
Allow setting bans.multiple-versions to level 'note'

Open · ojob opened this issue 2 months ago · 2 comments

Is your feature request related to a problem? Please describe.

I develop a small project at work that then runs as a service on a server. Hence, compile time and binary size are of no concern, and I can live with duplicate dependencies.

Currently, the output of cargo deny check looks like the following:

(... many rows before ...)
warning[duplicate]: found 2 duplicate entries for crate 'zerovec-derive'
    ┌─ /home/joel/si-interne/pdfg/Cargo.lock:368:1
    │
368 │ ╭ zerovec-derive 0.10.3 registry+https://github.com/rust-lang/crates.io-index
369 │ │ zerovec-derive 0.11.1 registry+https://github.com/rust-lang/crates.io-index
    │ ╰──────────────────────────────────────────────────────────────────────────────┘ lock entries
    │
    ├ zerovec-derive v0.10.3
      └── zerovec v0.10.4
          ├── icu_collections v1.5.0
          │  (... etc ...)

 advisories ok: 0 errors, 0 warnings, 0 notes
       bans ok: 0 errors, 32 warnings, 0 notes
   licenses ok: 0 errors, 0 warnings, 384 notes
    sources ok: 0 errors, 0 warnings, 0 notes

This is a lot of interesting stuff, but as it's OK to keep these duplicates for now, I would prefer not to have them reported as warnings, in particular as a CI artifact that is recorded for audits.

So I tried to change the setting of deny.toml bans.multiple-versions to note / info / notice, but this is not permitted:

error[unexpected-value]: expected '["allow", "warn", "deny"]'
    ┌─ /home/joel/si-interne/pdfg/Cargo-deny.toml:168:22
    │
168 │ multiple-versions = "notice"
    │                      ━━━━━━ unexpected value

So it appears that duplicates are either errors, warnings, or untold; there seems to be no way to report them as notes, even if this level exists in final statistics.

Describe the solution you'd like

Allow setting deny.toml bans.multiple-versions to note level, so that these are reported as interesting-but-not-problematic in the statistics.

Describe alternatives you've considered

Setting bans.multiple-versions to allow just hides the duplicates' statistics. So instead of being kind of a false alarm, I just lose the information.

Additional context

n/a

ojob · Oct 02 '25 12:10
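The alternative discussed above (setting bans.multiple-versions to allow, which hides every duplicate) has a middle ground that the issue does not mention: keep the level at warn and record the accepted duplicate explicitly in the config, so the lock-file entry is still visible in deny.toml rather than in the CI log. The following deny.toml fragment is an added example, not part of the issue or of the cargo-deny project's own files; the crate and version values are taken from the report above, and the skip entry syntax is assumed to match cargo-deny's bans.skip / bans.skip-tree tables (check against the version of cargo-deny in use).

```toml
# Added example (not from the issue or the cargo-deny project): a [bans]
# section that keeps multiple-versions at "warn" but silences the one
# duplicate shown in the report above. Other duplicates still surface as
# warnings in CI; the accepted one is documented here instead.
[bans]
# Report duplicate crate versions as warnings. "allow" would hide all of
# them; "note" is rejected by the checker, as the error above shows.
multiple-versions = "warn"

# Accept the specific older version that appears twice in Cargo.lock.
# The entry itself records the accepted technical debt for audits.
# `version` is a semver requirement (assumed syntax, see lead-in).
skip = [
    { name = "zerovec-derive", version = "=0.10.3" },
]

# Alternatively, accept every duplicate pulled in transitively by one
# crate and its dependency tree (uncomment to use).
# skip-tree = [
#     { name = "zerovec", version = "=0.10.4" },
# ]
```

With this in place, `cargo deny check bans` keeps warning about any new duplicate that appears after a dependency update, while the known, accepted pair no longer adds a warning to the recorded CI output; removing the skip entry later makes the duplicate reappear, which is the reminder the issue wants to keep.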

I'm not sure I understand the need for this. The warn setting for the various fields exists precisely for when you want to be notified of something, but not actually fail the check; adding a notice option would just mean that the exact same information would be emitted at a different level but not actually have an effect on whether the check succeeds or not.

Jake-Shadle · Oct 03 '25 08:10

Currently, there are three levels in cargo deny statistics, which in my company we understand as follows:

  • error, which is blocking, as reporting unallowable issues
  • warn, which reports stuff that is of prior interest, and may be declared as non-allowable with --warning=deny
  • note, which is reporting stuff of interest, just for notice

That is, warn level is understood as "something we can live with, but that needs to be fixed in the near future". In short, some sort of technical debt that management should keep in mind.

In the context of the current project, though, duplicate dependencies are not really an issue, so not something to be warned about, but something that we still want to keep in mind, in order to optimize for binary size someday.

Such findings should therefore be configurable to appear at note level, instead of hiding them completely, hence this enhancement request.

ojob · Oct 03 '25 14:10