fix(deps): update dependency cargo-deny to v0.19.4 #478

Merged: jerusdp merged 1 commit into main from renovate/ci-security-tools on Apr 18, 2026

@renovate renovate Bot commented Apr 18, 2026

This PR contains the following updates:

Package | Update | Change
cargo-deny | patch | 0.19.0 → 0.19.4

Release Notes

EmbarkStudios/cargo-deny (cargo-deny)

v0.19.4

Fixed
  • PR#847 and PR#848 resolved #846, which was an advisory parsing bug that only affected Windows.

v0.19.3

Fixed

v0.19.2

Fixed

v0.19.1

Fixed
  • PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
  • PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #829.
  • PR#840 resolved #797 by passing --filter-platform when collecting cargo metadata if only a single target was requested either in the config or via the command line.
  • PR#841 fixed an issue where --frozen would not disable fetching of the advisory DB, resolving #759.
  • PR#842 and PR#844 updated crates. Notably krates was updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.
    • EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its lib target renamed by the package author.
    • EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.
Changed
  • PR#830 removed gix in favor of shelling out to git. This massively improves build times and eases maintenance as gix bumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't have git available, the advisory database would need to be updated before calling cargo-deny.
  • PR#838 removed rustsec in favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 05:59 AM, on day 3 of the month (* 0-5 3 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from jerusdp as a code owner April 18, 2026 05:35
@jerus-pcu jerus-pcu Bot added the rebase Label to trigger rebase label Apr 18, 2026
@renovate renovate Bot removed the rebase Label to trigger rebase label Apr 18, 2026
@renovate renovate Bot force-pushed the renovate/ci-security-tools branch from 3c46c29 to 0f76008 April 18, 2026 05:53
@sonarqubecloud
@jerusdp jerusdp enabled auto-merge April 18, 2026 05:58
@jerusdp jerusdp merged commit 6062cf4 into main Apr 18, 2026
5 checks passed
@jerusdp jerusdp deleted the renovate/ci-security-tools branch April 18, 2026 06:12