
Treat git dependencies the same as path dependencies for allow-wildcard-paths. #599

Merged (1 commit) on Feb 5, 2024

Conversation

kpreid (Contributor) commented Feb 4, 2024

Fixes #488, making it possible to ban wildcards without also banning git-only dependencies.

This may not be a perfect fit for some use cases — arguably git dependencies are less implicitly-versioned than path dependencies since path dependencies are typically always the same revision of the same repo, but git dependencies might be cargo updated to totally different code. But I can't think of an alternative that's equal-or-better in correctness short of introducing even more configuration.

(I suspect that the whole idea of counting path-only or git-only deps as wildcard versions ever is wrong, because the Cargo documentation says that “…the version key always implies that the package is available in a registry. version, git, and path keys are considered separate locations for resolving the dependency” — which implies that a dep without version is different from a dep with a wildcard version. However, figuring out Cargo's behavior there and how cargo-deny should treat it feels like a rabbit hole I don't want to go down just to fix #488. I left a TODO comment suggesting further consideration.)
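As an added illustration of the configuration this change affects (not code from the PR or from cargo-deny's own documentation), here is a constructed Cargo.toml dependency with a pinned git revision next to a constructed deny.toml that denies wildcard versions; the `wildcards` key under `[bans]`, the crate name, the URL and the rev value are assumptions, and `allow-wildcard-paths` is the setting named in the PR title.

```toml
# Cargo.toml fragment (constructed sample): the dependency is resolved
# only from git and pinned to a fixed commit, with no `version` key.
[dependencies]
some-crate = { git = "https://example.invalid/some-crate.git", rev = "<pinned-commit-sha>" }

# deny.toml fragment (constructed sample): forbid wildcard versions, but
# keep allowing path-only dependencies. With this PR, a git-only dependency
# such as the one above is treated like a path dependency and is no longer
# reported as a wildcard version (the warning described in #488).
[bans]
wildcards = "deny"
allow-wildcard-paths = true
```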

Jake-Shadle (Member) left a comment

Thanks for the PR (and adding a test!)

Successfully merging this pull request may close these issues.

Wildcard version warnings generated git dependencies with fixed commit