cargo-deny
Wildcard version warnings generated for local file dependencies
PR #227 seems to generate wildcard warnings when using standard path dependencies and specifying no version (as one is using the local file version); I don't think that should generate warnings.

Such as:

```toml
[dependencies]
telemetry = { path = "../telemetry" }
```

I think we should only generate wildcard warnings when one is explicitly using the `version` field for the crates.io version.

Note that one can also use both a path dependency and a version dependency, where building locally uses the path dependency and building from a crates.io published dependency uses the specific version. In that case the wildcard warning should still trigger if using a wildcard version:

```toml
[dependencies]
telemetry = { path = "../telemetry", version = "*" }
```
cc @khodzha @Jake-Shadle
I dug around a bit and couldn't find a way to distinguish `{ path = "../telemetry", version = "*" }` and `{ path = "../telemetry" }` based on `cargo metadata` output :disappointed:
Ouch, that is unfortunate. This we do have to have some solution for, as it is very common, hmm. Maybe one has to extend cargo-metadata to distinguish it there (if possible) and expose that?
I don't think that's possible, because not even cargo knows that. (At least in their metadata output.)
This relates a bit to #136, where the intention would be to actually properly parse Cargo.toml manifests for doing error reporting, so having that utility (probably in a separate crate, e.g. krates) would mean you could query both the cargo metadata and the actual entry in the manifest, to distinguish between them for special cases such as this.
It would be nice if I could configure cargo-deny to only warn on / error on wildcard registry dependencies (not git or path dependencies), regardless of whether it was specified explicitly or not.
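The thread's conclusion is that `cargo metadata` cannot tell a path-only dependency apart from one that also writes `version = "*"`, so the distinction has to come from the manifest itself. The following is an added example, not cargo-deny's or krates' code: it reads `Cargo.toml` directly and classifies each dependency by whether a `version` key was actually written, so a lint can report registry wildcards, optionally report path/git dependencies that also declare `version = "*"`, and never report path/git dependencies with no version at all. It goes a little beyond the thread by also walking `dev-dependencies`, `build-dependencies` and `[target.'cfg(...)'.dependencies]` tables. Assumptions: a "wildcard" is a requirement string of exactly `*` (cargo-deny's real rule may be broader), and the `tomllib` module (Python 3.11+, or the `tomli` package) is available; the sample manifest is constructed for the demo.

```python
"""Classify Cargo.toml dependencies by how their version requirement is written.

Added example (not cargo-deny's own code).  It parses the manifest rather than
`cargo metadata`, because the metadata output does not preserve whether a
`version` key was present on a path/git dependency.
Assumption: "wildcard" means the requirement string is exactly "*".
"""
from typing import Iterable, List, Tuple

DEP_TABLES = ("dependencies", "dev-dependencies", "build-dependencies")


def _dep_tables(manifest: dict) -> Iterable[Tuple[str, dict]]:
    """Yield (label, table) for every dependency table in a parsed manifest,
    including target-specific ones such as [target.'cfg(unix)'.dependencies]."""
    for name in DEP_TABLES:
        if name in manifest:
            yield name, manifest[name]
    for target, cfg in manifest.get("target", {}).items():
        for name in DEP_TABLES:
            if name in cfg:
                yield f"target.{target}.{name}", cfg[name]


def classify(spec) -> str:
    """Classify one dependency spec (a bare string or an inline table).

    Returns:
      'wildcard-registry'  - registry dependency whose requirement is "*"
      'wildcard-with-path' - path/git dependency that ALSO writes version = "*"
      'local-only'         - path/git dependency with no version key (fine)
      'ok'                 - any other (non-wildcard) requirement
    """
    if isinstance(spec, str):
        # `serde = "*"` shorthand: there is no path/git, so it is a registry dep.
        return "wildcard-registry" if spec.strip() == "*" else "ok"
    version = spec.get("version")
    has_local = "path" in spec or "git" in spec
    if version is None:
        # No version key at all: exactly the case the issue says must not warn.
        return "local-only" if has_local else "ok"
    if version.strip() != "*":
        return "ok"
    return "wildcard-with-path" if has_local else "wildcard-registry"


def find_wildcards(manifest: dict, include_local: bool = True) -> List[Tuple[str, str, str]]:
    """Return (table, crate, class) for every dependency the wildcard lint should report.

    include_local=True  -> also report path/git deps that explicitly write version = "*"
                           (the issue author's expectation).
    include_local=False -> report registry dependencies only (the last comment's request).
    """
    hits = []
    for table, deps in _dep_tables(manifest):
        for crate, spec in deps.items():
            cls = classify(spec)
            if cls == "wildcard-registry" or (include_local and cls == "wildcard-with-path"):
                hits.append((table, crate, cls))
    return hits


def scan_manifest_text(text: str, include_local: bool = True) -> List[Tuple[str, str, str]]:
    """Parse raw Cargo.toml text (tomllib on 3.11+, tomli otherwise) and run the lint."""
    try:
        import tomllib
    except ImportError:  # pragma: no cover - older interpreters
        import tomli as tomllib
    return find_wildcards(tomllib.loads(text), include_local)


# Constructed sample manifest covering the cases discussed in the thread.
SAMPLE_MANIFEST = """
[dependencies]
telemetry = { path = "../telemetry" }                 # local only: must NOT warn
tracing   = { path = "../tracing", version = "*" }    # explicit wildcard: should warn
serde     = "*"                                       # registry wildcard: should warn
anyhow    = "1.0"                                     # normal requirement
util      = { git = "https://example.invalid/util" }  # git only: must NOT warn

[dev-dependencies]
tempfile = { version = "*" }

[target.'cfg(unix)'.dependencies]
libc = "*"
"""

if __name__ == "__main__":
    for table, crate, cls in scan_manifest_text(SAMPLE_MANIFEST):
        print(f"{table}: {crate} -> {cls}")
    print("registry only:", scan_manifest_text(SAMPLE_MANIFEST, include_local=False))
```

Running the block reports `tracing`, `serde`, `tempfile` and `libc`, and `telemetry` and `util` stay silent; with `include_local=False` only the three registry wildcards remain.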