
Use cargo-deny for dependency linting #130

Draft

WillowGriffiths wants to merge 3 commits into main from add-cargo-deny

Conversation

@WillowGriffiths (Collaborator) commented Apr 14, 2026

This would prevent issues like #127 from cropping up in the future by using cargo-deny to lint dependencies for license conflicts and security advisories.

Considerations before merging:

  • Currently a number of unmaintained packages down the dependency graph are added to cargo-deny's 'ignore' list as they would otherwise be counted as blocking security advisories.

  • Gating the CI pipeline on security advisories may be problematic; it could begin to fail suddenly if a new security advisory is added to the registry.

  • #127 (ranges dependency uses LGPL-3.0-or-later license) must be fixed before the new tests can pass.

  • cargo-deny also flags up a few duplicate dependencies. Should this be considered important?

  • Tests pass

  • Appropriate changes to README are included in PR

Depends on #131.

The project currently fails due to the ranges crate's LGPL license (see #127). In addition, some unmaintained dependencies were added to the advisories ignore list. Perhaps this should be investigated.
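As an added illustration of the setup this PR describes, and not the project's own deny.toml, the configuration below shows how the four concerns raised above map onto cargo-deny sections: a license allow-list (so a copyleft crate such as the LGPL-3.0-or-later `ranges` dependency from #127 is rejected rather than silently accepted), unmaintained-crate advisories handled by the `unmaintained` setting instead of a per-crate `ignore` list (this key is assumed to require cargo-deny 0.15 or later and is a substitute for the ignore entries the PR mentions), duplicate versions downgraded to warnings until they are triaged, and dependency sources pinned to crates.io. The allowed-license list, the placeholder advisory ID and the commented-out exception are assumptions for illustration, not the project's policy.

```toml
# deny.toml: added example, not the configuration from this PR.
# Assumes cargo-deny 0.15 or later.

[advisories]
# A yanked crate is a signal the author withdrew it: fail the build.
yanked = "deny"
# Unmaintained advisories from the RustSec database. Instead of listing
# each affected crate under `ignore`, fail only for crates the workspace
# depends on directly and warn for transitive ones. (Assumed key/values:
# "all", "workspace", "transitive", "none".)
unmaintained = "workspace"
# Per-advisory ignores stay explicit, with a reason, so they can be
# re-audited. The ID below is a placeholder, not a real advisory.
ignore = [
    { id = "RUSTSEC-0000-0000", reason = "placeholder: replace with the real advisory ID and why it does not apply" },
]

[licenses]
# An allow-list, never a deny-list: anything not named here fails
# `cargo deny check licenses`. The entries are an assumed starting point.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
]
# Minimum confidence for cargo-deny's license-text classifier.
confidence-threshold = 0.8
# Exceptions are scoped to a named crate so they cannot widen by accident.
# Shape only: #127 should be fixed, not excepted, so the entry stays commented.
exceptions = [
    # { allow = ["LGPL-3.0-or-later"], crate = "ranges" },
]

[bans]
# Duplicate versions of one crate (the open question in the PR): warn so
# the pipeline is not gated on them until they have been triaged.
multiple-versions = "warn"
# A wildcard version requirement in the workspace defeats lockfile review.
wildcards = "deny"
# Crates to refuse outright, each with a reason (shape only).
deny = [
    # { crate = "openssl", reason = "assumed example: prefer rustls" },
]

[sources]
# Anything not served from crates.io must be listed explicitly.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

`cargo deny check` runs all four sections; `cargo deny check licenses`, `cargo deny check bans`, `cargo deny check sources` and `cargo deny check advisories` run one each. On the CI-gating concern raised above, one workable split is to make the licenses, bans and sources checks a required job (they only change when the lockfile changes) and run the advisories check as a scheduled job that opens an issue, so a newly published RustSec advisory does not start failing unrelated pull requests.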
