EmbarkStudios · mergify · Feb 5, 2024 · Feb 4, 2024
@@ -32,11 +32,11 @@ Determines what happens when a dependency is specified with the `*` (wildcard) v
 
 If specified, alters how the `wildcard` field behaves:
 
-* [path](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-path-dependencies) `dependencies` in **private** crates will no longer emit a warning or error.
-* path `dev-dependencies` in both public and private crates will no longer emit a warning or error.
-* path `dependencies` and `build-dependencies` in **public** crates will continue to produce warnings and errors.
+* [path](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-path-dependencies) or [git](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-git-repositories) `dependencies` in **private** crates will no longer emit a warning or error.
+* path or git `dev-dependencies` in both public and private crates will no longer emit a warning or error.
+* path or git `dependencies` and `build-dependencies` in **public** crates will continue to produce warnings and errors.
 
-Being limited to private crates is due to crates.io not allowing packages to be published with `path` dependencies except for `dev-dependencies`.
+Being limited to private crates is due to crates.io not allowing packages to be published with `path` or `git` dependencies except for `dev-dependencies`.
 
 ### The `highlight` field (optional)
 

@@ -786,12 +786,13 @@ pub fn check(
                                 let is_private = krate.is_private(&[]);
 
                                 wildcards.retain(|dep| {
+                                    let is_path_or_git = is_path_or_git_dependency(dep);
                                     if is_private {
-                                        dep.path.is_none()
+                                        !is_path_or_git
                                     } else {
-                                        let is_path_dev_dependency = dep.path.is_some()
+                                        let is_path_non_dev_dependency = is_path_or_git
                                             && dep.kind != DependencyKind::Development;
-                                        is_path_dev_dependency || dep.path.is_none()
+                                        is_path_non_dev_dependency || !is_path_or_git
                                     }
                                 });
                             }
@@ -1415,3 +1416,15 @@ fn validate_file_checksum(path: &crate::Path, expected: &cfg::Checksum) -> anyho
     validate_checksum(std::io::BufReader::new(file), expected)?;
     Ok(())
 }
+
+/// Returns true if the dependency has a `path` or `git` source.
+///
+/// TODO: Possibly what we actually care about, where this is used in the wildcard check, is
+/// “is not using any registry source”.
+fn is_path_or_git_dependency(dep: &krates::cm::Dependency) -> bool {
+    dep.path.is_some()
+        || dep
+            .source
+            .as_ref()
+            .is_some_and(|url| url.starts_with("git+"))
+}
@@ -96,6 +96,22 @@ allow-wildcard-paths = true
     insta::assert_json_snapshot!(diags);
 }
 
+/// Ensures that dependencies with wildcard and git are allowed for private packages
+#[test]
+fn allow_git_wildcards_private_package() {
+    let diags = gather_bans(
+        func_name!(),
+        KrateGather::new("wildcards/allow-git"),
+        r#"
+multiple-versions = 'allow'
+wildcards = 'deny'
+allow-wildcard-paths = true
+"#,
+    );
+
+    insta::assert_json_snapshot!(diags);
+}
+
 /// Ensures that multiple versions are always deterministically sorted by
 /// version number
 /// See <https://github.com/EmbarkStudios/cargo-deny/issues/384>

@@ -0,0 +1,5 @@
+---
+source: tests/bans.rs
+expression: diags
+---
+[]
@@ -0,0 +1,14 @@
+[package]
+name = "wildcards-test-allow-git"
+version = "0.1.0"
+authors = []
+edition = "2018"
+license = "MIT"
+
+publish = false
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+# An arbitrary choice of actually existant Git repository
+wildcards-test-allow-git = { package = "krates", git = "https://github.com/EmbarkStudios/krates", rev = "b03ecd6f3204a1b1ec04fbaead2d0d122a3a4494" }
@@ -0,0 +1 @@
+fn main() {}