# Objective
Cargo-deny has being updated and now some keys are being deprecated.
Fix these warnings:
<details>
```rs
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:6:1
│
6 │ vulnerability = "deny"
│ ^^^^^^^^^^^^^
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:7:1
│
7 │ unmaintained = "deny"
│ ^^^^^^^^^^^^
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:9:1
│
9 │ notice = "deny"
│ ^^^^^^
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:13:1
│
13 │ unlicensed = "deny"
│ ^^^^^^^^^^
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:14:1
│
14 │ copyleft = "deny"
│ ^^^^^^^^
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:15:1
│
15 │ default = "deny"
│ ^^^^^^^
warning[deprecated]: this key has been moved to [graph]
┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:1:1
│
1 │ all-features = true
│ ^^^^^^^^^^^^
```
</details>
This also fix ci by temporarily skipping the check for cpal
dependencies.
https://github.com/bevyengine/bevy/issues/11917#issuecomment-1953629729
## Solution
- Remove keys deprecated.
- Update the list of licenses allowed. (All these licenses are already
being use for some dependencies)
- Skip cpal dependencies to avoid falining in CI, while we wait for new
releases
https://github.com/bevyengine/bevy/issues/11917#issuecomment-1953629729
# Objective
- Standardize fmt for toml files
## Solution
- Add [taplo](https://taplo.tamasfe.dev/) to CI (check for fmt and diff
for toml files), for context taplo is used by the most popular extension
in VScode [Even Better
TOML](https://marketplace.visualstudio.com/items?itemName=tamasfe.even-better-toml
- Add contribution section to explain toml fmt with taplo.
Now to pass CI you need to run `taplo fmt --option indent_string=" "` or
if you use vscode have the `Even Better TOML` extension with 4 spaces
for indent
---------
Co-authored-by: Alice Cecile <alice.i.cecile@gmail.com>
# Objective
- Job cargo deny for bans is failing too often to be useful
- Having only one version of all dependencies is not realistic
## Solution
- Only warn on multiple dependencies of a crate
- Deny some specific crates that we know shouldn't be present multiple
time
# Objective
- Make the dependency job successful again
## Solution
- Update the list of duplicates
- Remove a security issue exception not needed anymore
- Also update a dependency that was missed by dependabot
# Objective
- Add basic spatial audio support to Bevy
- this is what rodio supports, so no HRTF, just simple stereo channel manipulation
- no "built-in" ECS support: `Emitter` and `Listener` should be components that would automatically update the positions
This PR goal is to just expose rodio functionality, made possible with the recent update to rodio 0.16. A proper ECS integration opens a lot more questions, and would probably require an RFC
Also updates rodio and fixes#6122
# Objective
Fixes#7654
## Solution
Add `windows v0.43` to the list of skipped dependencies checked by CI (until `gilrs` publishes a new release with `windows v0.44`)
# Objective
- Update winit to 0.28
## Solution
- Small API change
- A security advisory has been added for a unmaintained crate used by a dependency of winit build script for wayland
I didn't do anything for Android support in this PR though it should be fixable, it should be done in a separate one, maybe https://github.com/bevyengine/bevy/pull/6830
---
## Changelog
- `window.always_on_top` has been removed, you can now use `window.window_level`
## Migration Guide
before:
```rust
app.new()
.add_plugins(DefaultPlugins.set(WindowPlugin {
primary_window: Some(Window {
always_on_top: true,
..default()
}),
..default()
}));
```
after:
```rust
app.new()
.add_plugins(DefaultPlugins.set(WindowPlugin {
primary_window: Some(Window {
window_level: bevy:🪟:WindowLevel::AlwaysOnTop,
..default()
}),
..default()
}));
```
# Objective
- Update `wgpu` to 0.14.0, `naga` to `0.10.0`, `winit` to 0.27.4, `raw-window-handle` to 0.5.0, `ndk` to 0.7.
## Solution
---
## Changelog
### Changed
- Changed `RawWindowHandleWrapper` to `RawHandleWrapper` which wraps both `RawWindowHandle` and `RawDisplayHandle`, which satisfies the `impl HasRawWindowHandle and HasRawDisplayHandle` that `wgpu` 0.14.0 requires.
- Changed `bevy_window::WindowDescriptor`'s `cursor_locked` to `cursor_grab_mode`, change its type from `bool` to `bevy_window::CursorGrabMode`.
## Migration Guide
- Adjust usage of `bevy_window::WindowDescriptor`'s `cursor_locked` to `cursor_grab_mode`, and adjust its type from `bool` to `bevy_window::CursorGrabMode`.
# Objective
The `deny.toml` file defines some crates that are skipped for duplicate dependency detection, because the issues are deeper in the dependency tree and not easily fixable.
However, two of those exceptions are no longer necessary.
## Solution
Remove `hashbrown` and `mio` from the skipped crates, according to `cargo deny check` this is no longer needed.
# Objective
DioxusLabs and Bevy have taken over maintaining what was our abandoned ui layout dependency [stretch](https://github.com/vislyhq/stretch). Dioxus' fork has had a lot of work done on it by @alice-i-cecile, @Weibye , @jkelleyrtp, @mockersf, @HackerFoo, @TimJentzsch and a dozen other contributors and now is in much better shape than stretch was. The updated crate is called taffy and is available on github [here](https://github.com/DioxusLabs/taffy) ([taffy](https://crates.io/crates/taffy) on crates.io). The goal of this PR is to replace stretch v0.3.2 with taffy v0.1.0.
## Solution
I changed the bevy_ui Cargo.toml to depend on taffy instead of stretch and fixed all the errors rustc complained about.
---
## Changelog
Changed bevy_ui layout dependency from stretch to taffy (the maintained fork of stretch).
fixes#677
## Migration Guide
The public api of taffy is different from that of stretch so please advise me on what to do here @alice-i-cecile.
# Objective
- Update hashbrown to 0.12
## Solution
- Replace #4004
- As the 0.12 is already in Bevy dependency tree, it shouldn't be an issue to update
- The exception for the 0.11 should be removed once https://github.com/zakarumych/gpu-descriptor/pull/21 is merged and released
- Also removed a few exceptions that weren't needed anymore
# Objective
Fixes#4353. Fixes#4431. Picks up fixes for a panic for `gilrs` when `getGamepads()` is not available.
## Solution
Update the `gilrs` to `v0.9.0`. Changelog can be seen here: dba36f9186
EDIT: Updated `uuid` to 1.1 to avoid duplicate dependencies. Added `nix`'s two dependencies as exceptions until `rodio` updates their deps.
# Objective
- CI is giving a warning about duplicate dependency because of a differing versions between `winit` and `ahash` of https://github.com/bytecodealliance/wasi
- PRs that are mergeable look like they're not.
## Solution
- Add this crate to the list of ignored duplicates
# Objective
- Nightly checks where disabled because of a bug in Rust
- Dependency checks are failing because of a new duplicate
## Solution
- Now that https://github.com/rust-lang/rust/pull/92175 has been merged, re-enable nightly checks
- Add the new duplicate dependency to the known list
- Removed `Inflector` dependency as it's not used anymore
Co-authored-by: François <8672791+mockersf@users.noreply.github.com>
# Objective
- mp3 feature of rodio has dependencies that are not maintained with security issues
- mp3 feature of rodio doesn't build in wasm
- mp3 feature of rodio uses internal memory allocation that cause rejection from Apple appstore
## Solution
- Use vorbis instead of mp3 by default
Co-authored-by: François <8672791+mockersf@users.noreply.github.com>
# Objective
Fixes#3352Fixes#3208
## Solution
- Update wgpu to 0.12
- Update naga to 0.8
- Resolve compilation errors
- Remove [[block]] from WGSL shaders (because it is depracated and now wgpu cant parse it)
- Replace `elseif` with `else if` in pbr.wgsl
# Objective
- With the removal of the old renderer, Bevy doesn't depend on spirv-reflect 🎉
## Solution
- Remove its advisory from the ignored list
Co-authored-by: François <8672791+mockersf@users.noreply.github.com>
# Objective
- there are a few new versions for `ron`, `winit`, `ndk`, `raw-window-handle`
- `cargo-deny` is failing due to new security issues / duplicated dependencies
## Solution
- Update our dependencies
- Note all new security issues, with which of Bevy direct dependency it comes from
- Update duplicate crate list, with which of Bevy direct dependency it comes from
`notify` is not updated here as it's in #2993
# Objective
- We currently depends on ndk 0.2, 0.3, 0.4
- Only 0.2 dependencies comes from Bevy itself
## Solution
- Replace #1371
- Update Bevy to ndk-glue 0.4
- Also fixes duplicate dependency CI issue
# Objective
- MPL should not be an authorised license for all crates
## Solution
- Add exception for MPL for wgpu and hexasphere
- Remove security issue for a crate we don't depend on anymore
After winit update in #2186, a bunch of duplicated dependencies changed.
Most are related to a new dependency, https://github.com/onurzdg/mio-misc, that has a few older versions in its dependencies
https://github.com/EmbarkStudios/cargo-deny
cargo-deny is a tool that can issue errors for dependency issues, among other:
* security issues in a crate
* duplicated dependencies with different versions
* unauthorised license
Added cargo-deny with an opinionated configuration:
* No middle ground with warnings, either allow or deny
* Not added to Bors, we probably don't want to block a PR on something that may happen from outside
* Different github workflow than CI to run only when Cargo.toml files are changed, or on a schedule
* Each check in its own job to help readability
* Initial config makes Bevy pass all check
Pushing a first commit with commented config to show errors