Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Weak but enabled dependency isn't included in graph #50

Closed
MarijnS95 opened this issue Nov 8, 2022 · 0 comments · Fixed by #51
Closed

Weak but enabled dependency isn't included in graph #50

MarijnS95 opened this issue Nov 8, 2022 · 0 comments · Fixed by #51
Labels
bug Something isn't working

Comments

@MarijnS95
Copy link

MarijnS95 commented Nov 8, 2022
edited
Loading

Describe the bug
Since cargo-deny 0.13.2, which upgraded to krates 0.12.3 we get a strange warning on our repo:

warning[license-exception-not-encountered]: license exception was not encountered
  ┌─ laz-license-repro/deny.toml:8:14
  │
8 │     { name = "laz", allow = ["LGPL-2.1"] },
  │              ^^^^^ unmatched license exception

The laz crate is optional=true included via las, but we enable that feature unconditionally and expect laz to be part of the crate graph:

las = { version = "0.7", features = ["laz"] }

To Reproduce
Steps to reproduce the behavior:

Take this Cargo.toml:

[package]
name = "laz-license-repro"
version = "0.1.0"
license = "Apache-2.0"

[dependencies]
# laz = "0.6"
las = { version = "0.7", features = ["laz"] }

And this deny.toml:

[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "Unicode-DFS-2016",
]
exceptions = [
    { name = "laz", allow = ["LGPL-2.1"] },
]

[[licenses.clarify]]
name = "laz"
expression = "LGPL-2.1"
license-files = [
    # bonus: this crate states `license-file = "COPYING"` but `cargo-deny` insists on using `LICENSE.txt`?
    # { path = "COPYING", hash = 0xc5199cf9 },
    { path = "LICENSE.txt", hash = 0xc5199cf9 },
]

Run cargo-deny and observe:

$ cargo deny check license
warning[license-exception-not-encountered]: license exception was not encountered
  ┌─ laz-license-repro/deny.toml:8:14

8 │     { name = "laz", allow = ["LGPL-2.1"] },
  │              ^^^^^ unmatched license exception

licenses ok

Expected behavior
No warnings. And when laz would be removed from license.exceptions cargo-deny must complain about LGPL-2.1 not being allowed.

Device:

  • OS: Linux
  • Version: Cargo deny 0.13.2 and up

Additional context
Feel free to uncomment # laz = "0.6" and observe what cargo-deny output we expect when this crate is definitely part of the graph. For example, without the license.clarify cargo-deny rightfully complains about error[unlicensed]: laz = 0.6.4 is unlicensed but it doesn't do that anymore when the crate is transitively included via las = { version = "0.7", features = ["laz"] }.
@MarijnS95 MarijnS95 added the bug Something isn't working label Nov 8, 2022
@Jake-Shadle Jake-Shadle mentioned this issue Nov 8, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix index override EmbarkStudios/krates
1 participant
@MarijnS95