diff --git a/docs/src/checks/bans/cfg.md b/docs/src/checks/bans/cfg.md index 6649e461..ab6b75aa 100644 --- a/docs/src/checks/bans/cfg.md +++ b/docs/src/checks/bans/cfg.md @@ -16,6 +16,10 @@ Determines what happens when multiple versions of the same crate are encountered * `warn` (default) - Prints a warning for each crate with duplicates, but does not fail the check. * `allow` - Ignores duplicate versions of the same crate. +### The `multiple-versions-include-dev` field (optional) + +If `true`, `dev-dependencies` are included when checking for multiple versions of crates. By default this is false, and any crates that are only reached via dev dependency edges are ignored when checking for multiple versions. Note that this also means that `skip` and `skip` tree are not used, which may lead to warnings about unused configuration. + ### The `wildcards` field (optional) Determines what happens when a dependency is specified with the `*` (wildcard) version. diff --git a/docs/src/checks/cfg.md b/docs/src/checks/cfg.md index 56f6bbd8..cc5f8f78 100644 --- a/docs/src/checks/cfg.md +++ b/docs/src/checks/cfg.md 
@@ -28,15 +28,15 @@ The `targets` field allows you to specify one or more targets which you **actual The [target triple](https://forge.rust-lang.org/release/platform-support.html) for the target you wish to filter target specific dependencies with. If the target triple specified is **not** one of the targets builtin to `rustc`, the configuration check for that target will be limited to only the raw `[target..dependencies]` style of target configuration, as `cfg()` expressions require us to know the details about the target. -#### The `exclude` field (optional) +#### The `targets.features` field (optional) -Just as with the [`--exclude`](../cli/common.md#--exclude) command line option, this field allows you to specify one or more [Package ID specifications](https://doc.rust-lang.org/cargo/commands/cargo-pkgid.html) that will cause the crate(s) in question to be excluded from the crate graph that is used for the operation you are performing. +Rust `cfg()` expressions support the [`target_feature = "feature-name"`](https://doc.rust-lang.org/reference/attributes/codegen.html#the-target_feature-attribute) predicate, but at the moment, the only way to actually pass them when compiling is to use the `RUSTFLAGS` environment variable. The `features` field allows you to specify 1 or more `target_feature`s you plan to build with, for a particular target triple. At the time of this writing, cargo-deny does not attempt to validate that the features you specify are actually valid for the target triple, but this is [planned](https://github.com/EmbarkStudios/cfg-expr/issues/1). -Note that excluding a crate is recursive, if any of its transitive dependencies are only referenced via the excluded crate, they will also be excluded from the crate graph. 
+### The `exclude` field (optional) -#### The `features` field (optional) +Just as with the [`--exclude`](../cli/common.md#--exclude) command line option, this field allows you to specify one or more [Package ID specifications](https://doc.rust-lang.org/cargo/commands/cargo-pkgid.html) that will cause the crate(s) in question to be excluded from the crate graph that is used for the operation you are performing. -Rust `cfg()` expressions support the [`target_feature = "feature-name"`](https://doc.rust-lang.org/reference/attributes/codegen.html#the-target_feature-attribute) predicate, but at the moment, the only way to actually pass them when compiling is to use the `RUSTFLAGS` environment variable. The `features` field allows you to specify 1 or more `target_feature`s you plan to build with, for a particular target triple. At the time of this writing, cargo-deny does not attempt to validate that the features you specify are actually valid for the target triple, but this is [planned](https://github.com/EmbarkStudios/cfg-expr/issues/1). +Note that excluding a crate is recursive, if any of its transitive dependencies are only referenced via the excluded crate, they will also be excluded from the crate graph. ### The `all-features` field (optional) 
@@ -54,6 +54,10 @@ If set, and `--features` is not specified on the cmd line, these features will b The maximum depth that features will be displayed when inclusion graphs are included in diagnostics, unless specified via `--feature-depth` on the command line. Only applies to diagnostics that actually print features. If not specified defaults to `1`. +### The `exclude-dev` field (optional) + +If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks. This option can also be enabled on cmd line with `--exclude-dev` either [before](../cli/common.md#--exclude-dev) or [after](../cli/check.md#--exclude-dev) the `check` subcommand. + ### The `[licenses]` section See the [licenses config](licenses/cfg.html) for more info. diff --git a/docs/src/checks/licenses/cfg.md b/docs/src/checks/licenses/cfg.md index 9e02d0a6..00c07e32 100644 --- a/docs/src/checks/licenses/cfg.md +++ b/docs/src/checks/licenses/cfg.md @@ -41,6 +41,10 @@ allow = [ ] ``` +### The `include-dev` field (optional) + +If `true`, licenses are checked even for `dev-dependencies`. By default this is false as `dev-dependencies` are not used by downstream crates, nor part of binary artifacts. + ### The `unlicensed` field (optional) Determines what happens when a crate has not explicitly specified its license terms, and no license information could be confidently detected via `LICENSE*` files in the crate's source. diff --git a/docs/src/cli/check.md b/docs/src/cli/check.md index 7e828fcc..ad3692a8 100644 --- a/docs/src/cli/check.md +++ b/docs/src/cli/check.md @@ -36,6 +36,10 @@ When running the `advisories` check, the configured advisory database will be fe This option is also set if the `--offline` flag is used in the global options. +### `--exclude-dev` + +If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks. + ### `-D, --deny ` Set lint denied 
diff --git a/docs/src/cli/common.md b/docs/src/cli/common.md index b27af45c..5a66305a 100644 --- a/docs/src/cli/common.md +++ b/docs/src/cli/common.md @@ -24,6 +24,10 @@ Space-separated list of features to enable when determining which crates to cons Forces all workspace crates to be used as roots in the crate graph that we operate on, unless they are excluded by other means. By default, if you specify a [virtual manifest](https://doc.rust-lang.org/cargo/reference/manifest.html#virtual-manifest), all crates in the workspace will be used as roots. However, if you specify a normal package manifest somewhere inside a workspace, only that crate will be used as a graph root, and only other workspaces crates it depends on will be included in the graph. If you want to specify a sub-crate in a workspace, but still include all other crates in the workspace, you can use this flag. +### `--exclude-dev` + +If set to `true`, all `dev-dependencies`, even one for workspace crates, are not included in the crate graph used for any of the checks. + ### `--exclude` Exclude the specified package(s) from the crate graph. Unlike other cargo subcommands, it doesn't have to be used in conjunction with the `--workspace` flag. This flag may be specified multiple times. diff --git a/src/cargo-deny/check.rs b/src/cargo-deny/check.rs index 35060fc4..286456ad 100644 --- a/src/cargo-deny/check.rs +++ b/src/cargo-deny/check.rs 
@@ -93,6 +93,9 @@ pub struct Args { /// When running the `advisories` check, the configured advisory database will be fetched and opened. If this flag is passed, the database won't be fetched, but an error will occur if it doesn't already exist locally. #[arg(short, long)] pub disable_fetch: bool, + /// If set, excludes all dev-dependencies, not just ones for non-workspace crates + #[arg(long)] + pub exclude_dev: bool, /// To ease transition from cargo-audit to cargo-deny, this flag will tell cargo-deny to output the exact same output as cargo-audit would, to `stdout` instead of `stderr`, just as with cargo-audit. /// /// Note that this flag only applies when the output format is JSON, and note that since cargo-deny supports multiple advisory databases, instead of a single JSON object, there will be 1 for each unique advisory database. @@ -131,7 +134,7 @@ struct Config { no_default_features: bool, /// By default, dev dependencies for workspace crates are not ignored #[serde(default)] - ignore_dev_dependencies: bool, + exclude_dev: bool, } struct ValidConfig { @@ -145,7 +148,7 @@ struct ValidConfig { feature_depth: Option, all_features: bool, no_default_features: bool, - ignore_dev_dependencies: bool, + exclude_dev: bool, } impl ValidConfig { @@ -216,7 +219,7 @@ impl ValidConfig { let all_features = cfg.all_features; let no_default_features = cfg.no_default_features; let features = cfg.features; - let ignore_dev_dependencies = cfg.ignore_dev_dependencies; + let exclude_dev = cfg.exclude_dev; ( diags, @@ -231,7 +234,7 @@ impl ValidConfig { all_features, no_default_features, features, - ignore_dev_dependencies, + exclude_dev, }, ) }; @@ -282,7 +285,7 @@ pub(crate) fn cmd( all_features, no_default_features, features, - ignore_dev_dependencies, + exclude_dev, } = ValidConfig::load( krate_ctx.get_config_path(args.config.clone()), krate_ctx.get_local_exceptions_path(), 
@@ -315,23 +318,15 @@ pub(crate) fn cmd( let feature_depth = args.feature_depth.or(feature_depth); - // If not specified on the cmd line, fallback to the feature related config options - if !krate_ctx.all_features { - krate_ctx.all_features = all_features; - } - - if !krate_ctx.no_default_features { - krate_ctx.no_default_features = no_default_features; - } + krate_ctx.all_features |= all_features; + krate_ctx.no_default_features |= no_default_features; + krate_ctx.exclude_dev |= exclude_dev | args.exclude_dev; + // If not specified on the cmd line, fallback to the feature related config options if krate_ctx.features.is_empty() { krate_ctx.features = features; } - if !krate_ctx.ignore_dev { - krate_ctx.ignore_dev = ignore_dev_dependencies; - } - let mut krates = None; let mut license_store = None; let mut advisory_dbs = None; diff --git a/src/cargo-deny/common.rs b/src/cargo-deny/common.rs index 108c6131..9e4afc57 100644 --- a/src/cargo-deny/common.rs +++ b/src/cargo-deny/common.rs @@ -62,7 +62,7 @@ pub struct KrateContext { /// If true, allows using the crates.io git index, otherwise the sparse index /// is assumed to be the only index pub allow_git_index: bool, - pub ignore_dev: bool, + pub exclude_dev: bool, } impl KrateContext { @@ -182,7 +182,7 @@ impl KrateContext { gb.ignore_kind( DepKind::Dev, - if self.ignore_dev { + if self.exclude_dev { krates::Scope::All } else { krates::Scope::NonWorkspace diff --git a/src/cargo-deny/main.rs b/src/cargo-deny/main.rs index 4838766c..740dd74f 100644 --- a/src/cargo-deny/main.rs +++ b/src/cargo-deny/main.rs @@ -96,8 +96,8 @@ pub(crate) struct GraphContext { #[arg(long)] pub(crate) allow_git_index: bool, #[arg(long)] - /// If set, ignores all dev dependencies, not just ones for non-workspace crates - pub(crate) ignore_dev: bool, + /// If set, excludes all dev-dependencies, not just ones for non-workspace crates + pub(crate) exclude_dev: bool, } /// Lints your project's crate graph 
@@ -296,7 +296,7 @@ fn real_main() -> Result<(), Error> { locked: args.ctx.locked, offline: args.ctx.offline, allow_git_index: args.ctx.allow_git_index, - ignore_dev: args.ctx.ignore_dev, + exclude_dev: args.ctx.exclude_dev, }; let log_ctx = crate::common::LogContext { diff --git a/src/licenses/cfg.rs b/src/licenses/cfg.rs index 3a277334..1c013ac6 100644 --- a/src/licenses/cfg.rs +++ b/src/licenses/cfg.rs @@ -172,7 +172,7 @@ pub struct Config { /// If true, performs license checks for dev-dependencies for workspace /// crates as well #[serde(default)] - pub include_dev_dependencies: bool, + pub include_dev: bool, } impl Default for Config { @@ -189,7 +189,7 @@ impl Default for Config { allow: Vec::new(), clarify: Vec::new(), exceptions: Vec::new(), - include_dev_dependencies: false, + include_dev: false, } } } @@ -344,7 +344,7 @@ impl crate::cfg::UnvalidatedConfig for Config { denied, allowed, ignore_sources, - include_dev_dependencies: self.include_dev_dependencies, + include_dev: self.include_dev, } } } @@ -440,7 +440,7 @@ pub struct ValidConfig { pub clarifications: Vec, pub exceptions: Vec, pub ignore_sources: Vec, - pub include_dev_dependencies: bool, + pub include_dev: bool, } #[cfg(test)] diff --git a/src/licenses/gather.rs b/src/licenses/gather.rs index 61c4f48c..62813004 100644 --- a/src/licenses/gather.rs +++ b/src/licenses/gather.rs @@ -464,7 +464,7 @@ impl Gatherer { let files_lock = std::sync::Arc::new(parking_lot::RwLock::new(files)); // Most users will not care about licenses for dev dependencies - let krates = if cfg.map_or(false, |cfg| cfg.include_dev_dependencies) { + let krates = if cfg.map_or(false, |cfg| cfg.include_dev) { krates.krates().collect() } else { krates.krates_filtered(krates::DepKind::Dev) diff --git a/tests/licenses.rs b/tests/licenses.rs index 6a34448d..b76309d6 100644 --- a/tests/licenses.rs +++ b/tests/licenses.rs 
@@ -291,7 +291,7 @@ fn handles_dev_dependencies() { r#" allow = ['Apache-2.0'] deny = ['GPL-3.0'] -include-dev-dependencies = true +include-dev = true "#, ); diff --git a/tests/snapshots/cargo_deny__test__cargo_deny-check.snap b/tests/snapshots/cargo_deny__test__cargo_deny-check.snap index 1c20a4de..9124a61d 100644 --- a/tests/snapshots/cargo_deny__test__cargo_deny-check.snap +++ b/tests/snapshots/cargo_deny__test__cargo_deny-check.snap @@ -33,6 +33,9 @@ Options: When running the `advisories` check, the configured advisory database will be fetched and opened. If this flag is passed, the database won't be fetched, but an error will occur if it doesn't already exist locally. + --exclude-dev + If set, excludes all dev-dependencies, not just ones for non-workspace crates + --audit-compatible-output To ease transition from cargo-audit to cargo-deny, this flag will tell cargo-deny to output the exact same output as cargo-audit would, to `stdout` instead of `stderr`, just as with cargo-audit. diff --git a/tests/snapshots/cargo_deny__test__cargo_deny.snap b/tests/snapshots/cargo_deny__test__cargo_deny.snap index 22965cff..5884731a 100644 --- a/tests/snapshots/cargo_deny__test__cargo_deny.snap +++ b/tests/snapshots/cargo_deny__test__cargo_deny.snap @@ -86,8 +86,8 @@ Options: --allow-git-index If set, the crates.io git index is initialized for use in fetching crate information, otherwise it is enabled only if using a cargo < 1.70.0 without the sparse protocol enabled - --ignore-dev - If set, ignores all dev dependencies, not just ones for non-workspace crates + --exclude-dev + If set, excludes all dev-dependencies, not just ones for non-workspace crates -h, --help Print help (see a summary with '-h')
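Review bot: In the new `multiple-versions-include-dev` paragraph of docs/src/checks/bans/cfg.md, "`skip` and `skip` tree" looks like a typo for `skip` and `skip-tree`, and the final sentence does not say in which case those entries go unused. If the intent is that, with the default of `false`, entries matching only crates reached through dev-dependency edges are never applied and are therefore reported as unused, please say so explicitly. None of the hunks shown here add this field to the bans configuration code, so the documentation should land together with that change.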
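Review bot: The `exclude-dev` paragraph added to docs/src/checks/cfg.md should spell out what "any of the checks" covers. It includes the `advisories` check, so an advisory affecting a crate reached only through `dev-dependencies` is no longer reported once this is enabled, even though those crates are still compiled and executed when tests run on developer and CI machines. One sentence naming that trade-off would help users decide whether to enable it globally or to rely on the narrower `include-dev` and `multiple-versions-include-dev` settings instead. Also, "even one for workspace crates" should read "even ones for workspace crates"; the same wording is repeated in docs/src/cli/check.md and docs/src/cli/common.md.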
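Review bot: The `--exclude-dev` sections added to docs/src/cli/check.md and docs/src/cli/common.md open with "If set to `true`", but the flag is declared as a plain `#[arg(long)]` on a `bool`, so it is a switch that takes no value. Suggest "If set, ..." to match the help text in the snapshots, and a cross-reference between the two sections so readers know the flag is accepted both before and after the `check` subcommand and that either position enables it.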
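Review bot: In the `Config` hunk of src/cargo-deny/check.rs (and likewise `include_dev_dependencies` to `include_dev` in src/licenses/cfg.rs), the serialized key is renamed with no fallback for the old name. If the old keys shipped in a release, existing `deny.toml` files will either fail to parse or silently lose the setting, depending on how unknown fields are handled, and a silently dropped setting changes which crates get checked. Consider keeping the old spelling via a serde `alias` on the field, or call the rename out in the changelog. The doc comment above the field still says dev dependencies "are not ignored"; it should use the new "excluded" wording.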
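Review bot: In `cmd()` in src/cargo-deny/check.rs, the line `krate_ctx.exclude_dev |= exclude_dev | args.exclude_dev;` merges three sources (the global flag, the config value and the `check`-level flag), but the only remaining comment about precedence now sits above the `features` block. A short comment on the three `|=` lines stating that a `true` from the config cannot be turned off from the command line would make the behaviour explicit. The tests visible in this patch only update the help snapshots and the renamed licenses key; a test that passes `--exclude-dev` after `check` and asserts that workspace dev-dependencies are dropped from the graph would cover the new code path.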
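Review bot: In the `GraphContext` hunk of src/cargo-deny/main.rs, `--ignore-dev` is removed outright in favour of `--exclude-dev`, so any CI invocation still passing the old flag will fail argument parsing. If `--ignore-dev` was released, consider keeping it as an alias on the `#[arg(long)]` attribute for a deprecation period. Minor style point in the same hunk: the `///` doc comment sits below `#[arg(long)]`, whereas the new field in src/cargo-deny/check.rs places the doc comment first; please use one order consistently.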