EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀

Home Page:http://embark.rs


Create config that allows everything

banool opened this issue · comments

I just started with cargo deny and I'm finding myself overwhelmed by the config. I was sort of hoping that if I just deleted everything it would deny nothing by default, but this doesn't seem to be the default behavior.

First off, I think this might be a nicer dev experience, allowing folks to opt in to checks over time. But barring that, I don't suppose there is an example config out there that means cargo deny check does nothing. I'd love to start with that and then add my own things to check.

Thanks a lot!

Most config options have a default lint level that matches the default config that gets generated if you don't have one already or you run init. You can either edit that default config to allow everything, or use -A denied to allow errors, or you can run individual checks like cargo deny check license sources bans advisories and fix each section as you go. IMO these are enough tools to gradually integrate a suitable config for your project, but I suppose I am biased in this regard.

I managed to get a config that allows everything by default like this, at least for my project:

[advisories]
# Lint levels for the RustSec advisory checks; "allow" silences each one.
vulnerability = "allow"
unmaintained = "allow"
notice = "allow"
unsound = "allow"
yanked = "allow"

[licenses]
# Crates with no detectable license, copyleft licenses, and any license not covered by an explicit list.
unlicensed = "allow"
copyleft = "allow"
default = "allow"

[bans]
# Duplicate crate versions, wildcard version requirements, and default-feature usage.
multiple-versions = "allow"
wildcards = "allow"
workspace-default-features = "allow"
external-default-features = "allow"
# No crates are explicitly banned.
deny = []

[sources]
# Crates pulled from registries or git hosts outside the allow lists.
unknown-registry = "allow"
unknown-git = "allow"

I think it'd make sense for this to be the default, otherwise people new to cargo deny will be hit with a bunch of issues out of the gate. But I understand having an opinionated set of default checks too. Just my two cents!
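As an added example (not from this thread or the cargo-deny project), here is the same full-allow config with the security-relevant checks switched on first, following the gradual opt-in approach described above. It assumes the same section and key names the config above uses and that crates.io is the only registry in the default allow list.

```toml
[advisories]
# Step 1: fail on known vulnerabilities; warn on the rest while they are triaged.
vulnerability = "deny"
unsound = "warn"
yanked = "warn"
unmaintained = "allow"
notice = "allow"
# Advisory IDs accepted after review are listed here (none yet; placeholder).
ignore = []

[licenses]
# Still fully permissive; tighten once a license allow list has been agreed.
unlicensed = "allow"
copyleft = "allow"
default = "allow"

[bans]
# Left permissive for now so the build is not blocked on duplicate versions.
multiple-versions = "allow"
wildcards = "allow"
workspace-default-features = "allow"
external-default-features = "allow"
deny = []

[sources]
# Step 2: reject crates from registries or git hosts not in the allow lists.
unknown-registry = "deny"
unknown-git = "deny"
```

Running only the tightened sections, for example cargo deny check advisories sources, shows what the next opt-in step would flag without touching the still-allowed checks.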

We typically want to be somewhat opinionated with this, but maybe one could add your full-allow config to the docs? So new users that want to approach it that way can use that?

That works for me! Want me to open a PR? If you point me to the right place in the docs that'd be helpful.

One other thing I need to change for this default is maybe including something about only checking normal deps, not build and dev deps, but I can't figure that out.

To keep it clean I asked about it here: #563.