chore(deps): bump EmbarkStudios/cargo-deny-action from 1 to 2 #45

Merged: nficano merged 2 commits into main from dependabot/github_actions/EmbarkStudios/cargo-deny-action-2 (May 22, 2026)

@dependabot dependabot Bot commented on behalf of github May 22, 2026

Bumps EmbarkStudios/cargo-deny-action from 1 to 2.

Release notes

Sourced from EmbarkStudios/cargo-deny-action's releases.

Release 2.0.19 - cargo-deny 0.19.7

Changed

Release 2.0.18 - cargo-deny 0.19.5

Fixed

Release 2.0.17 - cargo-deny 0.19.2

Fixed

Release 2.0.16 - cargo-deny 0.19.1

Fixed

  • PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
  • PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #829.
  • PR#840 resolved #797 by passing --filter-platform when collecting cargo metadata if only a single target was requested either in the config or via the command line.
  • PR#841 fixed an issue where --frozen would not disable fetching of the advisory DB, resolving #759.
  • PR#842 and PR#844 updated crates. Notably krates was updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.
    • EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its lib target renamed by the package author.
    • EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.

Changed

  • PR#830 removed gix in favor of shelling out to git. This massively improves build times and eases maintenance as gix bumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't have git available, the advisory database would need to be updated before calling cargo-deny.
  • PR#838 removed rustsec in favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.

Release 2.0.15 - cargo-deny 0.19.0

Changed

  • PR#802 made relative paths passed to --config be resolved relative to the current working directory (rather than the resolved manifest path's directory).
  • PR#825 updated gix, reqwest, and tame-index to newer versions. The reqwest 0.13 changes mean it is no longer possible to choose the source of root certificates for gix, so that decision is now left to rustls-platform-verifier. The native-certs feature has thus been removed, and cargo-deny no longer defaults to using webpki-roots.

Fixed

  • PR#802 fixed path handling of paths passed to --config, resolving #748.
  • PR#819 added locations to all SARIF results since that's mandatory for valid SARIF.
  • PR#821 fixed compilation on an Alpine host.

Added

  • PR#795 added [bans.allow-workspace] to allow workspace crates while denying all external crates.
  • PR#800 added [licenses.include-build] to toggle whether build dependencies are included in the license check.
  • PR#823 added [advisories.unused-ignored-advisory] to disable the warning when an advisory is ignored but not encountered in the crate graph.
  • PR#826 added [advisories.unsound] to determine which crates can show unsound advisories, similarly to the unmaintained field. Defaults to workspace crates, ignoring unsound advisories for transitive dependencies, resolving #824.

Release 2.0.14 - cargo-deny 0.18.6

0.18.5

Changed

  • PR#789 changed it so that release binaries are now built with LTO.
  • PR#790 and PR#794 updated various crates.

Added

  • PR#790 added SARIF as an output format, usable via --format sarif. The current output for this format is experimental and may change in future updates.

... (truncated)

Commits

dependabot Bot commented on behalf of github May 22, 2026

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps [EmbarkStudios/cargo-deny-action](https://github.com/embarkstudios/cargo-deny-action) from 1 to 2.
- [Release notes](https://github.com/embarkstudios/cargo-deny-action/releases)
- [Commits](EmbarkStudios/cargo-deny-action@v1...v2)

---
updated-dependencies:
- dependency-name: EmbarkStudios/cargo-deny-action
  dependency-version: '2'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/EmbarkStudios/cargo-deny-action-2 branch from b64b35f to 5c27825 Compare May 22, 2026 14:08
@nficano nficano merged commit 03c69a0 into main May 22, 2026
2 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/EmbarkStudios/cargo-deny-action-2 branch May 22, 2026 15:57