This way it's easier to manipulate the URL at will. Since there is no validation, users of URLs should never take a parsed structure, but instead take the path or URL directly to parse it themselves.

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Byron <63622+Byron@users.noreply.github.com>

3cfd7fa (#1927) removed `LicenseRef-ring` from the `cargo deny`
license allowlist, because we no longer used any `ring` version old
enough to involve the old custom license. But the associated entry
in the `license.clarify` array that defined `LicenseRef-ring` was
not removed, even though it's not needed either given that the
license it clarifies is no longer referenced. This cleans that up.

This turns the comment in `cargo.deny` explaining why we currently
ignore the informational advisory RUSTSEC-2024-0436 in `paste` into
data that could be parsed and displayed by tools, by using the form
with `id` and `reason` fields, where the old comment text is the
value of the `reason` field.
This is one of the forms documented in:
https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-ignore-field-optional

Before this change, we get a warning:

    $ cargo deny --workspace --all-features check licenses
    warning[license-not-encountered]: license was not encountered
    ┌─ /home/ek/source/repos/gitoxide/deny.toml:32:6
    │
    32 │ "LicenseRef-ring",
    │ ━━━━━━━━━━━━━━━ unmatched license allowance
    licenses ok

The same warning is shown in the `cargo-deny` job check on CI.
This happens because `ring` no longer uses a custom/nonstandard
license, instead using `Apache-2.0 AND ISC` since version 0.17.10.
(See https://github.com/briansmith/ring/pull/2402 and
https://crates.io/crates/ring/versions for details.)
Nothing in this workspace depends directly or indirectly on old
versions of `ring` that use that license, so this removes it from
the list of licenses in `deny.toml`.

`cargo deny` warned that "Unicode-DFS-2016" appeared in the list of
allowed licenses but was not used by any dependency. This list had
both "Unicode-3.0" and "Unicode-DFS-2016".
Possibly relevant is that `unicode-ident` updated its license
in 1.0.14 (https://github.com/dtolnay/unicode-ident/pull/28),
changing from "Unicode-DFS-2016" to "Unicode-3.0".
The "Unicode-3.0" license was added to `deny.toml` in 5173e9a
(#1668), but "Unicode-DFS-2016" was not removed at that time. It
looks like some Unicode-related packages still used that license at
that time. But it does not seem to be needed here anymore.

In 0e9299c (#1854), RUSTSEC-2025-0007 was listed as ignored to let
`cargo deny advisories` pass. That advisory has been withdrawn, as
noted in https://rustsec.org/advisories/RUSTSEC-2025-0007.html:
> After this advisory was published, the author graciously agreed
> to give access to the rustls team. The rustls team is committed
> to providing security (only) maintenance for *ring* for the
> foreseeable future.
It is no longer necessary to list that advisory as ignored.
This reverts commit 0e9299c65e.

It's notable that this happens with `url` 2.5.1 which comes with
`idna` 1.0. It contains many fixes, for instance it seems to not
be vulnerable anymore to long input, but it fails with a seemingly
simple URL.

Previously ceiling directories that were UNC paths would not work together
with directories which were not due to different bases.
Now ceiling directories will be converted to non-UNC paths before using them.

To make this work, we leave the `reqwest` configuration to downstream crates.
Note that this means downstream will have to select their TLS settings
themselves, so builds may fail after upgrade until this is done.
An example for a `reqwest` configuration can be found in the
`gitoxide` Cargo.toml in the root of the `gitoxide` repository.