- Updated the caching code to handle the recent changes to crates.io dump format
- Fixed the tool reporting transitive optional dependencies that are disabled by features as part of supply chain surface
- Removed test JSON data from the git tree, matching the crates.io package to the git state again
- Upgraded to cargo-metadata v0.23
- Fixed support for Windows by switching from `xdg` crate to `dirs` crate for discovering the cache directory
- Improved the message displayed when the latest data dump is considered outdated (contribution by @smoelius)
- Bumped dependencies in Cargo.lock by running `cargo update`
- Resolved some Clippy lints
- Add `--no-dev` flag to omit dev dependencies (contribution by @smoelius)
- Upgrade to `bpaf` 0.7
- Fix `--features` flag not being honored if `--target` is also passed
- Renamed `--cache_max_age` to `--cache-max-age` for consistency with Cargo flags
- Accept flags such as `--target` directly, without relying on the escape hatch of passing cargo metadata arguments after `--`
- No longer default to `--all-features`, handle features via the same flags as Cargo itself
- The json schema is now printed separately, use `cargo supply-chain json --print-schema` to get it
- Dropped the `help` subcommand. Use `--help` instead, e.g. `cargo supply-chain crates --help`
Internal improvements:
- Migrate to bpaf CLI parser, chosen for its balance of expressiveness vs complexity and supply chain sprawl
- Add tests for the CLI interface
- Do not regenerate the JSON schema on every build; saves a bit of build time and a bit of dependencies in production builds
- Added `json` subcommand providing structured output and more details
- Added `-d`, `--diffable` flag for diff-friendly output mode to all subcommands
- Reduced the required download size for `update` subcommand from ~350Mb to ~60Mb
- Added a detailed progress bar to all subcommands using `indicatif`
- Fixed interrupted `update` subcommand considering its cache to be fresh. Other subcommands were not affected and would simply fetch live data.
- If a call to `cargo metadata` fails, show an error instead of panicking
- The list of crates in the output of `publishers` subcommand is now sorted
- Fix help text sometimes being misaligned
- Change download progress messages to start counting from 1 rather than from 0
- Only print warnings about crates.io that are immediately relevant to listing dependencies and publishers
- Drop extraneous files from the tarball uploaded to crates.io
- Drop `authors` subcommand
- Add `help` subcommand providing detailed help for each subcommand
- Bring help text more in line with Cargo help text
- Warn about a large amount of data to be downloaded in `update` subcommand
- Buffer reads and writes to cache files for a 6x speedup when using cache
- Report failure instead of panicking on network failure in `update` subcommand
- Correctly handle errors returned by the remote server
- In case of network failure, retry with exponential backoff up to 3 times
- Use local certificate store instead of bundling the trusted CA certificates
- Refactor argument parsing to use `pico-args` instead of hand-rolled parser
- `crates` - Shows the people or groups with publisher rights for each crate.
- `publishers` - Is the reverse of `crates`, grouping by publisher instead.
- `update` - Caches the data dumps from `crates.io` to avoid crawling the web service when looking up publisher and author information.
Initial release, supports one command:
- `authors` - Crawl through Cargo.toml of all crates and list their authors. Authors might be listed multiple times. For each author, differentiate if they are known by being mentioned in a crate from the local workspace or not. Support for crawling `crates.io` sourced packages is planned.
- `publishers` - Doesn't do anything right now.