Wildcard version warnings generated for local file dependencies #241

Open
repi opened this issue Aug 10, 2020 · 5 comments
Labels
bug Something isn't working

Comments

@repi
Contributor

repi commented Aug 10, 2020

PR #227 seems to generate wildcard warnings when using standard path dependencies and specifying no version (as one is using the local file version), don't think that should generate warnings.

Such as:

```toml
[dependencies]
telemetry = { path = "../telemetry" }
```

Think we should only generate wildcard warnings when one is explicitly using the version field for the crates.io version.

Note that one can also use both a path dependency and a version dependency, where building locally uses the path dependency and building from a crates.io published dependency uses the specific version, then the wildcard warning should still trigger if using wildcard version:

```toml
[dependencies]
telemetry = { path = "../telemetry", version = "*" }
```

cc @khodzha @Jake-Shadle

@repi repi added the bug Something isn't working label Aug 10, 2020
@khodzha
Contributor

khodzha commented Aug 18, 2020

I dug around a bit and couldn't find a way to distinguish `{ path = "../telemetry", version = "*" }` and `{ path = "../telemetry" }` based on cargo metadata output 😞

@repi
Contributor Author

repi commented Aug 18, 2020

Ouch that is unfortunate, this we do have to have some solution for as it is very common, hmm. Maybe one has to extend cargo-metadata to distinguish it there (if possible) and expose that?

@Stupremee
Contributor

I don't think that's possible because not even cargo knows that. (At least their metadata output)

@Jake-Shadle
Member

This relates a bit to #136, where the intention would be to actually properly parse Cargo.toml manifests for doing error reporting, so having that utility (probably in a separate crate, e.g. krates probably) would mean you could query both the cargo metadata, but also the actual entry in the manifest to distinguish between them for special cases such as this.

repi added a commit that referenced this issue Aug 27, 2020
At least until #241 has been resolved, because right now every project using cargo-deny will get warnings by default on all of their valid local file dependencies. Which is not a great default
mergify bot pushed a commit that referenced this issue Aug 27, 2020
At least until #241 has been resolved, because right now every project using cargo-deny will get warnings by default on all of their valid local file dependencies. Which is not a great default
@jplatte
Contributor

jplatte commented Feb 15, 2021

It would be nice if I could configure cargo-deny to only warn on / error on wildcard registry dependencies (not git or path dependencies), regardless of whether it was specified explicitly or not.
