Use `cargo-deny` to prevent duplicate dependencies

Question

Use `cargo-deny` to prevent duplicate dependencies

emilk opened this issue a year ago · comments

ureq v2.7.1 imports two different versions of rustls-webpki

    = rustls-webpki v0.100.2
      ├── ureq v2.7.1
      └── webpki-roots v0.23.1
          └── ureq v2.7.1
          
    = rustls-webpki v0.101.4
      └── rustls v0.21.6
          └── ureq v2.7.1

This leads to extra compile time and code bloat.

We can prevent this by running cargo-deny on CI https://github.com/EmbarkStudios/cargo-deny

Martin Algesten · Answer 1 · Wed Aug 23 2023 15:12:41 GMT+0800 (China Standard Time)

Yeah. This would be really nice. A PR changing the github CI would be most welcome!

fredizzimo · Answer 2 · Sun Sep 03 2023 02:58:30 GMT+0800 (China Standard Time)

There's also a security issue in the 0.100.2, version, so it would be nice to get this updated. Dependabot reports it here for us https://github.com/neovide/neovide/security/dependabot/15