Bug: git dependencies flagged as wildcard dependencies when using allow-wildcard-paths = true if published to a private registry
#646
Labels: bug (Something isn't working)
Describe the bug
The implementation of #599, fixing #488, correctly addresses the case where a dependency uses `publish = false` in its Cargo.toml. Unfortunately, it does not address the case where the dependency is published to a private registry. #599 made use of the `crate::Krate.is_private` function, but it doesn't pass the declared private registries. These are declared in the licenses section of deny.toml:

I can open a PR with a kludgy implementation that passes the `crate::licenses::cfg::ValidConfig` to `crate::bans::check` so one can extract the private registries before checking if the dependency is private:

However, this does not seem like the best approach, as it mixes configuration contexts across different types of checks, and it seems to me like a more expansive change to the private registry declaration would be needed in order to more cleanly organise the code.
To reproduce
Dependency declared as publishing to a private repo:

.cargo/config.toml file:

deny.toml file:

cargo-deny version
0.14.20
What OS were you running cargo-deny on?
Linux
Additional context
See https://github.com/joaommartins/cargo-deny/tree/fix-private-repo-dependency-wildcard for a wip implementation.
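The following is an added illustration, not configuration from the issue or from the cargo-deny project, of the three pieces of configuration the report says interact: a crate that publishes to a private registry rather than using publish = false, a git dependency with no version requirement, and the private registry declared under the licenses section of deny.toml. The registry name "internal", the URLs and the crate names are assumptions.

```toml
# --- .cargo/config.toml (constructed example) ---
# Declares the private registry the crate publishes to.
# "internal" and the index URL are placeholders, not values from the issue.
[registries.internal]
index = "https://registry.example.internal/git/index"

# --- Cargo.toml of the crate being checked (constructed example) ---
[package]
name = "my-service"
version = "0.1.0"
edition = "2021"
# Restricts publishing to the private registry instead of publish = false.
# The report states that the is_private check handled publish = false but not
# this form, because the declared private registries were not passed to it.
publish = ["internal"]

[dependencies]
# A git dependency carries no version requirement, so cargo-deny treats it as
# a wildcard ("*") dependency unless the depending crate is recognised as private.
helper = { git = "https://git.example.internal/team/helper.git", branch = "main" }

# --- deny.toml (constructed example) ---
[licenses]
# Private registries are declared here, in the licenses section, which is the
# configuration the bans check did not receive according to the report.
private = { ignore = true, registries = ["internal"] }

[bans]
wildcards = "deny"
# Intended to permit path/git dependencies in private crates; the report is
# that it only takes effect for publish = false, not for publish = ["internal"].
allow-wildcard-paths = true
```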