### What does this PR try to resolve?
cargo-auditable 0.7.0 will use the unstable Cargo SBOM precursor files
if a user configures Cargo to generate the SBOM files. cargo-auditable
assumes that the package ID specifiers in Cargo SBOM files are fully
qualified.
We'd like to enforce this assumption in Cargo so we can keep our package
ID spec parsing simpler by not considering non-fully qualified package
ID specs. This PR updates the cargo docs to state where fully qualified
package ID specs are used, and also adds SBOMs to the existing `cargo
pkgid` test that is currently enforcing consistency between the various
usages of fully qualified package id specs.
Previously raised at [#t-cargo > sbom missing name, version, source @
💬](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/sbom.20missing.20name.2C.20version.2C.20source/near/525443447)
### How to test and review this PR?
Change doesn't affect current behaviour.
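An added example, not part of the PR or of Cargo's code: a simplified consumer-side check of the kind an SBOM reader could use to reject package ID specs that are not fully qualified (`kind+url#name@version`, or `kind+url#version` with the name taken from the URL). The accepted source kinds, the version check and the sample specs are assumptions of this sketch.

```rust
// Simplified check written for illustration; this is not Cargo's parser.
#[derive(Debug, PartialEq)]
struct QualifiedSpec {
    kind: String,
    url: String,
    name: String,
    version: String,
}

// Assumption: a full version is MAJOR.MINOR.PATCH with optional -pre/+build.
fn is_full_version(v: &str) -> bool {
    let core = v.split(|c| c == '-' || c == '+').next().unwrap_or("");
    let parts: Vec<&str> = core.split('.').collect();
    parts.len() == 3
        && parts.iter().all(|p| !p.is_empty() && p.chars().all(|c| c.is_ascii_digit()))
}

fn parse_fully_qualified(spec: &str) -> Result<QualifiedSpec, &'static str> {
    let (kind, rest) = spec.split_once('+').ok_or("no source kind")?;
    // Assumption: the source kinds this sketch accepts.
    if !["registry", "sparse", "git", "path"].contains(&kind) {
        return Err("unknown source kind");
    }
    let (url, fragment) = rest.split_once('#').ok_or("no #name@version fragment")?;
    if !url.contains("://") {
        return Err("source is not a URL");
    }
    let (name, version) = match fragment.split_once('@') {
        Some((n, v)) => (n, v),
        None => {
            // `kind+url#version`: the name is the last URL path segment.
            let path = url.split('?').next().unwrap_or(url).trim_end_matches('/');
            (path.rsplit('/').next().unwrap_or(""), fragment)
        }
    };
    if name.is_empty() || !is_full_version(version) {
        return Err("name or full version missing");
    }
    Ok(QualifiedSpec { kind: kind.into(), url: url.into(), name: name.into(), version: version.into() })
}

fn main() {
    // Constructed sample specs: the first is fully qualified, the rest are not.
    let registry = "registry+https://github.com/rust-lang/crates.io-index";
    for s in [format!("{}#regex@1.4.3", registry), format!("{}#regex", registry), "regex@1.4.3".to_string()] {
        println!("{}: {:?}", s, parse_fully_qualified(&s));
    }
}
```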
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [cargo-semver-checks](https://redirect.github.com/obi1kenobi/cargo-semver-checks) | minor | `0.41.0` -> `0.42.0` |
---
### Release Notes
<details>
<summary>obi1kenobi/cargo-semver-checks (cargo-semver-checks)</summary>
### [`v0.42.0`](https://redirect.github.com/obi1kenobi/cargo-semver-checks/compare/v0.41.0...v0.42.0)
[Compare Source](https://redirect.github.com/obi1kenobi/cargo-semver-checks/compare/v0.41.0...v0.42.0)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Every minute ( * * * * * ) (UTC),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/rust-lang/cargo).
### What does this PR try to resolve?
This is prep for updating `toml` which will change some of these error
messages
### How to test and review this PR?
### What does this PR try to resolve?
Implements another part of feature unification (#14774,
[rfc](1c590ce05d/text/3692-feature-unification.md)).
The `workspace` option was implemented in #15157, this adds the
`package` option.
### How to test and review this PR?
The important change is changing `WorkspaceResolve` so it can contain
multiple `ResolvedFeature`s. Along with that, it also needs to know
which specs those features are resolved for. This was used in several
other places:
- `cargo fix --edition` (from 2018 to 2021) - I think it should be ok to
disallow using `cargo fix --edition` when someone already uses this
feature.
- building std - it should be safe to assume std is not using this
feature so I just unwrap there. I'm not sure if some attempt to later
feature unification would be better.
- `cargo tree` - I just use the first feature set. This is definitely
not ideal, but I'm not entirely sure what's the correct solution here.
Printing multiple trees? Disallowing this, forcing users to select only
one package?
Based on comments in #15157 I've added tests first with `selected`
feature unification and then changed that after implementation. I'm not
sure if that's how you expect the tests to be added first, if not, I can
change the history.
I've expanded the test checking that this is ignored for `cargo install`
although it should work the same way even if it is not ignored
(`selected` and `package` are the same thing when just one package is
selected).
### What does this PR try to resolve?
I know that us not publishing `build-rs` recently came up and was
surprised to see this wasn't fixed. Unsure where that conversation is or
what happened with it.
Looks like it was in #15567 and there was no follow up on my side...
### How to test and review this PR?
Fixes #15647.
When dry-run publishing a workspace without bumping versions first, the
package-verification step would fail because it would see checksum
mismatches between the old lock file (that saw index deps) and the new
lock file where those index deps got replaced by local packages with the
same version.
In this PR, the packaging step modifies the old lock file's checksums
before re-resolving, but only in dry-run mode.
### What does this PR try to resolve?
This PR changes the triggering `rustc` lint in the
`fix_only_once_for_duplicates` test from `unused_must_use` to
`forgetting_references`, because we are changing in
https://github.com/rust-lang/rust/pull/143030 the interaction between
that lint and macros.
This is required as it is blocking the rust PR,
https://github.com/rust-lang/rust/pull/143030#issuecomment-3009124056.
### How to test and review this PR?
Look at the test changes.
This adds a `http.proxy-cainfo` option to Cargo which reads CA
information from a bundle to pass through to the underlying `libcurl`
call. This should allow configuration of Cargo in situations where an SSL
proxy is used.
Similar to https://github.com/rust-lang/cargo/pull/2917.
cc #15376