
chore(deps): Add deny.yaml and a cargo deny CI job to check dependencies

Open iamjpotts opened this issue 2 years ago • 3 comments

cargo deny checks for dependencies with vulnerabilities, vulnerability advisories, unmaintained crates, duplicate dependencies, and other issues.

  • Add deny.yaml
  • Add exceptions for warnings without a resolution available
  • Add the license line license = "MIT OR Apache-2.0" to the sqlx-test crate to satisfy the license checker. This license spec matches what is already in the workspace Cargo.toml file.

iamjpotts avatar Jan 23 '24 03:01 iamjpotts
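A deny.toml expressing the policy the PR description lists (known vulnerabilities fail the job, unmaintained crates and duplicate versions only warn, an explicit exception list, and a license allow list matching the workspace's MIT OR Apache-2.0 spec). This is an added illustration, not the file from the PR; the advisory ID in the ignore list is a placeholder, and the field names follow the cargo-deny 0.14-era schema (newer releases use `version = 2` sections with different defaults).

```toml
# Example deny.toml (added illustration, not the PR's own file).
# Field names follow the cargo-deny 0.14-era schema; check them against the
# release you actually run, since `version = 2` changed several defaults.

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
# A known vulnerability in the dependency tree fails the check.
vulnerability = "deny"
# Unmaintained crates, yanked versions and informational notices only warn,
# so CI does not go red for things no one in the project can act on.
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# Exceptions for warnings without a resolution available. Give each entry a
# comment saying why it is ignored and revisit the list when deps are bumped.
ignore = [
    # "RUSTSEC-0000-0000", # placeholder: replace with the real advisory ID
]

[licenses]
# A crate with no detectable license fails the check.
unlicensed = "deny"
# Anything satisfying the workspace's `license = "MIT OR Apache-2.0"` passes,
# plus a few permissive licenses that commonly appear in the tree.
allow = ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"]
copyleft = "deny"
# Minimum confidence for cargo-deny's license-text detection.
confidence-threshold = 0.8

[bans]
# Duplicate dependency versions are reported but do not fail CI.
multiple-versions = "warn"
wildcards = "allow"
highlight = "all"

[sources]
# Only crates.io is trusted; unknown registries and git sources fail.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

With this file at the workspace root, `cargo deny check` runs all four sections; `cargo deny check advisories` runs only the RUSTSEC part when debugging a red job.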

Made the tempdir -> tempfile replacement its own PR: https://github.com/launchbadge/sqlx/pull/3006

iamjpotts avatar Jan 23 '24 03:01 iamjpotts

Moved env_logger upgrade to its own PR: https://github.com/launchbadge/sqlx/pull/3009.

iamjpotts avatar Jan 23 '24 23:01 iamjpotts

Moved criterion crate upgrade to https://github.com/launchbadge/sqlx/pull/3010.

iamjpotts avatar Jan 23 '24 23:01 iamjpotts

Related: https://github.com/launchbadge/sqlx/issues/1297

iamjpotts avatar Jul 11 '24 02:07 iamjpotts

I'm not super interested in this. Too many RUSTSEC advisories are filed for trivial things like crates being unmaintained (it's only an issue if there's also high-impact bugs and PRs aren't getting merged) and our CI breaks enough as it is. Weak features in Cargo also result in a lot of false-positives (https://github.com/launchbadge/sqlx/issues/3211).

For issues that really matter, people are pretty quick to call them out or open a PR anyway.

abonander avatar Jul 16 '24 00:07 abonander