Fixup options/cfg names and docs

docs/src/checks/bans/cfg.md

@@ -16,6 +16,10 @@ Determines what happens when multiple versions of the same crate are encountered
 * `warn` (default) - Prints a warning for each crate with duplicates, but does not fail the check.
 * `allow` - Ignores duplicate versions of the same crate.
 
+### The `multiple-versions-include-dev` field (optional)
+
+If `true`, `dev-dependencies` are included when checking for multiple versions of crates. By default this is false, and any crates that are only reached via dev dependency edges are ignored when checking for multiple versions. Note that this also means that `skip` and `skip` tree are not used, which may lead to warnings about unused configuration.
+
 ### The `wildcards` field (optional)
 
 Determines what happens when a dependency is specified with the `*` (wildcard) version.

docs/src/checks/cfg.md

@@ -28,15 +28,15 @@ The `targets` field allows you to specify one or more targets which you **actual
 
 The [target triple](https://forge.rust-lang.org/release/platform-support.html) for the target you wish to filter target specific dependencies with. If the target triple specified is **not** one of the targets builtin to `rustc`, the configuration check for that target will be limited to only the raw `[target.<target-triple>.dependencies]` style of target configuration, as `cfg()` expressions require us to know the details about the target.
 
-#### The `exclude` field (optional)
+#### The `targets.features` field (optional)
 
-Just as with the [`--exclude`](../cli/common.md#--exclude) command line option, this field allows you to specify one or more [Package ID specifications](https://doc.rust-lang.org/cargo/commands/cargo-pkgid.html) that will cause the crate(s) in question to be excluded from the crate graph that is used for the operation you are performing.
+Rust `cfg()` expressions support the [`target_feature = "feature-name"`](https://doc.rust-lang.org/reference/attributes/codegen.html#the-target_feature-attribute) predicate, but at the moment, the only way to actually pass them when compiling is to use the `RUSTFLAGS` environment variable. The `features` field allows you to specify 1 or more `target_feature`s you plan to build with, for a particular target triple. At the time of this writing, cargo-deny does not attempt to validate that the features you specify are actually valid for the target triple, but this is [planned](https://github.com/EmbarkStudios/cfg-expr/issues/1).
 
-Note that excluding a crate is recursive, if any of its transitive dependencies are only referenced via the excluded crate, they will also be excluded from the crate graph.
+### The `exclude` field (optional)
 
-#### The `features` field (optional)
+Just as with the [`--exclude`](../cli/common.md#--exclude) command line option, this field allows you to specify one or more [Package ID specifications](https://doc.rust-lang.org/cargo/commands/cargo-pkgid.html) that will cause the crate(s) in question to be excluded from the crate graph that is used for the operation you are performing.
 
-Rust `cfg()` expressions support the [`target_feature = "feature-name"`](https://doc.rust-lang.org/reference/attributes/codegen.html#the-target_feature-attribute) predicate, but at the moment, the only way to actually pass them when compiling is to use the `RUSTFLAGS` environment variable. The `features` field allows you to specify 1 or more `target_feature`s you plan to build with, for a particular target triple. At the time of this writing, cargo-deny does not attempt to validate that the features you specify are actually valid for the target triple, but this is [planned](https://github.com/EmbarkStudios/cfg-expr/issues/1).
+Note that excluding a crate is recursive, if any of its transitive dependencies are only referenced via the excluded crate, they will also be excluded from the crate graph.
 
 ### The `all-features` field (optional)
 
@@ -54,6 +54,10 @@ If set, and `--features` is not specified on the cmd line, these features will b
 
 The maximum depth that features will be displayed when inclusion graphs are included in diagnostics, unless specified via `--feature-depth` on the command line. Only applies to diagnostics that actually print features. If not specified defaults to `1`.
 
+### The `exclude-dev` field (optional)
+
+If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks. This option can also be enabled on cmd line with `--exclude-dev` either [before](../cli/common.md#--exclude-dev) or [after](../cli/check.md#--exclude-dev) the `check` subcommand.
+
 ### The `[licenses]` section
 
 See the [licenses config](licenses/cfg.html) for more info.

docs/src/checks/licenses/cfg.md

@@ -41,6 +41,10 @@ allow = [
 ]
 ```
 
+### The `include-dev` field (optional)
+
+If `true`, licenses are checked even for `dev-dependencies`. By default this is false as `dev-dependencies` are not used by downstream crates, nor part of binary artifacts.
+
 ### The `unlicensed` field (optional)
 
 Determines what happens when a crate has not explicitly specified its license terms, and no license information could be confidently detected via `LICENSE*` files in the crate's source.

docs/src/cli/check.md

@@ -36,6 +36,10 @@ When running the `advisories` check, the configured advisory database will be fe
 
 This option is also set if the `--offline` flag is used in the global options.
 
+### `--exclude-dev`
+
+If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks.
+
 ### `-D, --deny <DENY>`
 
 Set lint denied

docs/src/cli/common.md

@@ -24,6 +24,10 @@ Space-separated list of features to enable when determining which crates to cons
 
 Forces all workspace crates to be used as roots in the crate graph that we operate on, unless they are excluded by other means. By default, if you specify a [virtual manifest](https://doc.rust-lang.org/cargo/reference/manifest.html#virtual-manifest), all crates in the workspace will be used as roots. However, if you specify a normal package manifest somewhere inside a workspace, only that crate will be used as a graph root, and only other workspaces crates it depends on will be included in the graph. If you want to specify a sub-crate in a workspace, but still include all other crates in the workspace, you can use this flag.
 
+### `--exclude-dev`
+
+If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks.
+
 ### `--exclude`
 
 Exclude the specified package(s) from the crate graph. Unlike other cargo subcommands, it doesn't have to be used in conjunction with the `--workspace` flag. This flag may be specified multiple times.

src/cargo-deny/check.rs

@@ -93,6 +93,9 @@ pub struct Args {
     /// When running the `advisories` check, the configured advisory database will be fetched and opened. If this flag is passed, the database won't be fetched, but an error will occur if it doesn't already exist locally.
     #[arg(short, long)]
     pub disable_fetch: bool,
+    /// If set, excludes all dev-dependencies, not just ones for non-workspace crates
+    #[arg(long)]
+    pub exclude_dev: bool,
     /// To ease transition from cargo-audit to cargo-deny, this flag will tell cargo-deny to output the exact same output as cargo-audit would, to `stdout` instead of `stderr`, just as with cargo-audit.
     ///
     /// Note that this flag only applies when the output format is JSON, and note that since cargo-deny supports multiple advisory databases, instead of a single JSON object, there will be 1 for each unique advisory database.
@@ -131,7 +134,7 @@ struct Config {
     no_default_features: bool,
     /// By default, dev dependencies for workspace crates are not ignored
     #[serde(default)]
-    ignore_dev_dependencies: bool,
+    exclude_dev: bool,
 }
 
 struct ValidConfig {
@@ -145,7 +148,7 @@ struct ValidConfig {
     feature_depth: Option<u32>,
     all_features: bool,
     no_default_features: bool,
-    ignore_dev_dependencies: bool,
+    exclude_dev: bool,
 }
 
 impl ValidConfig {
@@ -216,7 +219,7 @@ impl ValidConfig {
             let all_features = cfg.all_features;
             let no_default_features = cfg.no_default_features;
             let features = cfg.features;
-            let ignore_dev_dependencies = cfg.ignore_dev_dependencies;
+            let exclude_dev = cfg.exclude_dev;
 
             (
                 diags,
@@ -231,7 +234,7 @@ impl ValidConfig {
                     all_features,
                     no_default_features,
                     features,
-                    ignore_dev_dependencies,
+                    exclude_dev,
                 },
             )
         };
@@ -282,7 +285,7 @@ pub(crate) fn cmd(
         all_features,
         no_default_features,
         features,
-        ignore_dev_dependencies,
+        exclude_dev,
     } = ValidConfig::load(
         krate_ctx.get_config_path(args.config.clone()),
         krate_ctx.get_local_exceptions_path(),
@@ -315,23 +318,15 @@ pub(crate) fn cmd(
 
     let feature_depth = args.feature_depth.or(feature_depth);
 
-    // If not specified on the cmd line, fallback to the feature related config options
-    if !krate_ctx.all_features {
-        krate_ctx.all_features = all_features;
-    }
-
-    if !krate_ctx.no_default_features {
-        krate_ctx.no_default_features = no_default_features;
-    }
+    krate_ctx.all_features |= all_features;
+    krate_ctx.no_default_features |= no_default_features;
+    krate_ctx.exclude_dev |= exclude_dev | args.exclude_dev;
 
+    // If not specified on the cmd line, fallback to the feature related config options
     if krate_ctx.features.is_empty() {
         krate_ctx.features = features;
     }
 
-    if !krate_ctx.ignore_dev {
-        krate_ctx.ignore_dev = ignore_dev_dependencies;
-    }
-
     let mut krates = None;
     let mut license_store = None;
     let mut advisory_dbs = None;

src/cargo-deny/common.rs

@@ -62,7 +62,7 @@ pub struct KrateContext {
     /// If true, allows using the crates.io git index, otherwise the sparse index
     /// is assumed to be the only index
     pub allow_git_index: bool,
-    pub ignore_dev: bool,
+    pub exclude_dev: bool,
 }
 
 impl KrateContext {
@@ -182,7 +182,7 @@ impl KrateContext {
 
         gb.ignore_kind(
             DepKind::Dev,
-            if self.ignore_dev {
+            if self.exclude_dev {
                 krates::Scope::All
             } else {
                 krates::Scope::NonWorkspace

src/cargo-deny/main.rs

@@ -96,8 +96,8 @@ pub(crate) struct GraphContext {
     #[arg(long)]
     pub(crate) allow_git_index: bool,
     #[arg(long)]
-    /// If set, ignores all dev dependencies, not just ones for non-workspace crates
-    pub(crate) ignore_dev: bool,
+    /// If set, excludes all dev-dependencies, not just ones for non-workspace crates
+    pub(crate) exclude_dev: bool,
 }
 
 /// Lints your project's crate graph
@@ -296,7 +296,7 @@ fn real_main() -> Result<(), Error> {
         locked: args.ctx.locked,
         offline: args.ctx.offline,
         allow_git_index: args.ctx.allow_git_index,
-        ignore_dev: args.ctx.ignore_dev,
+        exclude_dev: args.ctx.exclude_dev,
     };
 
     let log_ctx = crate::common::LogContext {

src/licenses/cfg.rs

@@ -172,7 +172,7 @@ pub struct Config {
     /// If true, performs license checks for dev-dependencies for workspace
     /// crates as well
     #[serde(default)]
-    pub include_dev_dependencies: bool,
+    pub include_dev: bool,
 }
 
 impl Default for Config {
@@ -189,7 +189,7 @@ impl Default for Config {
             allow: Vec::new(),
             clarify: Vec::new(),
             exceptions: Vec::new(),
-            include_dev_dependencies: false,
+            include_dev: false,
         }
     }
 }
@@ -344,7 +344,7 @@ impl crate::cfg::UnvalidatedConfig for Config {
             denied,
             allowed,
             ignore_sources,
-            include_dev_dependencies: self.include_dev_dependencies,
+            include_dev: self.include_dev,
         }
     }
 }
@@ -440,7 +440,7 @@ pub struct ValidConfig {
     pub clarifications: Vec<ValidClarification>,
     pub exceptions: Vec<ValidException>,
     pub ignore_sources: Vec<url::Url>,
-    pub include_dev_dependencies: bool,
+    pub include_dev: bool,
 }
 
 #[cfg(test)]

src/licenses/gather.rs

@@ -464,7 +464,7 @@ impl Gatherer {
         let files_lock = std::sync::Arc::new(parking_lot::RwLock::new(files));
 
         // Most users will not care about licenses for dev dependencies
-        let krates = if cfg.map_or(false, |cfg| cfg.include_dev_dependencies) {
+        let krates = if cfg.map_or(false, |cfg| cfg.include_dev) {
             krates.krates().collect()
         } else {
             krates.krates_filtered(krates::DepKind::Dev)

tests/licenses.rs

@@ -291,7 +291,7 @@ fn handles_dev_dependencies() {
         r#"
 allow = ['Apache-2.0']
 deny = ['GPL-3.0']
-include-dev-dependencies = true
+include-dev = true
 "#,
     );
 

tests/snapshots/cargo_deny__test__cargo_deny-check.snap

@@ -33,6 +33,9 @@ Options:
 
           When running the `advisories` check, the configured advisory database will be fetched and opened. If this flag is passed, the database won't be fetched, but an error will occur if it doesn't already exist locally.
 
+      --exclude-dev
+          If set, excludes all dev-dependencies, not just ones for non-workspace crates
+
       --audit-compatible-output
           To ease transition from cargo-audit to cargo-deny, this flag will tell cargo-deny to output the exact same output as cargo-audit would, to `stdout` instead of `stderr`, just as with cargo-audit.
 

tests/snapshots/cargo_deny__test__cargo_deny.snap

@@ -86,8 +86,8 @@ Options:
       --allow-git-index
           If set, the crates.io git index is initialized for use in fetching crate information, otherwise it is enabled only if using a cargo < 1.70.0 without the sparse protocol enabled
 
-      --ignore-dev
-          If set, ignores all dev dependencies, not just ones for non-workspace crates
+      --exclude-dev
+          If set, excludes all dev-dependencies, not just ones for non-workspace crates
 
   -h, --help
           Print help (see a summary with '-h')