Cargo audit doesn't report all issues without `--deny warnings`

[martin-t]

Example: https://github.com/quininer/x11-clipboard on commit 54096beb:

• cargo audit doesn't report any issues
• cargo audit --deny warnings reports error: 1 denied warning found! - a soundness issue

This often results in the awkward situation that i run audit locally, see no issues and push but later get an email about failing CI (because i deny warns on CI).

I think this is a bug but I've run into this many times yet haven't seen anybody else complain about it so maybe it's intentional? I don't see any benefit to doing this and I think hiding issues from devs by default is a bad idea.

[tarcieri]

What we display by default has been shaped by a never-ending series of complaints from people with different and often conflicting priorities.

It seems last we netted out, unsound informational advisories are not displayed by default.

You can enable them on a per-project basis by adding the following to .cargo/audit.toml (and also using a per-project config will prevent CI from diverging from what you get locally):

[advisories]
informational_warnings = ["unmaintained", "unsound"]

Generally I'd agree they should probably be on by default, at least until the next person complains of alert fatigue.

[Shnatsel]

I believe the action items here are:

1. Re-enable reporting of informational advisories by default, as warnings
2. Make sure warnings do not result in exit code other than 0 unless --deny warnings is passed

[sidunder]

I'll take this on.