Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.17.3 (2022-11-01)

Added

  • cargo audit bin now attempts to detect dependencies in binaries not built with cargo auditable by parsing the panic messages (#729). This only detects about half of the dependency list and never detects C code such as OpenSSL, but works on any Rust binary built with cargo.
  • Added integration tests for the --deny=warnings flag.
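
An added illustration (not cargo-audit's own code) of why the panic-message scanning described for 0.17.3 recovers only part of the dependency list: rustc embeds source file paths in panic messages, so a crate is visible only if one of its panic paths survives in the binary, and C code leaves no such path. The `/registry/src/<index-dir>/<name>-<version>/` layout, the function names and the sample bytes are assumptions made for this example.

```rust
use std::collections::BTreeSet;

// Assumed path layout (Unix-style) for a crates.io dependency in a panic message:
//   .../registry/src/<index-dir>/<name>-<version>/src/...
const MARKER: &[u8] = b"/registry/src/";

/// Recover (crate, version) pairs from source paths embedded in a binary.
pub fn crates_from_panic_paths(bin: &[u8]) -> BTreeSet<(String, String)> {
    let mut found = BTreeSet::new();
    let mut pos = 0;
    while let Some(off) = bin[pos..].windows(MARKER.len()).position(|w| w == MARKER) {
        pos += off + MARKER.len();
        // Next two path components: the index directory, then `<name>-<version>`.
        let mut parts = bin[pos..].split(|&b| b == b'/');
        if let (Some(_index), Some(dir)) = (parts.next(), parts.next()) {
            found.extend(split_name_version(dir));
        }
    }
    found
}

/// Split at the first hyphen followed by MAJOR.MINOR.PATCH, because crate
/// names may themselves contain hyphens and digits (e.g. `md-5`).
fn split_name_version(dir: &[u8]) -> Option<(String, String)> {
    let s = std::str::from_utf8(dir).ok()?;
    // Reject binary garbage that merely happens to follow the marker.
    if s.len() > 128 || !s.chars().all(|c| c.is_ascii_alphanumeric() || "-_.+".contains(c)) {
        return None;
    }
    s.match_indices('-').find_map(|(i, _)| {
        let (name, ver) = (&s[..i], &s[i + 1..]);
        (!name.is_empty() && is_version(ver)).then(|| (name.to_string(), ver.to_string()))
    })
}

fn is_version(v: &str) -> bool {
    let core = v.split(|c| c == '-' || c == '+').next().unwrap_or("");
    let nums: Vec<&str> = core.split('.').collect();
    nums.len() == 3 && nums.iter().all(|n| !n.is_empty() && n.bytes().all(|b| b.is_ascii_digit()))
}

/// Constructed sample standing in for a binary's string data (not a real file).
pub const SAMPLE: &[u8] = b"\x7fELF\0/ci/.cargo/registry/src/index.example-0000/md-5-0.10.5/src/lib.rs\0\
/ci/.cargo/registry/src/index.example-0000/hashbrown-0.12.3/src/map.rs\0\
/usr/src/openssl/ssl/ssl_lib.c\0src/main.rs\0";

fn main() {
    crates_from_panic_paths(SAMPLE).iter().for_each(|(n, v)| println!("{} {}", n, v));
}
```

On the sample, the OpenSSL C path and the application's own `src/main.rs` yield nothing, which is the blind spot the entry above describes.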

Fixed

  • cargo audit bin --deny=warnings no longer exits after finding the first binary with warnings.

Changed

  • Up to 5x faster cargo audit bin when scanning multiple files thanks to caching crates.io index lookups (implemented in rustsec crate).
  • Notices about cargo audit or rustsec will now result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1). They are treated as warnings by default, so --deny=warnings is required to observe the new behavior.

0.17.2 (2022-10-07)

Changed

  • Fixed the screenshot URL in README.md

0.17.1 (2022-10-07)

Added

0.17.0 (2022-05-23)

Changed

  • Update Abscissa to 0.6; replace gumdrop with clap v3 (#525)
  • 2021 edition upgrade (#539)
  • MSRV 1.57 (#539, #574)
  • Bump rustsec to v0.26 (#574)

Fixed

  • Terminal output fixups (#570)

Removed

  • Unused lazy_static from dependencies (#500)
  • Deprecated --deny-warnings CLI option (#545)

0.16.0 (2021-11-15)

Changed

  • Bump rustsec dependency to v0.25; MSRV 1.52 (#480)

Fixed

  • Parse --color=auto correctly (#436)

0.15.2 (2021-09-11)

Added

  • vendored-libgit2 feature (#432)

0.15.1 (2021-09-10)

Changed

  • Pin thiserror and zeroize to avoid MSRV breakages (#415)

0.15.0 (2021-07-01)

Added

  • New exit status (2) for Cargo.lock parsing errors (#368)

Changed

  • Bump rustsec crate dependency to v0.24 (#388)

0.14.1 (2021-04-29)

Added

  • Generate release builds with GitHub Actions (#337)

Changed

  • Bump rustsec from 0.23.2 to 0.23.3 (#333)

0.14.0 (2021-03-07)

Changed

  • When running in no-fetch mode, allow accessing a non-git repo (#315)
  • Enable informational warnings with deny (#320)
  • Bump rustsec dependency to v0.23 (#327)
  • MSRV 1.46+ (#327)

0.13.1 (2020-10-27)

Changed

  • Split -D/--deny and --deny-warnings (#278)
  • Bump rustsec crate to v0.22.2 (#277)

Fixed

  • JSON serialization (#277)

0.13.0 (2020-10-26) [YANKED]

Added

  • Support for project specific config directories (#252)

Changed

  • Bump rustsec crate to v0.22; MSRV 1.41+ (#271)
  • JSON report format changes (#271)
  • Presenter improvements (#268)
  • Make warning types an argument (#206)

Fixed

  • --dry-run no longer requires an argument (#231)

0.12.1 (2020-09-22)

  • Pin smol_str to v0.1.16 to ensure MSRV 1.41 compatibility (#255, #258)

0.12.0 (2020-05-06)

  • Update rustsec crate to v0.20 (#221)
  • Regenerate lockfile after cargo audit fix (#219)
  • Update dependencies; MSRV 1.40+ (#216)

0.11.2 (2020-02-07)

  • Improve yanked crate auditing messages and config (#200)
  • Fix -c/--color command line argument (#199)

0.11.1 (2020-01-24)

  • Add vendored-openssl feature (#193)

0.11.0 (2020-01-22)

  • Update rustsec crate to v0.17 release; MSRV 1.39+ (#186, #188)
  • Warn for yanked crates (#180)
  • Respect sources of dependencies when auditing (#175)
  • Upgrade to abscissa v0.5 (#174)
  • cargo audit fix subcommand (#157, #166, #181)

0.10.0 (2019-10-13)

  • Upgrade rustsec to v0.16; new self-audit system (#155)
  • Upgrade to Abscissa v0.4; MSRV 1.36 (#154)

0.9.3 (2019-10-08)

  • Update to rustsec crate v0.15.2 (#149)
  • presenter: Cleanups for informational advisories (#148)
  • presenter: Print better message when no solution is available (#144)

0.9.2 (2019-10-01)

  • Update to rustsec crate v0.15 (#138)

0.9.1 (2019-09-25)

  • Update to rustsec crate v0.14.1 (#134)

0.9.0 (2019-09-25)

  • Add --deny-warnings option (#128)
  • Upgrade to rustsec crate v0.14 (#126)
  • Configuration file: ~/.cargo/audit.toml (#123, #125)
  • Fix --help (#113)
  • Warn for outdated rustsec crate versions (#112)
  • Display warnings for select informational advisories (#110)
  • Display dependency trees with each advisory (#109)

0.8.1 (2019-08-25)

  • Fix --version (#101)

0.8.0 (2019-08-16)

  • Use the Abscissa application framework (#85, #87, #92, #94)
  • Implement --no-fetch (#97)
  • Add support for reading lockfiles from STDIN (#98)

0.7.0 (2019-07-15)

  • Switch from term to termcolor crate (#83)
  • Update gumdrop to v0.6, rustsec crate to v0.12; min Rust 1.32+ (#82)
  • Produce valid JSON when no vulnerabilities are detected (#77)
  • Implement --ignore option (#75)

0.6.1 (2018-12-16)

  • Fix option parsing (#64)

0.6.0 (2018-12-15)

  • Update to Rust 2018 edition (#61)
  • Update to rustsec crate v0.10 (#59)
  • Prevent --help from exiting with error (#57)
  • Add --json flag for JSON output (#41)

0.5.2 (2018-07-29)

  • Have cargo audit version exit with status 0 (#38)

0.5.1 (2018-07-29)

  • Refactoring and UI improvements (#37)

0.5.0 (2018-07-29)

  • Upgrade rustsec crate to 0.9 (#36)

0.4.0 (2018-07-24)

  • Honor the affected_platforms attribute (#35)
  • Update rustsec crate dependency to 0.8 series (#34)
  • Update term crate dependency to 0.5 series (#31)

0.3.2 (2018-07-23)

  • README.md: Use <img> tag for screenshot so it renders on crates.io (#28)

0.3.1 (2018-07-23)

  • Use OR delimiter to display patched versions (#25)
  • Fix cargo audit --version (#24)

0.3.0 (2018-07-23)

  • Near rewrite of cargo-audit using rustsec 0.7.0 (#22)

0.2.1 (2017-09-24)

  • Use crate isatty to resolve Windows build errors (#14)

0.2.0 (2017-03-05)

  • Upgrade to rustsec 0.6.0 crate (#12)
  • Configurable colors (#10)
  • Avoid panicking if there are no dependencies (#8)
  • Handle error and instruct the user to generate a lockfile before audit (#6)

0.1.1 (2017-02-27)

  • Make cargo-audit a proper cargo subcommand (#2)

0.1.0 (2017-02-27)

  • Initial release