feat: replace cargo audit with cargo deny #1597
Conversation
| #db-urls = ["https://github.com/rustsec/advisory-db"] | ||
| # A list of advisory IDs to ignore. Note that ignored advisories will still | ||
| # output a note when they are encountered. | ||
| ignore = [ |
There was a problem hiding this comment.
Currently suppressed advisories.
There was a problem hiding this comment.
It would be good to get @Stebalien's opinions on this since I don't know cargo very deeply. But as it is this looks like a strict improvement to me.
| "RUSTSEC-2024-0370", # proc-macro-error is unmaintained | ||
| "RUSTSEC-2024-0384", # instant is unmaintained | ||
| "RUSTSEC-2024-0421", # idna version is too old | ||
| "RUSTSEC-2021-0145", # atty issue | ||
| "RUSTSEC-2024-0375", # atty unmaintained | ||
| "RUSTSEC-2024-0402", # hashbrown issue |
There was a problem hiding this comment.
All except "RUSTSEC-2024-0384" should be fixed by #1599. Unfortunately, we still pull in instant because ethers is deprecated.
There was a problem hiding this comment.
I'd merge this as-is, then update the deps later.
|
By "I'd merge this" I guess I mean "I'm merging this". CI is currently broken. |
Makes sense, I'll cut the excessive fat in a follow-up PR. |
Replaced cargo audit with a more comprehensive cargo deny. Note that the currently used Cargo Audit Action is no longer maintained and repository archived.
The included
deny.toml(mostly generated withcargo deny init) includes advisory exceptions on dependencies, which should be eventually tackled. I can create corresponding issues - from a quick glimpse most have a known solution (update or replace the dep with a maintained one).We might want to further customize the configuration file, e.g. if licensing is something we need to watch for.