Is your feature request related to a problem? Please describe.
Transitive dependency issues for "unmaintained" and "multiple crate versions" should be able to be handled differently from "direct dependency issues" in the project being checked.
Describe the solution you'd like
If a crate I use, e.g. "wasmtime", has an "unmaintained" crate in its hierarchy, I should be able to set that to either warn or ignore, in addition to error, separately from the case where my direct dependencies end up "unmaintained". And I should be able to set that once for all transitive dependencies that become "unmaintained". However, if I directly used that same "unmaintained" crate, I would want to know about that via an error. At the moment I can't: once I disable it so that I don't get issues with wasmtime's dependencies, if it's introduced as a direct dependency it will equally get ignored. The two situations are very different.
The reason is, I have no capability to reasonably correct that wasmtime uses an unmaintained crate, and I am not going to NOT use wasmtime because of it. It's just noise. I shouldn't have to make a specific exclusion for it; I should just be able to configure the tool to say "warn on unmaintained transitive crates", or just ignore it, as the case may be.
The same for multiple crate versions: in any reasonably complex project you get dozens of multiple-version issues, because, unsurprisingly, my direct dependencies rely on crates that have different versions from each other. That's unsolvable, and again it's just noise.
I should be able to configure the tool to either warn or ignore multiple crate versions if it's a dependency of a dependency.
If my project has direct dependencies that use multiple crate versions or become unmaintained, that should be able to error, independent of what is done with transitive dependencies.
Describe alternatives you've considered
For unmaintained, the only option is to exclude them individually.
For multiple crate versions, the only solution I know of is to set it to warn, and then just not get an error if any of my direct dependencies are using multiple versions of a crate.
There may be other transitive issues which should be treated differently from direct issues, but these two have bitten me recently when upgrading cargo-deny to the latest version and updating the config.
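The split the request describes, as an added illustration that is not part of cargo-deny or of the original issue: walk the resolved graph that `cargo metadata --format-version 1` emits, partition every reachable package into "direct" (a workspace member depends on it) or "transitive" (reachable only through another dependency), and apply a separate lint level per scope to the two checks discussed above. `SAMPLE_METADATA` is a constructed miniature of that JSON with only the fields used here; the package ids, crate names and the `UNMAINTAINED` set are hypothetical stand-ins for a real lockfile and an advisory-database lookup, and the per-scope `LEVELS` table is the behaviour the request asks for, not a cargo-deny configuration key.

```python
"""Partition a Cargo dependency graph into direct and transitive dependencies
and apply separate lint levels to each.

Added example, not cargo-deny code. SAMPLE_METADATA is a constructed
miniature of `cargo metadata --format-version 1` output; ids, names and
the UNMAINTAINED set are hypothetical.
"""
import json
from collections import defaultdict, namedtuple

SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "myapp",    "version": "0.1.0",  "id": "myapp 0.1.0"},
        {"name": "wasmtime", "version": "15.0.0", "id": "wasmtime 15.0.0"},
        {"name": "oldcrate", "version": "0.3.0",  "id": "oldcrate 0.3.0"},
        {"name": "util",     "version": "1.0.0",  "id": "util 1.0.0"},
        {"name": "util",     "version": "2.0.0",  "id": "util 2.0.0"},
        {"name": "log",      "version": "0.3.0",  "id": "log 0.3.0"},
        {"name": "log",      "version": "0.4.0",  "id": "log 0.4.0"},
    ],
    "workspace_members": ["myapp 0.1.0"],
    "resolve": {"nodes": [
        {"id": "myapp 0.1.0",     "dependencies": ["wasmtime 15.0.0", "util 2.0.0"]},
        {"id": "wasmtime 15.0.0", "dependencies": ["oldcrate 0.3.0", "util 1.0.0", "log 0.4.0"]},
        {"id": "oldcrate 0.3.0",  "dependencies": ["log 0.3.0"]},
        {"id": "util 1.0.0",      "dependencies": []},
        {"id": "util 2.0.0",      "dependencies": []},
        {"id": "log 0.3.0",       "dependencies": []},
        {"id": "log 0.4.0",       "dependencies": []},
    ]},
})

# Hypothetical: crate names an advisory database marks as unmaintained.
UNMAINTAINED = {"oldcrate"}

# Lint level per check and per scope. This two-level split is the proposed
# behaviour, not an existing cargo-deny setting.
LEVELS = {
    "unmaintained":      {"direct": "deny", "transitive": "warn"},
    "multiple-versions": {"direct": "deny", "transitive": "warn"},
}

Finding = namedtuple("Finding", "level check crate scope")


def classify(meta):
    """Return (direct, transitive) sets of package ids reachable from workspace members."""
    members = set(meta["workspace_members"])
    edges = {n["id"]: n["dependencies"] for n in meta["resolve"]["nodes"]}
    direct = {d for m in members for d in edges.get(m, [])} - members
    reachable, stack = set(), list(direct)
    while stack:                      # depth-first walk of the resolved graph
        pid = stack.pop()
        if pid in reachable or pid in members:
            continue
        reachable.add(pid)
        stack.extend(edges.get(pid, []))
    return direct, reachable - direct


def check(metadata_json, unmaintained, levels):
    """Run both checks; the level is chosen by scope. 'allow' suppresses a finding."""
    meta = json.loads(metadata_json)
    names = {p["id"]: p["name"] for p in meta["packages"]}
    direct, transitive = classify(meta)
    findings = []

    def emit(kind, crate, is_direct):
        scope = "direct" if is_direct else "transitive"
        level = levels[kind][scope]
        if level != "allow":
            findings.append(Finding(level, kind, crate, scope))

    # Unmaintained: scope is simply where the crate sits in the graph.
    for pid in sorted(direct | transitive):
        if names[pid] in unmaintained:
            emit("unmaintained", pid, pid in direct)

    # Multiple versions: treated as "direct" when one of the duplicated
    # versions is something the workspace itself depends on, i.e. a
    # conflict the project could resolve in its own Cargo.toml.
    by_name = defaultdict(set)
    for pid in direct | transitive:
        by_name[names[pid]].add(pid)
    for name, ids in sorted(by_name.items()):
        if len(ids) > 1:
            emit("multiple-versions", name, any(pid in direct for pid in ids))
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_METADATA, UNMAINTAINED, LEVELS):
        print(f"{f.level:5} {f.check:18} {f.crate} ({f.scope})")
```

With the constructed graph, `oldcrate` (only reachable through `wasmtime`) and the two `log` versions (both pulled in below the workspace) come out as warnings, while the duplicate `util` is an error because `myapp` itself pins `util 2.0.0`; swapping `wasmtime` into `UNMAINTAINED` turns it into a direct-scope error, which is the distinction the request wants a single config knob for.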
After the completion of the addition of OnceCell in Rust 1.80+, a cargo-deny user should be able to ban the once_cell / lazy_static crates from being present as direct dependencies.
The crates will be in the transitive tree for quite some time, until every crate that does use once_cell reaches a suitable MSRV to move across. The presence of the crate in the transitive tree currently prevents using cargo-deny to ban these crates.