[licenses]
# List of explicitly allowed licenses. This is the whole policy: a crate whose
# license expression cannot be satisfied by the entries below fails the check.
# SPDX 2.1 license list - https://spdx.org/licenses/
allow = [
"MIT",
"MIT-0", # MIT No Attribution — superset of MIT (transitively via borrow-or-share)
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-3.0",
"Unlicense",
"Zlib",
"0BSD",
"BSL-1.0", # Boost Software License — OSI permissive (xxhash-rust)
"CC0-1.0", # Creative Commons Zero — public domain dedication (tiny-keccak)
"CDLA-Permissive-2.0", # Community Data License Agreement — permissive (webpki-roots ≥1.0)
# Allowed globally, so any future crate under MPL-2.0 is accepted as well.
# If the intent is to tolerate it only for option-ext, an `exceptions` entry
# scoped to that crate is the narrower alternative.
"MPL-2.0", # Mozilla Public License 2.0 — weak copyleft, file-level (option-ext via dirs)
]
# Disallowed licenses are now expressed by omitting them from `allow` above —
# the legacy `deny` key was removed in cargo-deny 0.14
# (https://github.com/EmbarkStudios/cargo-deny/pull/611).
# The confidence threshold for detecting a license from a license text.
# Possible values are any number between 0.0 and 1.0. Lower values accept
# fuzzier matches against the license texts, so raise rather than lower this
# if a crate is being misclassified.
confidence-threshold = 0.8
# Allow 1 or more licenses on a per-crate basis, so that particular licenses
# aren't accepted for every possible crate as with the normal allow list.
# Intentionally empty; a per-crate carve-out belongs here with a comment
# rather than in the global `allow` list.
exceptions = []
[bans]
# Lint level for when multiple versions of the same crate are detected.
# "warn" reports duplicates without failing the build.
multiple-versions = "warn"
# Lint level for when a crate version requirement is '*'.
# NOTE(review): with "allow" a `*` requirement is never reported, and a
# wildcard lets any published version satisfy it, including versions this
# file tries to keep out via `deny` below. "warn" would at least surface new
# wildcards in CI output.
wildcards = "allow"
# Fail the build if any of these known-bad transitive versions ever come back
# via a dep bump. lz4_flex 0.11.5 / 0.12.0 were yanked under RUSTSEC-2026-0041;
# we bumped past them and want to stay there.
# `version` is a Cargo requirement string: "=0.11.5" matches exactly that
# version and nothing else, so each bad release needs its own entry.
deny = [
{ name = "lz4_flex", version = "=0.11.5" },
{ name = "lz4_flex", version = "=0.12.0" },
]
# Crates exempted from the multiple-versions lint (none today).
skip = []
# Like `skip`, but also exempts the crate's whole dependency subtree (none today).
skip-tree = []
[advisories]
# The path where the advisory database is cloned/fetched into.
# TOML does no `~` expansion itself; presumably cargo-deny expands it — confirm
# on CI runners where HOME may be unset.
db-path = "~/.cargo/advisory-db"
# The url(s) of the advisory databases to use
db-urls = ["https://github.com/rustsec/advisory-db"]
# Ignored advisories are still reported as an info line but don't fail CI.
# Each entry must carry a justification + a revisit trigger in a comment.
# An entry here silences the advisory id for every crate and version that
# triggers it, so the justifications below need re-checking whenever the
# named parent crate is bumped.
ignore = [
# rustls-pemfile is unmaintained — pulled in transitively via tonic 0.12
# → qdrant-client. Upstream tonic has not migrated to rustls-pki-types yet.
# No fixed upgrade is available. Revisit when tonic releases a version
# that uses rustls-pki-types directly.
# https://rustsec.org/advisories/RUSTSEC-2025-0134
"RUSTSEC-2025-0134",
# The next four advisories are all "unmaintained" warnings on
# transitive deps with no upstream fix available. Each one is revisited
# whenever its parent crate is upgraded. Marked as ignored so the
# release gate (`just check`) doesn't fail on dep-tree state we cannot
# influence directly. Revisit when the parent crate migrates off them.
"RUSTSEC-2024-0388", # `derivative` unmaintained — via several proc-macro consumers
"RUSTSEC-2024-0384", # `instant` unmaintained — replaced upstream by `web-time` in some crates
"RUSTSEC-2024-0436", # `paste` unmaintained — pervasive proc-macro helper, no fix yet
"RUSTSEC-2024-0370", # `proc-macro-error` unmaintained — see RUSTSEC-2024-0436 for status
# Unlike the four above, this one is an unsoundness advisory with a fixed
# upstream release; it stays ignored only until the dependency tree can
# move to `rand 0.9`. Revisit on every bump of the crates that pin `rand`.
"RUSTSEC-2026-0097", # `rand` rng() unsoundness — fix is in `rand 0.9`, blocked by deps
# `lru` IterMut Stacked Borrows / internal-pointer issue — fix is in
# `lru >= 0.16.3`. We pulled symbi-shell off the vulnerable path by
# bumping ratatui 0.29 → 0.30, but `tantivy 0.24` (transitive via the
# `vector-lancedb` feature on symbi-runtime) still pins `lru ^0.12`.
# Bumping tantivy requires a lance / lancedb major bump, which is a
# bigger workstream. The advisory is **low** severity and the issue
# only triggers under Miri / Stacked Borrows analysis; not reachable
# from external input. Revisit when lance / lancedb / tantivy land a
# release with `lru >= 0.16.3`.
# https://rustsec.org/advisories/RUSTSEC-2026-0002
"RUSTSEC-2026-0002",
]
[sources]
# Lint level for what to happen when a crate from a crate registry that is
# not in the allow list is encountered
unknown-registry = "warn"
# Lint level for what to happen when a crate from a git repository that is not
# in the allow list is encountered
unknown-git = "warn"
# Both lints are "warn": an unlisted registry or git source is reported but
# does not fail the build. Switch to "deny" if the allow lists below are meant
# to be enforced rather than advisory.
# List of URLs for allowed crate registries. Defaults to the crates.io index
# if not specified. If it is specified but empty, no registries are allowed.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of URLs for allowed Git repositories. Empty means every git dependency
# trips `unknown-git` above.
allow-git = []