cargo-deny

Surprising default configuration for advisories

Open djc opened this issue 2 years ago • 1 comments

Describe the bug

I was surprised to note that RUSTSEC-2022-0049 (which I happen to be aware of as a chrono maintainer) only generated a warning. After looking at the documentation I noticed that unsound defaults to warn, which I find quite surprising. Similarly, I think something stricter would be a better default for yanked.

In particular, this feedback pertains to running EmbarkStudios/cargo-deny-action@v1 in CI, where I'm pretty unlikely to notice the warnings -- and I think both of these should be noticeable by default when run in CI.

djc avatar Aug 17 '22 08:08 djc

The defaults were chosen as warn basically because:

  1. unsound advisories are informational and distinct from vulnerabilities, with a lower priority and thus a lower level.
  2. People already complain about new advisories breaking their CI; yanking is in a similar vein, breaking your CI with no meaningful changes in the project.

These could of course be changed; it would just be a breaking change that would require a new version of the action as well.

Jake-Shadle avatar Aug 30 '22 14:08 Jake-Shadle
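For readers who want the stricter behaviour the issue asks for without waiting on a default change, here is an added example of a `deny.toml` `[advisories]` section that opts into it (this is not configuration from the cargo-deny project or either poster; the key names are assumed to match the cargo-deny release current when the issue was filed, and the commented-out default values are taken from the thread):

```toml
# deny.toml -- [advisories] section only; the other sections are omitted.

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]

# Defaults as described in the thread: a vulnerability fails the check,
# while unsound and yanked only produce a warning that is easy to miss
# in CI output.
# vulnerability = "deny"
# unsound = "warn"
# yanked = "warn"

# Stricter settings for CI, so an unsound advisory such as RUSTSEC-2022-0049
# or a yanked crate fails the job instead of scrolling past as a warning.
vulnerability = "deny"
unmaintained = "warn"
unsound = "deny"
yanked = "deny"
notice = "warn"

# Advisories that were reviewed and deliberately accepted go here, each with
# a reason, rather than lowering the level for the whole category.
ignore = [
    # "RUSTSEC-0000-0000", # placeholder id: record the reason and an owner
]
```

Running `cargo deny check advisories` with this file in the repository root makes the CI step exit non-zero on an unsound or yanked dependency, which is the noticeable failure the issue is asking for.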