Provide utilities to respond to cargo deny bans check lints #561

Open
Veetaha opened this issue Sep 7, 2023 · 0 comments
Veetaha commented Sep 7, 2023

In our private repository we have more than 100 duplicate dependencies, and deduplicating them is painful. It is also painful to maintain the deny.toml file with all the bans.skip and bans.skip_tree entries manually.

In fact, even though bans.skip_tree is intended as a "wildcard skip", this one hides too many things, and naive developers sometimes put the skip config under skip_tree by mistake, thereby making things even worse.

I developed a nushell script that automates the management of deny.toml by generating the skip configuration and automates running the granular cargo update command to try updating the dependencies within the compatible ranges to avoid duplicates.

I wrote some docs in our private notion knowledgebase, but published it to the public under this link.

I think the nushell script I developed there could already be used by anyone to automate the maintenance of the deny.toml file, and it could also be used as a good POC for rewriting this implementation in Rust and including it into cargo-deny.

Generate the bans.skip configuration automatically

cargo deny has enough information to be able to generate the bans.skip list automatically. There could be a command in cargo deny that does the same thing as the deny.nu skips command in the script shared above.

However, cargo-deny could benefit from the toml_edit Rust crate to make the modifications in deny.toml without requiring the user to copy and paste the TOML output from the terminal.

More info in the post

Run cargo update with all the parent packages of the duplicate dependency

If you run deny.nu dedup, it will run the cargo update command, but it will take care to pass -p parameters with the package names that comprise the parent crates for the duplicate. This way you can granularly update the dependency tree.

More info in the post
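As an added illustration of the two commands proposed in this issue (this is neither the deny.nu script nor cargo-deny's own code), the Python below takes a constructed, cut-down `cargo metadata` JSON, lists the crate versions that are resolved more than once, emits the matching bans.skip entries for deny.toml, and assembles the per-parent `cargo update -p` invocation. The numeric version ordering and the `name`/`version` skip form are assumptions for the sample.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `cargo metadata --format-version 1`, cut to the fields used.
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "app", "version": "0.1.0", "id": "app 0.1.0"},
        {"name": "serde_derive", "version": "1.0.1", "id": "serde_derive 1.0.1"},
        {"name": "old-macro", "version": "0.3.0", "id": "old-macro 0.3.0"},
        {"name": "syn", "version": "2.0.1", "id": "syn 2.0.1"},
        {"name": "syn", "version": "1.0.9", "id": "syn 1.0.9"},
    ],
    "resolve": {"nodes": [
        {"id": "app 0.1.0", "dependencies": ["serde_derive 1.0.1", "old-macro 0.3.0"]},
        {"id": "serde_derive 1.0.1", "dependencies": ["syn 2.0.1"]},
        {"id": "old-macro 0.3.0", "dependencies": ["syn 1.0.9"]},
        {"id": "syn 2.0.1", "dependencies": []},
        {"id": "syn 1.0.9", "dependencies": []},
    ]},
})

def _version_key(ver):
    # Plain x.y.z versions only (enough for the sample); pre-release tags are not handled.
    return tuple(int(part) for part in ver.split("."))

def find_duplicates(metadata_json):
    """Crate name -> ascending list of versions, for crates resolved more than once."""
    by_name = defaultdict(set)
    for pkg in json.loads(metadata_json)["packages"]:
        by_name[pkg["name"]].add(pkg["version"])
    return {n: sorted(v, key=_version_key) for n, v in by_name.items() if len(v) > 1}

def skip_entries(metadata_json):
    """deny.toml `bans.skip` lines: skip every duplicate except its newest version."""
    return [f'{{ name = "{name}", version = "={ver}" }},'
            for name, versions in sorted(find_duplicates(metadata_json).items())
            for ver in versions[:-1]]

def parents_of_duplicates(metadata_json):
    """Direct dependents of any duplicated crate version: the `cargo update -p` targets."""
    meta = json.loads(metadata_json)
    id_to_pkg = {p["id"]: (p["name"], p["version"]) for p in meta["packages"]}
    dups = find_duplicates(metadata_json)
    dup_ids = {i for i, (n, _) in id_to_pkg.items() if n in dups}
    return sorted(id_to_pkg[node["id"]][0] for node in meta["resolve"]["nodes"]
                  if dup_ids & set(node["dependencies"]))

def update_command(metadata_json):
    """Granular update: one -p per parent instead of a blanket `cargo update`."""
    return "cargo update " + " ".join(f"-p {p}" for p in parents_of_duplicates(metadata_json))
```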
