There is a soundness issue with atty when building on Windows with a
custom allocator.
This PR switches direct dependencies on atty to is-terminal. New semver
compatible versions of clap and snapbox remove atty. #11417 upgrades
env_logger to remove it from there.
Fixes#11415
chore: Upgrade to env_logger
This removes one path to `atty`.
Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency
This is part of #11416
Change rustdoc-scrape-examples to be a target-level configuration
This PR addresses issues raised in rust-lang/cargo#9525. Specifically:
1. It enables examples to be scraped from `#[test]` functions, by passing additional flags to Rustdoc to ensure that these functions aren't ignored by rustc.
2. It moves the `arg` from `-Z rustdoc-scrape-examples={arg}` into a target-level configuration that can be added to Cargo.toml.
The added test `scrape_examples_configure_target` shows a concrete example. In short, examples will be default scraped from Example and Lib targets. Then the user can enable or disable scraping like so:
```toml
[lib]
doc-scrape-examples = false
[[test]]
name = "my_test"
doc-scrape-examples = true
```
This removes one path to `atty`.
Others:
- clap: fixed in 4.0.27
- pretty-env-logger: seanmonstar/pretty-env-logger#52 needs to be resolved first
- snapbox: this will be fixed soonish but is also only a test dependency
- direct dependency
This is part of #11416
Add warning when `cargo tree -i <spec>` can not find packages
### What does this PR try to resolve?
close https://github.com/rust-lang/cargo/issues/11315
Add warning when `cargo tree -i <spec>` can not find packages.
### How should we test and review this PR?
Please run the unit test.
Clean profile, patch, and replace in cargo remove
### What does this PR try to resolve?
This PR is part of the continued work on cargo remove (#11099, see deferred work).
After a successful removal of a dependency, clean up the profile, patch, and replace sections to remove all references to it.
**Note** the GC process was expanded to clean up not just references to the dependencies just removed, but also references of all dependencies. This was because there's not an easy way to determine which dependencies correspond to the given TOML keys, without either 1) figuring that out before the removal (therefore having to predict the behavior), or 2) returning that information from the remove function (somewhat unorthodox for an op).
### How should we review and test this PR?
Verify that the implementation makes sense and that the tests are sufficient.
chore: Upgrade miow
Upgrade `miow` to the latest release.
The main change from miow is the upgrade of transitive dependency `windows-sys` from 0.28 to 0.42, which removes a duplicate dependency for cargo.
Fix several tests that are waiting 60 seconds for publishing to time out
Several tests are missing the pre-publishing hack to avoid the 60 second wait-for-publish timeout.
r? `@epage`
Implement RFC 3139: alternative registry authentication support
Allows registries to request Cargo to send the authentication token for all requests, rather than just publish/yank, implementing [RFC 3139](https://github.com/rust-lang/cargo/issues/10474).
### Items from the [tracking issue](https://github.com/rust-lang/cargo/issues/10474)
> Do registries need a more fine-grained switch for which API commands require authentication?
This PR uses the `auth_required` boolean as described in the RFC.
> The RFC mentions adding --token to additional commands like install and search
These flags are not added by this PR.
> Consider changing the name and form of the X- header
Changed to the `www-authenticate` header as suggested by the comments.
> Will there be any concerns with the interaction with https://github.com/rust-lang/rfcs/pull/3231
Not that I know of.
-------------
Adds a new field `"auth-required": true` to `config.json` that indicates Cargo should include the token in all requests to a registry.
For HTTP registries, Cargo first attempts an un-authenticated request, then if that fails with HTTP 401, an authenticated request is attempted. The registry server may include a `www-authenticate` header with the HTTP 401 to instruct Cargo with URL the user can visit to acquire a token (crates.io/me).
Since the API URL is not known (because it's stored in the index), the unstable credential provider feature is modified to key off the index url, and the registry name is no longer provided.
To handle the case where an alternative registry's name is not known (such as coming from a lock file, or via `--index`), Cargo can now look up the token in the configuration by matching on the index URL. This introduces a new error if two alternative registries are configured with the same index URL.
Several operations, such as `cargo install` could have had a `--token` argument added, however it appears that Cargo would like to move away from passing the token on the command line for security reasons. In this case, users would need to configure the registry via the config file (or environment variables) when using `cargo install --index ...` or similar.
Fix cargo install --index when used with registry.default
Setting `registry.default` causes the `args.registry` call to return the default registry as if it were passed through `--registry`, which leaves the `--index` argument ignored in `cargo install`, since `registry` is checked first.
Fixes#11301 by checking for `index` before `registry`.
Note that if you try to pass both `--index` and `--registry`, then a command-line parser error (correctly) occurs:
```
The argument '--registry <REGISTRY>' cannot be used with '--index <INDEX>'
```
improve error message for cargo add/remove
### What does this PR try to resolve?
When I see the old error:
```
> cargo add paste
error: 2 packages selected. Please specify one with `-p <PKGID>`
```
I was a little bit confused, and thought it says there are 2 packages called "paste". The new message is similar to `cargo run`
Fix git2 safe-directory disable
The call to `set_verify_owner_validation` was not getting called unless a network configuration was found. This means in the common case that `cargo new` will fail when there is a safe-directory error. This fixes the issue by making sure that `set_verify_owner_validation` is called before the early-exits in `init_git_transports`.
Fixes#11365
fix: return non UTF-8 error message
Fixes https://github.com/rust-lang/cargo/issues/11311
### Test Steps
1. Create a new empty Git repository
2. Create a `.gitignore` that is not valid UTF-8, for instance `printf '\xFF\xFE' > .gitignore`
3. `cargo init`