Prep release (#719)

Resolves: #706
Resolves: #718

CHANGELOG.md

@@ -8,6 +8,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Fixed
+- [PR#703](https://github.com/EmbarkStudios/cargo-deny/pull/703) resolved [#696](https://github.com/EmbarkStudios/cargo-deny/issues/696) by no longer emitting errors when failing to deserialize deprecated fields, and removed some lingering documentation that wasn't removed in [PR#611](https://github.com/EmbarkStudios/cargo-deny/pull/611).
+- [PR#719](https://github.com/EmbarkStudios/cargo-deny/pull/719) updated to `krates` -> 0.17.5, fixing an issue where `cargo-deny` could [panic](https://github.com/EmbarkStudios/krates/issues/97) due to [incorrectly resolving](https://github.com/EmbarkStudios/krates/issues/84) features for different versions of the same crate referenced by a single crate.
+- [PR#719](https://github.com/EmbarkStudios/cargo-deny/pull/719) resolved [#706](https://github.com/EmbarkStudios/cargo-deny/issues/706) by removing a warning issued when users use ignored scheme modifiers for source urls.
+- [PR#719](https://github.com/EmbarkStudios/cargo-deny/pull/719) resolved [#718](https://github.com/EmbarkStudios/cargo-deny/issues/718) by updating the book with missing arguments.
+
+### Added
+- [PR#715](https://github.com/EmbarkStudios/cargo-deny/pull/715) resolved [#714](https://github.com/EmbarkStudios/cargo-deny/issues/714) by adding support for Edition 2024. Thanks [@kpcyrd](https://github.com/kpcyrd)!
+- [PR#710](https://github.com/EmbarkStudios/cargo-deny/pull/710) resolved [#708](https://github.com/EmbarkStudios/cargo-deny/issues/708) by allowing for unpublished workspace crates to be excluded from the dependency graph that checks are run against, either via the `--exclude-unpublished` CLI argument or the `graph.exclude-unpublished` config field. Thanks [@Tastaturtaste](https://github.com/Tastaturtaste)!
+
+### Changed
+- [PR#711](https://github.com/EmbarkStudios/cargo-deny/pull/711) updated `goblin` -> 0.9.2
+- [PR#713](https://github.com/EmbarkStudios/cargo-deny/pull/713) updated various crates, notably `rustsec` -> 0.30.
+
 ## [0.16.1] - 2024-08-05
 ### Fixed
 - [PR#691](https://github.com/EmbarkStudios/cargo-deny/pull/691) fixed an issue where workspace dependencies that used the current dir '.' path component would incorrectly trigger the `unused-workspace-dependency` lint.

docs/src/checks/cfg.md

@@ -72,6 +72,10 @@ If set, and `--features` is not specified on the cmd line, these features will b
 
 If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks. This option can also be enabled on cmd line with `--exclude-dev` either [before](../cli/common.md#--exclude-dev) or [after](../cli/check.md#--exclude-dev) the `check` subcommand.
 
+### The `exclude-unpublished` field (optional)
+
+If set to `true`, workspace crates marked as `publish = false` will not be used as roots in the dependency graph, meaning they, and any dependencies they have that aren't directly or indirectly referenced by workspace crates that _are_ published, will be excluded from the dependency graph that checks are executed against.
+
 ## The `output` field (optional)
 
 ### The `feature-depth` field (optional)

docs/src/cli/common.md

@@ -72,6 +72,31 @@ Possible values:
 
 One or more platforms to filter crates with. If a dependency is target specific, it will be ignored if it does not match at least 1 of the specified targets. This overrides the top-level [`targets = []`](../checks/cfg.md) configuration value.
 
-### `--offline`
+### `--exclude-unpublished`
 
-Disables network I/O.
+If set, exclude unpublished workspace members from graph roots.
+
+Workspace members are considered unpublished if they they are explicitly marked with `publish = false`. Note that the excluded workspace members are still used for the initial dependency resolution by cargo, which might affect the exact version of used dependencies.
+
+### `--allow-git-index`
+
+If set, the crates.io git index is initialized for use in fetching crate information, otherwise it is enabled only if using a cargo < 1.70.0 without the sparse protocol enabled
+
+### [`--locked`](https://doc.rust-lang.org/cargo/commands/cargo-fetch.html#option-cargo-fetch---locked)
+
+Asserts that the exact same dependencies and versions are used as when the existing Cargo.lock file was originally generated. Cargo will exit with an error when either of the following scenarios arises:
+
+* The lock file is missing.
+* Cargo attempted to change the lock file due to a different dependency resolution.
+
+### [`--offline`](https://doc.rust-lang.org/cargo/commands/cargo-fetch.html#option-cargo-fetch---offline)
+
+Prevents Cargo and `cargo-deny` from accessing the network for any reason. Without this flag, Cargo will stop with an error if it needs to access the network and the network is not available. With this flag, Cargo will attempt to proceed without the network if possible.
+
+Beware that this may result in different dependency resolution than online mode. Cargo will restrict itself to crates that are downloaded locally, even if there might be a newer version as indicated in the local copy of the index. See the cargo-fetch(1) command to download dependencies before going offline.
+
+`cargo-deny` will also not fetch advisory databases with this option, meaning that any new or updated advisories since the last time the database(s) were fetched won't be known and thus won't be checked against the dependency graph.
+
+### [`--frozen`](https://doc.rust-lang.org/cargo/commands/cargo-fetch.html#option-cargo-fetch---frozen)
+
+Equivalent to specifying both `--locked` and `--offline`.

docs/src/cli/list.md

@@ -4,6 +4,12 @@ Similarly to [cargo-license](https://github.com/onur/cargo-license), `list` prin
 
 ## Options
 
+### `-c, --config <CONFIG>`
+
+Path to the config to use
+
+Defaults to `<cwd>/deny.toml` if not specified
+
 ### `-f, --format`
 
 The format of the output
@@ -12,13 +18,7 @@ The format of the output
 * `json`
 * `tsv`
 
-### `--color`
-
-Output coloring, only applies to the `human` format.
-
-* `auto` (default) - Only colors if stdout is a TTY
-* `always` - Always emits colors
-* `never` - Never emits colors
+### [`--color`](../cli/common.md#--color)
 
 Colors:
 

src/cargo-deny/main.rs

@@ -79,30 +79,31 @@ pub(crate) struct GraphContext {
     /// Space or comma separated list of features to activate
     #[arg(long, value_delimiter = ',')]
     pub(crate) features: Vec<String>,
-    /// Require Cargo.lock and cache are up to date
+    /// Equivalent to specifying both `--locked` and `--offline`
     #[arg(long)]
     pub(crate) frozen: bool,
-    /// Require Cargo.lock is up to date
-    #[arg(long)]
-    pub(crate) locked: bool,
     /// Run without accessing the network.
     ///
     /// If used with the `check` subcommand, this disables advisory database
     /// fetching
     #[arg(long)]
     pub(crate) offline: bool,
+    /// Assert that `Cargo.lock` will remain unchanged
+    #[arg(long)]
+    pub(crate) locked: bool,
     /// If set, the crates.io git index is initialized for use in fetching crate information, otherwise it is enabled
     /// only if using a cargo < 1.70.0 without the sparse protocol enabled
     #[arg(long)]
     pub(crate) allow_git_index: bool,
-    #[arg(long)]
     /// If set, excludes all dev-dependencies, not just ones for non-workspace crates
-    pub(crate) exclude_dev: bool,
     #[arg(long)]
+    pub(crate) exclude_dev: bool,
     /// If set, exclude unpublished workspace members from graph roots.
-    /// Workspace members are considered unpublished if they they are explicitly marked with `publish = false` as such.
+    ///
+    /// Workspace members are considered unpublished if they they are explicitly marked with `publish = false`.
     /// Note that the excluded workspace members are still used for the initial dependency resolution by cargo,
     /// which might affect the exact version of used dependencies.
+    #[arg(long)]
     pub(crate) exclude_unpublished: bool,
 }
 

src/sources/cfg.rs

@@ -157,15 +157,6 @@ impl cfg::UnvalidatedConfig for Config {
 
             if let Some(start_scheme) = astr.find("://") {
                 if let Some(i) = astr[..start_scheme].find('+') {
-                    ctx.push(
-                        Diagnostic::warning()
-                            .with_message("scheme modifiers are unnecessary")
-                            .with_labels(vec![Label::primary(
-                                ctx.cfg_id,
-                                aurl.span.start..aurl.span.start + start_scheme,
-                            )]),
-                    );
-
                     skip = i + 1;
                 }
             }

src/sources/snapshots/cargo_deny__sources__cfg__test__deserializes_sources_cfg.snap

@@ -1,9 +1,6 @@
 ---
 source: src/sources/cfg.rs
 expression: diags
+snapshot_kind: text
 ---
-warning: scheme modifiers are unnecessary
-  ┌─ tests/cfg/sources.toml:7:6
-  │
-7 │     "sparse+https://fake.sparse.com",
-  │      ━━━━━━━━━━━━
+

tests/snapshots/cargo_deny__test__cargo_deny.snap

@@ -1,6 +1,7 @@
 ---
 source: src/cargo-deny/main.rs
 expression: help_text
+snapshot_kind: text
 ---
 Cargo plugin to help you manage large dependency graphs
 
@@ -73,24 +74,26 @@ Options:
           Space or comma separated list of features to activate
 
       --frozen
-          Require Cargo.lock and cache are up to date
-
-      --locked
-          Require Cargo.lock is up to date
+          Equivalent to specifying both `--locked` and `--offline`
 
       --offline
           Run without accessing the network.
 
           If used with the `check` subcommand, this disables advisory database fetching
 
+      --locked
+          Assert that `Cargo.lock` will remain unchanged
+
       --allow-git-index
           If set, the crates.io git index is initialized for use in fetching crate information, otherwise it is enabled only if using a cargo < 1.70.0 without the sparse protocol enabled
 
       --exclude-dev
           If set, excludes all dev-dependencies, not just ones for non-workspace crates
 
       --exclude-unpublished
-          If set, exclude unpublished workspace members from graph roots. Workspace members are considered unpublished if they they are explicitly marked with `publish = false` as such. Note that the excluded workspace members are still used for the initial dependency resolution by cargo, which might affect the exact version of used dependencies
+          If set, exclude unpublished workspace members from graph roots.
+
+          Workspace members are considered unpublished if they they are explicitly marked with `publish = false`. Note that the excluded workspace members are still used for the initial dependency resolution by cargo, which might affect the exact version of used dependencies.
 
   -h, --help
           Print help (see a summary with '-h')