): Release 1.4.0 - cargo-deny 0.13.5 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.3.2...v1.4.0) ##### Changed - Updated to cargo-deny 0.13.5 ### [`v1.3.2`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.3.2): - cargo-deny 0.12.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.3.1...v1.3.2) ##### Added - [PR#54](https://redirect.github.com/PR/cargo-deny-action/issues/54) resolved [#53](https://redirect.github.com/EmbarkStudios/cargo-deny-action/issues/53) by adding the `credentials` parameter for passing in a private access token to allow cargo to fetch private github repositories. Thanks [@danielhaap83](https://redirect.github.com/danielhaap83)! ### [`v1.3.1`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.3.1): - cargo-deny 0.12.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.3.0...v1.3.1) ##### Fixed - [PR#426](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/426) fixed an oversight in [PR#422](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/422), fully resolving [#412](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/412) by allowing both `https` and `ssh` URLs for advisory databases. Thanks [@jbg](https://redirect.github.com/jbg)! ##### Changed - [PR#427](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/427) updated dependencies. ### [`v1.3.0`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.3.0): - cargo-deny 0.12.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.17...v1.3.0) ##### Removed - [PR#423](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/423) removed the `fix` subcommand. This functionality was far too complicated for far too little benefit. ##### Fixed - [PR#420](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/420) resolved [#388](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/388) by adding the ability to fetch advisory databases via the `git` CLI. Thanks [@danielhaap83](https://redirect.github.com/danielhaap83)! - [PR#422](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/422) fixed [#380](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/380) and [#410](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/410) by updating a few transitive dependencies that use `git2`, as well as removing the usage of `rustsec`'s `git` feature so that we now use `git2 v0.14`, resolving a crash issue in new `libgit2` versions available in eg. rolling release distros such as Arch. This should also make it easier to update and improve git related functionality since more of it is inside cargo-deny itself now. - [PR#424](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/424) really fixed (there's even a test now!) [#384](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/384) by adding each version's reverse dependency graph in the ascending order. ### [`v1.2.17`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.17): - cargo-deny 0.11.4 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.16...v1.2.17) #### Changed - [PR#51](https://redirect.github.com/EmbarkStudios/cargo-deny-action/pull/51) updated the image to use Rust 1.60.0 by default. Thanks [@MarcoIeni](https://redirect.github.com/MarcoIeni)! ### [`v1.2.16`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.16): - cargo-deny 0.11.4 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.15...v1.2.16) #### Added - [PR#49](https://redirect.github.com/EmbarkStudios/cargo-deny-action/pull/49) added the `command-arguments` option to the action. Thanks [@ryo33](https://redirect.github.com/ryo33)! ### [`v1.2.15`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.15): - cargo-deny 0.11.3 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.14...v1.2.15) ##### Fixed - Accidentally change how arguments were forwarded to cargo-deny which broken more complicated invocations ### [`v1.2.14`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.14): - cargo-deny 0.11.3 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.13...v1.2.14) ##### Added - Added `git` to the image, resolving [#40](https://redirect.github.com/EmbarkStudios/cargo-deny-action/issues/40) ### [`v1.2.13`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.13): - cargo-deny 0.11.3 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.12...v1.2.13) ##### Changed - Added the `rust-version` github actions variable, allowing you to specify a specific cargo version to use when running cargo-deny, including nightly, or other unstable versions. ### [`v1.2.12`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.12): - cargo-deny 0.11.3 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.11...v1.2.12) ##### Fixed - [PR#407](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/407) resolved [#406](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/406) by always checking license exceptions first. ### [`v1.2.11`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.10...v1.2.11) [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.10...v1.2.11) ### [`v1.2.10`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.10): - cargo-deny 0.11.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.9...v1.2.10) ##### Added - [PR#391](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/391) resolved [#344](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/344) by adding `[licenses.ignore-sources]` to ignore license checking for crates sourced from 1 or more specified registries. Thanks [@ShellWowza](https://redirect.github.com/ShellWowza)! - [PR#396](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/396) resolved [#366](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/366) by also looking for `.deny.toml` in addition to `deny.toml` if a config file is not specified. ##### Changed - [PR#392](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/392) updated all dependencies. ##### Fixed - [PR#393](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/393) resolved [#371](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/371) by changing the default for version requirements specified in config files to accept all versions, rather than using the almost-but-not-quite default of ``. - [PR#394](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/394) resolved [#147](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/147) by ignore all* private crates, not only the ones in the workspace. - [PR#395](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/395) resolved [#375](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/375) by fixing a potential infinite loop when using `[bans.skip-tree]`. ### [`v1.2.9`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.9): - cargo-deny 0.11.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.8...v1.2.9) Fixed image to use proper tag. ### [`v1.2.8`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.8): - cargo-deny 0.11.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.7...v1.2.8) Updated the cargo version in the image to 1.57.0 to allow for the use of [custom profiles](https://doc.rust-lang.org/cargo/reference/profiles.html#custom-profiles). ### [`v1.2.7`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.7): v1.2.6 - cargo-deny 0.11.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.6...v1.2.7) #### \[0.11.0] - 2021-12-06 ##### Changed - [PR#382](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/382) updated dependencies and bumped the Minimum Stable Rust Version to 1.56.1. #### \[0.10.3] - 2021-11-22 ##### Changed - [PR#379](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/379) updated `askalono` which got rid of the `failure` dependency, which was pulling in a lot of additional crates that are now gone. ##### Fixed - [PR#379](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/379) fixed [#378](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/378) which was an edge case where the `sources` check was executed against a crate that didn't use any crates from crates.io, and the config file was shorter than the crates.io URL. #### \[0.10.2] - 2021-11-21 ##### Fixed - [PR#376](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/376) fixed the JSON formatting when using `--format json` output option. Thanks [@dnaka91](https://redirect.github.com/dnaka91)! ##### Changed - [PR#377](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/377) updated dependencies. #### \[0.10.1] - 2021-11-10 ##### Fixed - [PR#347](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/374) resolved [#372](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/372) by correcting a slight mistake that resulted in an incorrect hash making cargo-deny unable to lookup index or crate information from the local file system. #### \[0.10.0] - 2021-10-29 ##### Added - [PR#353](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/353) resolved [#351](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/351) by adding the `sources.private` field to blanket allow git repositories sourced from a particular url. - [PR#359](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/359) resolved [#341](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/341) and [#357](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/357) by adding support for the [`--frozen`, `--locked`, and `--offline`](https://doc.rust-lang.org/cargo/commands/cargo-metadata.html#manifest-options) flags to determine whether network access is allowed, and whether the `Cargo.lock` file can be created and/or modified. - [PR#368](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/368) added the `licenses.unused-allowed-license` field to control whether the [L006 - license was not encountered](https://embarkstudios.github.io/cargo-deny/checks/licenses/diags.html#l006---license-was-not-encountered) diagnostic. Thanks [@thomcc](https://redirect.github.com/thomcc)! ##### Changed - [PR#358](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/358) bumped the Minimum Stable Rust Version to 1.53.0. - [PR#358](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/358) bumped various dependencies, notably `semver` to `1.0.3`. #### \[0.9.1] - 2021-03-26 ##### Changed - Updated dependencies ### [`v1.2.6`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.6): Release 1.2.6 - cargo-deny 0.9.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.5...v1.2.6) ##### Changed - Updated dependencies ### [`v1.2.5`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.5): - cargo-deny 0.9.0 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.4...v1.2.5) ##### Changed - Updated `krates`, which in turn uses an updated `cargo_metadata` which uses [`camino`](https://docs.rs/camino) for utf-8 paths. Rather than support both vanilla Path/Buf and Utf8Path/Buf, cargo-deny now just uses Utf8Path/Buf, which means that non-utf-8 paths for things like your Cargo.toml manifest or license paths will no longer function. This is a breaking change, that can be reverted if it disruptive for users, but the assumption is that cargo-deny is operating on normal checkouts of rust repositories that are overwhelmingly going to be utf-8 compatible paths. ### [`v1.2.4`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.4): Update image [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.3...v1.2.4) Updates the base image to rust 1.50.0 to fix issue if you pin to it via eg rust-toolchain. ### [`v1.2.3`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.3): - cargo-deny 0.8.5 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.2...v1.2.3) ##### Added - [PR#315](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/315) resolved [#312](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/312) by adding support for excluding packages in the deny configuration file, in addition to the existing support for the `--exclude` CLI option. Thanks [@luser](https://redirect.github.com/luser)! ##### Fixed - [PR#318](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/318) fixed [#316](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/316) by adding a workaround for crate versions with pre-release identifiers in them that could be erroneously marked as matching advisories in an advisory database. Thanks for reporting this [@djc](https://redirect.github.com/djc)! ### [`v1.2.2`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.2): - cargo-deny 0.8.4 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.2.1...v1.2.2) ##### Changed - Updated dependencies, notably `rustsec`, `crossbeam`\, and `cargo`. - Bumped the Minimum Stable Rust Version to 1.44.1. ### [`v1.2.1`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/v1.2.1): - cargo-deny 0.8.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/1.2.0...v1.2.1) Updates cargo-deny from 0.7.3 -> 0.8.1 ##### Added - [PR#238](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/238) resolved [#225](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/225) by adding a `wrappers` field to `[bans.deny]` entries, which allows the banned crate to be used only if it is a direct dependency of one of the wrapper crates. Thanks [@Stupremee](https://redirect.github.com/Stupremee)! - [PR#244](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/244) resolved [#69](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/69) by adding support for multiple advisory databases, which will all be checked during the `advisory` check. Thanks [@Stupremee](https://redirect.github.com/Stupremee)! - [PR#243](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/243) resolved [#54](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/54) by adding support for compiling and using `cargo` crate directly via the `standalone` feature. This allows `cargo-deny` to be used without cargo being installed, but it still requires [rustc](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/295) to be available. Thanks [@Stupremee](https://redirect.github.com/Stupremee)! - [PR#275](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/275) resolved [#64](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/64) by adding a diagnostic when a user tries to ignore an advisory identifier that doesn't exist in any database. - [PR#262](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/262) added the `fix` subcommand, which was added to bring `cargo-deny` to feature parity with `cargo-audit` so that it can take over for `cargo-audit` as the [official frontend](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/194) for the the [RustSec Advisory Database](https://redirect.github.com/RustSec/advisory-db). ##### Changed - `advisories.db-url` has been deprecated in favor of `advisories.db-urls` since multiple databses are now supported. - `advisories.db-path` is now no longer the directory into which the advisory database is cloned into, but rather a root directory where each unique database is placed in a canonicalized directory similar to how `.cargo/registry/index` directories work. - [PR#274](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/274) resolved [#115](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/115) by normalizing git urls. Thanks [@senden9](https://redirect.github.com/senden9)! ##### Fixed - [#265](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/265) A transitive dependency (`smol_str`) forced the usage of the latest Rust stable version (1.46) which was unintended. We now state the MSRV in the README and check for it in CI so that changing the MSRV is a conscious decision. - [PR#287](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/287) fixed [#286](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/286), which could happen if using a git source where the representation differed slightly between the user specified id and the id used for dependencies. - [PR#249](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/249) fixed [#190](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/190) by printing a different diagnostic for when the path specified for a clarification license file could not be found. Thanks [@khodzha](https://redirect.github.com/khodzha)! - [PR#297](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/297) fixed a couple of diagnostics to have codes. - [PR#296](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/296) resolved [#288](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/288) by improving the information in diagnostics pertaining to advisories. Thanks [@tomasfarias](https://redirect.github.com/tomasfarias)! ### [`v1.2.0`](https://redirect.github.com/EmbarkStudios/cargo-deny-action/releases/tag/1.2.0): - cargo-deny 0.8.1 [Compare Source](https://redirect.github.com/EmbarkStudios/cargo-deny-action/compare/v1.1.0...1.2.0) Updates cargo-deny from 0.7.3 -> 0.8.1 ##### Added - [PR#238](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/238) resolved [#225](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/225) by adding a `wrappers` field to `[bans.deny]` entries, which allows the banned crate to be used only if it is a direct dependency of one of the wrapper crates. Thanks [@Stupremee](https://redirect.github.com/Stupremee)! - [PR#244](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/244) resolved [#69](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/69) by adding support for multiple advisory databases, which will all be checked during the `advisory` check. Thanks [@Stupremee](https://redirect.github.com/Stupremee)! - [PR#243](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/243) resolved [#54](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/54) by adding support for compiling and using `cargo` crate directly via the `standalone` feature. This allows `cargo-deny` to be used without cargo being installed, but it still requires [rustc](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/295) to be available. Thanks [@Stupremee](https://redirect.github.com/Stupremee)! - [PR#275](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/275) resolved [#64](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/64) by adding a diagnostic when a user tries to ignore an advisory identifier that doesn't exist in any database. - [PR#262](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/262) added the `fix` subcommand, which was added to bring `cargo-deny` to feature parity with `cargo-audit` so that it can take over for `cargo-audit` as the [official frontend](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/194) for the the [RustSec Advisory Database](https://redirect.github.com/RustSec/advisory-db). ##### Changed - `advisories.db-url` has been deprecated in favor of `advisories.db-urls` since multiple databses are now supported. - `advisories.db-path` is now no longer the directory into which the advisory database is cloned into, but rather a root directory where each unique database is placed in a canonicalized directory similar to how `.cargo/registry/index` directories work. - [PR#274](https://redirect.github.com/EmbarkStudios/cargo-deny/pull/274) resolved [#115](https://redirect.github.com/EmbarkStudios/cargo-deny/issues/115) by normalizing git urls. Thanks [@senden9](https://redirect.github.com/senden9)! ##### Fixe </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore*: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/uv). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNTcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjI1Ny4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-04-28 10:56:57 +02:00
renovate[bot]	aacf2a724c	Update astral-sh/setup-uv action to v6 (#13162 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) \| action \| major \| `v5.4.2` -> `v6.0.0` \| --- ### Release Notes <details> <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary> ### [`v6.0.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v6.0.0): 🌈 activate-environment and working-directory [Compare Source](https://redirect.github.com/astral-sh/setup-uv/compare/v5.4.2...v6.0.0) ##### Changes This version contains some breaking changes which have been gathering up for a while. Lets dive into them: - [Activate environment](#activate-environment) - [Working Directory](#working-directory) - [Default `cache-dependency-glob`](#default-cache-dependency-glob) - [Use default cache dir on self hosted runners](#use-default-cache-dir-on-self-hosted-runners) ##### Activate environment In previous versions using the input `python-version` automatically activated a venv at the repository root. This led to some unwanted side-effects, was sometimes unexpected and not flexible enough. The venv activation is now explicitly controlled with the new input `activate-environment` (false by default): ```yaml - name: Install the latest version of uv and activate the environment uses: astral-sh/setup-uv@v6 with: activate-environment: true - run: uv pip install pip ``` The venv gets created by the [`uv venv`](https://docs.astral.sh/uv/pip/environments/) command so the python version is controlled by the `python-version` input or the files `pyproject.toml`, `uv.toml`, `.python-version` in the `working-directory`. ##### Working Directory The new input `working-directory` controls where we look for `pyproject.toml`, `uv.toml` and `.python-version` files which are used to determine the version of uv and python to install. It can also be used to control where the venv gets created. ```yaml - name: Install uv based on the config files in the working-directory uses: astral-sh/setup-uv@v6 with: working-directory: my/subproject/dir ``` > \[!CAUTION] > > The inputs `pyproject-file` and `uv-file` have been removed. ##### Default `cache-dependency-glob` [@ssbarnea](https://redirect.github.com/ssbarnea) found out that the default `cache-dependency-glob` was not suitable for a lot of users. The old default ```yaml cache-dependency-glob: \| */requirements.txt /uv.lock ``` is changed and should cover over 99.5% of use cases: ```yaml cache-dependency-glob: \| /(requirements\|constraints).(txt\|in) /pyproject.toml /uv.lock ``` > \[!NOTE] > > This shouldn't be a breaking change. The only thing you may notice is that your caches get invalidated once. ##### Use default cache dir on self hosted runners The directory where uv stores its cache was always set to a directory in `RUNNER_TEMP`. For self-hosted runners this made no sense as this gets cleaned after every run and led to slower runs than necessary. On self-hosted runners `UV_CACHE_DIR` is no longer set and the [default cache directory](https://docs.astral.sh/uv/concepts/cache/#cache-directory) is used instead. ##### 🚨 Breaking changes - Change default cache-dependency-glob [@eifinger](https://redirect.github.com/eifinger) ([#352](https://redirect.github.com/astral-sh/setup-uv/issues/352)) - No default UV_CACHE_DIR on selfhosted runners [@eifinger](https://redirect.github.com/eifinger) ([#380](https://redirect.github.com/astral-sh/setup-uv/issues/380)) - new inputs activate-environment and working-directory [@eifinger](https://redirect.github.com/eifinger) ([#381](https://redirect.github.com/astral-sh/setup-uv/issues/381)) ##### 🧰 Maintenance - chore: update known checksums for 0.6.16 @[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#378](https://redirect.github.com/astral-sh/setup-uv/issues/378)) - chore: update known checksums for 0.6.15 @[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#377](https://redirect.github.com/astral-sh/setup-uv/issues/377)) ##### 📚 Documentation - bump to v6 in README [@eifinger](https://redirect.github.com/eifinger) ([#382](https://redirect.github.com/astral-sh/setup-uv/issues/382)) - log info on venv activation [@eifinger](https://redirect.github.com/eifinger) ([#375](https://redirect.github.com/astral-sh/setup-uv/issues/375)) </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/astral-sh/uv). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNTcuMyIsInVwZGF0ZWRJblZlciI6IjM5LjI1Ny4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJpbnRlcm5hbCJdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2025-04-28 10:53:35 +02:00
John Mumm	4ee4a8861e	Implement RFC 7231 compliant relative URI and fragment handling in redirects (#13050 ) This PR restores #13041 and integrates two PRs from @zanieb: * #13038 * #13040 It also adds tests for relative URI and fragment handling. Closes #13037. --------- Co-authored-by: Zanie Blue <contact@zanie.dev>	2025-04-28 09:07:06 +02:00
renovate[bot]	576a4ae3a7	Update Rust crate tempfile to v3.19.1 (#13158 )	2025-04-28 03:08:02 +00:00
renovate[bot]	0f58828003	Update Swatinem/rust-cache action to v2.7.8 (#13160 )	2025-04-27 22:30:40 -04:00

... 14 15 16 17 18 ...

7187 Commits All Branches Search

7187 Commits

All Branches