EmbarkStudios · Jake-Shadle · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025
@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Changed
+- [PR#773](https://github.com/EmbarkStudios/cargo-deny/pull/773) changed cargo-deny's duplicate detection to automatically ignore versions whose only dependent is another version of the same crate.
+
 ## [0.18.2] - 2025-03-10
 ### Added
 - [PR#753](https://github.com/EmbarkStudios/cargo-deny/pull/753) resolved [#752](https://github.com/EmbarkStudios/cargo-deny/issues/752) by adding back the `advisories.unmaintained` config option. See the [docs](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional) for how it can be used. The default matches the current behavior, which is to error on any `unmaintained` advisory, but adding `unmaintained = "workspace"` to the `[advisories]` table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace.

@@ -65,7 +65,7 @@ fern = "0.7"
 # Glob matching
 globset = "0.4"
 # Native executable detection
-goblin = { version = "0.9", default-features = false, features = [
+goblin = { version = "0.10", default-features = false, features = [
   "elf32",
   "elf64",
   "mach32",
@@ -105,7 +105,7 @@ spdx = "0.10"
 # Lazy
 strum = { version = "0.27", features = ["derive"] }
 # Index retrieval and querying
-tame-index = { version = "0.21", default-features = false, features = [
+tame-index = { version = "0.22", default-features = false, features = [
   "git",
   "local",
   "sparse",
@@ -118,7 +118,7 @@ time = { version = "0.3", default-features = false, features = [
 # Deserialization of configuration files and crate manifests
 toml-span = { version = "0.5", features = ["reporting"] }
 # Small fast hash crate
-twox-hash = { version = "2.0", default-features = false, features = ["xxhash32"] }
+twox-hash = { version = "2.1", default-features = false, features = ["xxhash32"] }
 # Url parsing/manipulation
 url = "2.5"
 # Directory traversal
@@ -140,7 +140,7 @@ features = [
 fs_extra = "1.3"
 # Snapshot testing
 insta = { version = "1.43", features = ["json"] }
-tame-index = { version = "0.21", features = ["local-builder"] }
+tame-index = { version = "0.22", features = ["local-builder"] }
 time = { version = "0.3", features = ["serde"] }
 toml-span = { version = "0.5", features = ["serde"] }
 # We use this for creating fake crate directories for crawling license files on disk

@@ -30,11 +30,10 @@ skip = [
     { crate = "[email protected]", reason = "gix uses this old version" },
     { crate = "[email protected]", reason = "reqwest -> system-configuration uses this old version" },
     { crate = "[email protected]", reason = "ring uses this old version" },
-    { crate = "[email protected]", reason = "semver trick" },
 ]
 skip-tree = [
     { crate = "[email protected]", reason = "a foundational crate for many that bumps far too frequently to ever have a shared version" },
-    { crate = "[email protected]", reason = "gix depends on both the 1.0 and 2.0 versions" },
+    { crate = "[email protected]", reason = "rustsec depends 1.0, patched, but not released https://github.com/rustsec/rustsec/commit/9b97c0fc155752c8298a5b5406eb175765ceac93" },
 ]
 
 [sources]

@@ -381,6 +381,30 @@ pub fn check(
     );
 
     let report_duplicates = |multi_detector: &mut MultiDetector<'_>, sink: &mut diag::ErrorSink| {
+        if multi_detector.dupes.len() != 1 {
+            // Filter out crates that depend on another version of themselves https://github.com/dtolnay/semver-trick
+            multi_detector.dupes.retain(|(index, _)| {
+                let krate = &ctx.krates[*index];
+
+                // We _could_ just see if this crate's dependencies is another
+                // version of itself, but that means if there are other versions
+                // of the crate then the version that is doing the trick is not
+                // reported, so we do the more expensive check for the direct
+                // dependents
+                let direct = ctx
+                    .krates
+                    .direct_dependents(ctx.krates.nid_for_kid(&krate.id).unwrap());
+
+                let res = !direct.iter().all(|dir| dir.krate.name == krate.name);
+
+                if !res {
+                    log::debug!("ignoring duplicate crate '{krate}', its only dependents was another version of itself");
+                }
+
+                res
+            });
+        }
+
         let skipped = multi_detector
             .dupes
             .iter()

@@ -194,7 +194,7 @@ fn ignores_dev() {
         r#"
 multiple-versions = 'deny'
 skip = [
-    { name = 'block-buffer', version = "=0.7.3" },
+    "block-buffer@0.7.3"
 ]
 "#,
     );

@@ -369,7 +369,7 @@ expression: diags
       "labels": [
         {
           "column": 1,
-          "line": 50,
+          "line": 51,
           "message": "lock entries",
           "span": "generic-array 0.12.4 registry+https://github.com/rust-lang/crates.io-index\ngeneric-array 0.14.5 registry+https://github.com/rust-lang/crates.io-index"
         }

@@ -315,7 +315,7 @@ expression: diags
       "labels": [
         {
           "column": 1,
-          "line": 31,
+          "line": 32,
           "message": "lock entries",
           "span": "digest 0.8.1 registry+https://github.com/rust-lang/crates.io-index\ndigest 0.10.3 registry+https://github.com/rust-lang/crates.io-index"
         }
@@ -526,7 +526,7 @@ expression: diags
       "labels": [
         {
           "column": 1,
-          "line": 50,
+          "line": 51,
           "message": "lock entries",
           "span": "generic-array 0.12.4 registry+https://github.com/rust-lang/crates.io-index\ngeneric-array 0.14.5 registry+https://github.com/rust-lang/crates.io-index"
         }
@@ -535,5 +535,59 @@ expression: diags
       "severity": "error"
     },
     "type": "diagnostic"
+  },
+  {
+    "fields": {
+      "code": "duplicate",
+      "graphs": [
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.25.4"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "minreq",
+                "version": "2.13.4"
+              },
+              "parents": [
+                {
+                  "Krate": {
+                    "name": "duplicates",
+                    "version": "0.1.0"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.26.11"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "duplicates",
+                "version": "0.1.0"
+              }
+            }
+          ]
+        }
+      ],
+      "labels": [
+        {
+          "column": 1,
+          "line": 140,
+          "message": "lock entries",
+          "span": "webpki-roots 0.25.4 registry+https://github.com/rust-lang/crates.io-index\nwebpki-roots 0.26.11 registry+https://github.com/rust-lang/crates.io-index"
+        }
+      ],
+      "message": "found 2 duplicate entries for crate 'webpki-roots'",
+      "severity": "error"
+    },
+    "type": "diagnostic"
   }
 ]
@@ -141,4 +141,19 @@ expression: dup_graphs.lock()
         }
     }
     ,
+    digraph {
+        0 [label="0.25.4", shape=box, style=rounded, color=red]
+        1 [label="0.26.11", shape=box, style=rounded, color=red]
+        2 [label="duplicates 0.1.0", shape=box, style=rounded]
+        3 [label="minreq 2.13.4", shape=box, style=rounded]
+        2 -> 1 [color=red]
+        3 -> 0 [color=blue]
+        2 -> 3 [color=blue]
+        subgraph cluster_0 {
+            {rank=same 0 1 }
+            style="rounded,filled";
+            label="webpki-roots"
+        }
+    }
+    ,
 ]
@@ -3,16 +3,70 @@ source: tests/bans.rs
 expression: diags
 ---
 [
+  {
+    "fields": {
+      "code": "duplicate",
+      "graphs": [
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.25.4"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "minreq",
+                "version": "2.13.4"
+              },
+              "parents": [
+                {
+                  "Krate": {
+                    "name": "duplicates",
+                    "version": "0.1.0"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.26.11"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "duplicates",
+                "version": "0.1.0"
+              }
+            }
+          ]
+        }
+      ],
+      "labels": [
+        {
+          "column": 1,
+          "line": 140,
+          "message": "lock entries",
+          "span": "webpki-roots 0.25.4 registry+https://github.com/rust-lang/crates.io-index\nwebpki-roots 0.26.11 registry+https://github.com/rust-lang/crates.io-index"
+        }
+      ],
+      "message": "found 2 duplicate entries for crate 'webpki-roots'",
+      "severity": "error"
+    },
+    "type": "diagnostic"
+  },
   {
     "fields": {
       "code": "unmatched-skip",
       "graphs": [],
       "labels": [
         {
-          "column": 15,
+          "column": 6,
           "line": 4,
           "message": "unmatched skip configuration",
-          "span": "block-buffer"
+          "span": "block-buffer@0.7.3"
         }
       ],
       "message": "skipped crate 'block-buffer = =0.7.3' was not encountered",