# Changelog
All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## 0.21.0 (2024-10-29)

### Added
- V4 lockfile support ([#1275])

### Changed
- Bump `auditable-info` => 0.8; `auditable-serde` => v0.7 ([#1229])
- Bump `abscissa` to v0.8 ([#1262])
- Bump `rustsec` to v0.30; adds V4 lockfile support ([#1275])

[#1229]: https://github.com/rustsec/rustsec/pull/1229
[#1262]: https://github.com/rustsec/rustsec/pull/1262
[#1275]: https://github.com/rustsec/rustsec/pull/1275

## 0.20.1 (2024-08-16)

TODO

## 0.20.0 (2024-02-16)

### Changed

 - Completely rewritten `cargo audit fix` subcommand ([#1113])
   - Now it edits `Cargo.lock` as opposed to `Cargo.toml`, and performs only semver-compatible upgrades.
   - Fixes are performed by calling `cargo update`, migrating away from the unmaintained `cargo-edit-9` crate.
   - The subcommand is still experimental, and its behavior may change in the future. It still requires enabling the non-default `fix` feature.
 - Require `tame-index` 0.9.3 or later, fixing [issues with some enterprise firewalls](https://github.com/rustsec/rustsec/issues/1058). ([#1103])

[#1103]: https://github.com/rustsec/rustsec/pull/1103
[#1113]: https://github.com/rustsec/rustsec/pull/1113

## 0.19.0 (2024-02-03)

### Fixed

 - Fix `--color=auto` always printing terminal escape sequences ([#1057])

### Changed

 - Display the chain of errors instead of just the top-level error for more complete error reporting ([#1063])
 - Upgrade to clap 4.x and abscissa-core 0.7.x. This may have introduced minor changes to the command-line interface. This is the reason for the minor version bump. ([#1092])

[#1057]: https://github.com/rustsec/rustsec/pull/1057
[#1063]: https://github.com/rustsec/rustsec/pull/1063
[#1092]: https://github.com/rustsec/rustsec/pull/1092

## 0.18.3 (2023-10-24)

### Fixed

 - Fix a deadlock when the `Cargo.lock` file is missing. It only occurs with `rustsec` v0.28.3 or later. ([#1051])

[#1051]: https://github.com/rustsec/rustsec/pull/1051

## 0.18.2 (2023-09-25)

### Fixed

- Fix [RUSTSEC-2023-0064](https://rustsec.org/advisories/RUSTSEC-2023-0064.html) security issue by requiring `rustsec` 0.28.2 or higher.

[#980]: https://github.com/rustsec/rustsec/pull/980

## 0.18.1 (2023-08-31)

### Fixed

- Release workflow: don't enable `fix` and `vendored-openssl` features ([#980])

[#980]: https://github.com/rustsec/rustsec/pull/980

## 0.18.0 (2023-08-31)

### Added

 - Implement proper attribution for advisories licensed under CC-BY ([#955])
 - `cargo audit bin` no longer shows warnings not applicable to the binary type (e.g. no more reports of Windows-only unsoundness in ELF binaries). Previously this was implemented for vulnerabilities, but not warnings. ([#964])

### Changed

 - Upgraded to `rustsec` v0.28, bringing performance, security and compatibility improvements, but also temporarily dropping support for CPU platforms other than x86 and ARM. See the [rustsec changelog](https://github.com/rustsec/rustsec/blob/main/rustsec/CHANGELOG.md) for details.

[#955]: https://github.com/rustsec/rustsec/pull/955
[#964]: https://github.com/rustsec/rustsec/pull/964

## 0.17.6 (2023-05-10)

### Added

 - Upgraded to `cargo-lock` v9.0.0, which enables support for sparse registries.
 - When scanning binary files, the binary's platform is taken into account. This prevents scenarios such as Windows-only vulnerabilities being reported on Linux binaries ([#814])

### Fixed

 - Advisories about `cargo audit` itself are no longer printed multiple times when scanning multiple files ([#848])

[#848]: https://github.com/rustsec/rustsec/pull/848

## 0.17.5 (2023-03-23)

### Added

 - Vulnerability severity is now included in the `cargo audit` output, if known ([#825])

### Changed

 - Advisories marked `informational = unsound` are now reported by default, but only as warnings ([#819]). They do not cause the audit to fail, i.e. the exit code of the process is still 0. This behavior can be suppressed through the configuration file.

### Fixed

 - The help text now correctly refers to the command as `cargo audit` instead of `cargo audit audit` ([#824])
 - The `--version` argument now works correctly, reporting the current version ([#838])

[#819]: https://github.com/rustsec/rustsec/pull/819
[#824]: https://github.com/rustsec/rustsec/pull/824
[#825]: https://github.com/rustsec/rustsec/pull/825
[#838]: https://github.com/rustsec/rustsec/pull/838

## 0.17.4 (2022-11-08)
### Fixed

 - Checks for yanked crates were broken since 0.17.0. This release restores them and adds tests to prevent future regressions.

### Changed
 - Binary scanning is enabled by default and documented as such. It can still be disabled by disabling the `binary-scanning` feature.

## 0.17.3 (2022-11-01)
### Added

 - `cargo audit bin` now attempts to detect dependencies in binaries not built with [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) by parsing the panic messages ([#729]). This only detects about a half of the dependency list and never detects C code such as OpenSSL, but works on any Rust binaries built with `cargo`.
 - Added integration tests for the `--deny=warnings` flag.

### Fixed

 - `cargo audit bin --deny=warnings` no longer exits after finding the first binary with warnings.

### Changed

 - Up to 5x faster `cargo audit bin` when scanning multiple files thanks to caching crates.io index lookups (implemented in `rustsec` crate).
 - Notices about `cargo audit` or `rustsec` will now result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1). They are treated as warnings by default, so `--deny=warnings` is required to observe the new behavior.
 - The `binary-scanning` feature that adds the `cargo audit bin` subcommand is now enabled by default, but is not documented as such.

[#729]: https://github.com/rustsec/rustsec/pull/729

## 0.17.2 (2022-10-07)
### Changed

 - Fixed the screenshot URL in README.md

## 0.17.1 (2022-10-07)
### Added

 - Initial support for scanning binaries built with [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable)

## 0.17.0 (2022-05-23)
### Changed
- Update Abscissa to 0.6; replace `gumdrop` with `clap` v3 ([#525])
- 2021 edition upgrade ([#539])
- MSRV 1.57 ([#539], [#574])
- Bump `rustsec` to v0.26 ([#574])

### Fixed
- Terminal output fixups ([#570])

### Removed
- Unused `lazy_static` from dependencies ([#500])
- Deprecated `--deny-warnings` CLI option ([#545])

[#500]: https://github.com/rustsec/rustsec/pull/500
[#525]: https://github.com/rustsec/rustsec/pull/525
[#539]: https://github.com/rustsec/rustsec/pull/539
[#545]: https://github.com/rustsec/rustsec/pull/54qgq5
[#570]: https://github.com/rustsec/rustsec/pull/570
[#574]: https://github.com/rustsec/rustsec/pull/574

## 0.16.0 (2021-11-15)
### Changed
- Bump `rustsec` dependency to v0.25; MSRV 1.52 ([#480])

### Fixed
- Parse `--color=auto` correctly ([#436])

[#436]: https://github.com/rustsec/rustsec/pull/436
[#480]: https://github.com/rustsec/rustsec/pull/480

## 0.15.2 (2021-09-11)
### Added
- `vendored-libgit2` feature ([#432])

[#432]: https://github.com/rustsec/rustsec/pull/432

## 0.15.1 (2021-09-10)
### Changed
- Pin `thiserror` and `zeroize` to avoid MSRV breakages ([#415])

[#415]: https://github.com/rustsec/rustsec/pull/415

## 0.15.0 (2021-07-01)
### Added
- New exit status (`2`) for Cargo.lock parsing errors ([#368])

### Changed
- Bump `rustsec` crate dependency to v0.24 ([#388])

[#368]: https://github.com/RustSec/cargo-audit/pull/368
[#388]: https://github.com/RustSec/cargo-audit/pull/388

## 0.14.1 (2021-04-29)
### Added
- Generate release builds with github actions ([#337])

### Changed
- Bump rustsec from 0.23.2 to 0.23.3 ([#333])

[#333]: https://github.com/RustSec/cargo-audit/pull/333
[#337]: https://github.com/RustSec/cargo-audit/pull/337

## 0.14.0 (2021-03-07)
### Changed
- When running in no-fetch mode, allow accessing a non-git repo ([#315])
- Enable informational warnings with deny ([#320])
- Bump `rustsec` dependency to v0.23 ([#327]) 
- MSRV 1.46+ ([#327])

[#315]: https://github.com/RustSec/cargo-audit/pull/315
[#320]: https://github.com/RustSec/cargo-audit/pull/320
[#327]: https://github.com/RustSec/cargo-audit/pull/327

## 0.13.1 (2020-10-27)
### Changed
- Split `-D`/`--deny` and `--deny-warnings` ([#278])
- Bump `rustsec` crate to v0.22.2 ([#277])

### Fixed
- JSON serialization ([#277])

[#278]: https://github.com/RustSec/cargo-audit/pull/278
[#a277]: https://github.com/RustSec/cargo-audit/pull/277

## 0.13.0 (2020-10-26) [YANKED]
### Added
- Support for project specific config directories ([#252]) 

### Changed
- Bump `rustsec` crate to v0.22; MSRV 1.41+ ([#271])
- JSON report format changes ([#271])
- Presenter improvements ([#268])
- Make warning types an argument ([#206])

### Fixed
- `fix --dry-run` no longer requires argument ([#231])

[#271]: https://github.com/RustSec/cargo-audit/pull/258
[#268]: https://github.com/RustSec/cargo-audit/pull/268
[#255]: https://github.com/RustSec/cargo-audit/pull/255
[#252]: https://github.com/RustSec/cargo-audit/pull/252
[#231]: https://github.com/RustSec/cargo-audit/pull/231
[#206]: https://github.com/RustSec/cargo-audit/pull/206

## 0.12.1 (2020-09-22)
- Pin `smol_str` to v0.1.16 to ensure MSRV 1.41 compatibility ([#255], [#258])

[#258]: https://github.com/RustSec/cargo-audit/pull/258
[#255]: https://github.com/RustSec/cargo-audit/pull/255

## 0.12.0 (2020-05-06)
- Update `rustsec` crate to v0.20 ([#221])
- Regenerate lockfile after `cargo audit fix` ([#219])
- Update dependencies; MSRV 1.40+ ([#216])

[#221]: https://github.com/RustSec/cargo-audit/pull/221
[#219]: https://github.com/RustSec/cargo-audit/pull/219
[#216]: https://github.com/RustSec/cargo-audit/pull/216

## 0.11.2 (2020-02-07)
- Improve yanked crate auditing messages and config ([#200])
- Fix `-c`/`--color` command line argument ([#199])

[#200]: https://github.com/RustSec/cargo-audit/pull/200
[#199]: https://github.com/RustSec/cargo-audit/pull/199

## 0.11.1 (2020-01-24)
- Add `vendored-openssl` feature ([#193])

[#193]: https://github.com/RustSec/cargo-audit/pull/193

## 0.11.0 (2020-01-22)
- Update `rustsec` crate to v0.17 release; MSRV 1.39+ ([#186], [#188])
- Warn for yanked crates ([#180])
- Respect sources of dependencies when auditing ([#175])
- Upgrade to `abscissa` v0.5 ([#174])
- `cargo audit fix` subcommand ([#157], [#166], [#181])

[#188]: https://github.com/RustSec/cargo-audit/pull/188
[#186]: https://github.com/RustSec/cargo-audit/pull/186
[#181]: https://github.com/RustSec/cargo-audit/pull/181
[#180]: https://github.com/RustSec/cargo-audit/pull/180
[#175]: https://github.com/RustSec/cargo-audit/pull/175
[#174]: https://github.com/RustSec/cargo-audit/pull/174
[#166]: https://github.com/RustSec/cargo-audit/pull/166
[#157]: https://github.com/RustSec/cargo-audit/pull/157

## 0.10.0 (2019-10-13)
- Upgrade `rustsec` to v0.16; new self-audit system ([#155])
- Upgrade to Abscissa v0.4; MSRV 1.36 ([#154])

[#155]: https://github.com/RustSec/cargo-audit/pull/155
[#154]: https://github.com/RustSec/cargo-audit/pull/154

## 0.9.3 (2019-10-08)
- Update to `rustsec` crate v0.15.2 ([#149])
- presenter: Cleanups for informational advisories ([#148])
- presenter: Print better message when no solution is available ([#144])

[#149]: https://github.com/RustSec/cargo-audit/pull/149
[#148]: https://github.com/RustSec/cargo-audit/pull/148
[#144]: https://github.com/RustSec/cargo-audit/pull/144

## 0.9.2 (2019-10-01)
- Update to `rustsec` crate v0.15 ([#138])

[#138]: https://github.com/RustSec/cargo-audit/pull/138

## 0.9.1 (2019-09-25)
- Update to `rustsec` crate v0.14.1 ([#134])

[#134]: https://github.com/RustSec/cargo-audit/pull/134

## 0.9.0 (2019-09-25)
- Add `--deny-warnings` option ([#128])
- Upgrade to `rustsec` crate v0.14 ([#126])
- Configuration file: `~/.cargo/audit.toml` ([#123], [#125])
- Fix `--help` ([#113])
- Warn for outdated `rustsec` crate versions ([#112])
- Display warnings for select informational advisories ([#110])
- Display dependency trees with each advisory ([#109])

[#128]: https://github.com/RustSec/cargo-audit/pull/128
[#126]: https://github.com/RustSec/cargo-audit/pull/126
[#125]: https://github.com/RustSec/cargo-audit/pull/125
[#123]: https://github.com/RustSec/cargo-audit/pull/123
[#113]: https://github.com/RustSec/cargo-audit/pull/113
[#112]: https://github.com/RustSec/cargo-audit/pull/112
[#110]: https://github.com/RustSec/cargo-audit/pull/110
[#109]: https://github.com/RustSec/cargo-audit/pull/109

## 0.8.1 (2019-08-25)
- Fix `--version` ([#101])

[#101]: https://github.com/RustSec/cargo-audit/pull/101

## 0.8.0 (2019-08-16)
- Use the Abscissa application framework ([#85], [#87], [#92], [#94])
- Implement `--no-fetch` ([#97])
- Add support for reading lockfiles from STDIN ([#98])

[#98]: https://github.com/RustSec/cargo-audit/pull/98
[#97]: https://github.com/RustSec/cargo-audit/pull/97
[#94]: https://github.com/RustSec/cargo-audit/pull/94
[#92]: https://github.com/RustSec/cargo-audit/pull/92
[#87]: https://github.com/RustSec/cargo-audit/pull/87
[#85]: https://github.com/RustSec/cargo-audit/pull/85

## 0.7.0 (2019-07-15)
- Switch from `term` to `termcolor` crate ([#83])
- Update `gumdrop` to v0.6, `rustsec` crate to v0.12; min Rust 1.32+ ([#82])
- Produce valid JSON when no vulnerabilities are detected ([#77])
- Implement `--ignore` option ([#75])

[#83]: https://github.com/RustSec/cargo-audit/pull/83
[#82]: https://github.com/RustSec/cargo-audit/pull/82
[#77]: https://github.com/RustSec/cargo-audit/pull/77
[#75]: https://github.com/RustSec/cargo-audit/pull/75

## 0.6.1 (2018-12-16)
- Fix option parsing ([#64])

[#64]: https://github.com/RustSec/cargo-audit/pull/64

## 0.6.0 (2018-12-15)
- Update to Rust 2018 edition ([#61])
- Update to `rustsec` crate v0.10 ([#59])
- Prevent `--help` from exiting with error ([#57])
- Add `--json` flag for JSON output ([#41])

[#61]: https://github.com/RustSec/cargo-audit/pull/61
[#59]: https://github.com/RustSec/cargo-audit/pull/59
[#57]: https://github.com/RustSec/cargo-audit/pull/57
[#41]: https://github.com/RustSec/cargo-audit/pull/41

## 0.5.2 (2018-07-29)
- Have `cargo audit version` exit with status `0` ([#38])

[#38]: https://github.com/RustSec/cargo-audit/pull/38

## 0.5.1 (2018-07-29)
- Refactoring and UI improvements ([#37])

[#37]: https://github.com/RustSec/cargo-audit/pull/37

## 0.5.0 (2018-07-29)
- Upgrade `rustsec` crate to 0.9 ([#36])

[#36]: https://github.com/RustSec/cargo-audit/pull/36

## 0.4.0 (2018-07-24)
- Honor the `affected_platforms` attribute ([#35])
- Update `rustsec` crate dependency to `0.8` series ([#34])
- Update `term` crate dependency to `0.5` series ([#31])

[#35]: https://github.com/RustSec/cargo-audit/pull/35
[#34]: https://github.com/RustSec/cargo-audit/pull/34
[#31]: https://github.com/RustSec/cargo-audit/pull/31

## 0.3.2 (2018-07-23)
- README.md: Use `<img>` tag for screenshot so it renders on crates.io ([#28])

[#28]: https://github.com/RustSec/cargo-audit/pull/28

## 0.3.1 (2018-07-23)
- Use ` OR ` delimiter to display patched versions ([#25])
- Fix `cargo audit --version` ([#24])

[#25]: https://github.com/RustSec/cargo-audit/pull/25
[#24]: https://github.com/RustSec/cargo-audit/pull/24

## 0.3.0 (2018-07-23)
- Near rewrite of cargo-audit using `rustsec` 0.7.0 ([#22])

[#22]: https://github.com/RustSec/cargo-audit/pull/22

## 0.2.1 (2017-09-24)
- Use crate isatty to resolve Windows build errors ([#14])

[#14]: https://github.com/RustSec/cargo-audit/pull/14

## 0.2.0 (2017-03-05)
- Upgrade to rustsec 0.6.0 crate ([#12])
- Configurable colors ([#10])
- Avoid panicking if there are no dependencies ([#8])
- Handle error and instruct the user to generate a lockfile before audit ([#6])

[#12]: https://github.com/RustSec/cargo-audit/pull/12
[#10]: https://github.com/RustSec/cargo-audit/pull/10
[#8]: https://github.com/RustSec/cargo-audit/pull/8
[#6]: https://github.com/RustSec/cargo-audit/pull/6

## 0.1.1 (2017-02-27)
- Make cargo-audit a proper cargo subcommand ([#2])

[#2]: https://github.com/RustSec/cargo-audit/pull/2

## 0.1.0 (2017-02-27)
- Initial release