# cargo-deny configuration
# https://embarkstudios.github.io/cargo-deny/
# Dependency-graph scope shared by every check in this file.
[graph]
# Drops the integration-test crate — and any dependency that only it pulls
# in — from the graph, so those dependencies are never examined by the
# advisories, licenses, bans or sources checks below. That is only acceptable
# while the crate stays test-only and is never shipped.
# NOTE(review): feature-gated optional dependencies are only in the graph if
# the features are enabled; consider `all-features = true` if they should be
# covered too — confirm against what the workspace actually builds.
exclude = ["aletheia-integration-tests"]
# Advisory exceptions. Each entry silences one RUSTSEC id across the whole
# workspace graph; cargo-deny prints `reason` in its diagnostics, so every
# reason should say which crate, which dependency chain, and what unblocks
# removal. Re-validate this list whenever Cargo.lock changes: an ignored
# "unmaintained" advisory means nobody will ship a fix if that crate is later
# found vulnerable, and an ignored soundness advisory is only safe while the
# "not our usage" argument holds for every transitive user, not just
# first-party code.
[advisories]
ignore = [
    # yaml-rust and bincode both reach the graph through syntect (aletheia-tui).
    { id = "RUSTSEC-2024-0320", reason = "yaml-rust unmaintained — transitive via syntect/aletheia-tui, no safe upgrade" },
    { id = "RUSTSEC-2025-0141", reason = "bincode unmaintained — transitive via syntect/aletheia-tui, no safe upgrade" },
    # paste: proc-macro pulled in by tokenizers.
    { id = "RUSTSEC-2024-0436", reason = "paste unmaintained, transitive via tokenizers; no safe upgrade" },
    # rustls-pemfile 2.x: tied to tonic 0.12 through qdrant-client.
    { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile 2.x unmaintained — transitive via qdrant-client → tonic 0.12. Blocked until qdrant-client upgrades tonic to 0.13+" },
    # rand 0.8 soundness issue. NOTE(review): the "not our usage" claim in the
    # reason has to be re-checked against the transitive users it names
    # (qdrant-client → tonic 0.12, spreadsheet-ods, phf), since by the reason's
    # own account rand 0.8 enters the graph only through them.
    { id = "RUSTSEC-2026-0097", reason = "rand 0.8 unsound only with custom logger using rand::rng() — not our usage. Transitive via qdrant-client → tonic 0.12 + spreadsheet-ods + phf. Blocked on upstream migrations to rand 0.9+" },
]
# License policy. Under cargo-deny's version-2 licenses semantics there is no
# separate deny list: a license that is not in `allow` fails the check, so the
# allow list below is the whole policy.
[licenses]
# Selects the newer `[licenses]` configuration semantics. The rationale
# recorded for this project: the legacy parser rejects the bare
# "AGPL-3.0-or-later" / "LGPL-3.0-or-later" identifiers with
# "expected a <bare-gnu-license>", while version 2 accepts them.
version = 2
# Minimum confidence cargo-deny requires when it has to classify a crate's
# license from its license text rather than a declared SPDX expression. A
# lower value accepts looser matches, so do not relax this for convenience.
confidence-threshold = 0.8
# Sorted alphabetically; entries that exist for one specific crate name it.
allow = [
    "0BSD",
    "AGPL-3.0-or-later",
    "Apache-2.0",
    # Apache-2.0 plus LLVM's additional permission for compiled output, which
    # the project treats as strictly more permissive than plain Apache-2.0.
    # Build-time only: typst-eval -> stacker -> psm -> ar_archive_writer.
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDLA-Permissive-2.0", # webpki-roots, webpki-root-certs
    "ISC",
    "LGPL-3.0-or-later", # priority-queue
    "MIT",
    "MPL-2.0", # option-ext, smartstring
    "Unicode-3.0",
    "Zlib",
    "bzip2-1.0.6", # libbz2-rs-sys (via zip 7.x), standalone bzip2 license
]
# Crate bans and duplicate-version policy.
[bans]
# Duplicate versions of one crate are reported but never fail the check; the
# `skip` list below only keeps that report readable.
multiple-versions = "warn"
# `*` version requirements are permitted.
# NOTE(review): a wildcard requirement resolves to whatever the newest release
# is at lock time, so it is worth tightening this to "warn" or "deny" once the
# workspace is known to be free of them.
wildcards = "allow"
# WHY: "pure Rust, no C++" — rustls replaces openssl across the workspace.
# `wrappers = []` means no crate at all may depend on openssl-sys, so anything
# that links OpenSSL (openssl, or native-tls where it uses OpenSSL) fails the
# check instead of slipping in as a transitive dependency.
deny = [
    { crate = "openssl-sys", wrappers = [] },
]
# Skip entries for duplicates caused by upstream constraints we cannot resolve.
# Each entry exempts the named version from the multiple-versions check only;
# it does not remove that version from the build, and the advisories check
# still applies to it. Every entry therefore needs a WHY and an exit condition,
# and the list should be pruned whenever Cargo.lock changes.
# The newer/canonical version is not listed here and is kept as-is.
#
# Canonical versions: windows-sys 0.61, windows-targets 0.53, arch crates 0.53.
# Older versions are pulled in by transitive deps that haven't migrated yet.
skip = [
    # WHY: jni 0.21 (via rustls-platform-verifier) pins windows-sys 0.45.
    # Blocked until rustls-platform-verifier drops jni or jni upgrades.
    { name = "windows-sys", version = "=0.45.0" },
    # WHY: ring 0.17 pins windows-sys 0.52.
    # Blocked until ring releases a version using windows-sys 0.61.
    { name = "windows-sys", version = "=0.52.0" },
    # WHY: arboard 3.6 (via parodos) pins windows-sys 0.60.
    # Blocked until arboard releases a version using windows-sys 0.61.
    { name = "windows-sys", version = "=0.60.2" },
    # WHY: windows-targets follows the windows-sys version spread above.
    # 0.42 from windows-sys 0.45 (jni chain).
    # 0.52 from windows-sys 0.52 (ring chain).
    { name = "windows-targets", version = "=0.42.2" },
    { name = "windows-targets", version = "=0.52.6" },
    # WHY: arch-specific crates follow the windows-targets versions above.
    { name = "windows_aarch64_gnullvm", version = "=0.42.2" },
    { name = "windows_aarch64_gnullvm", version = "=0.52.6" },
    { name = "windows_aarch64_msvc", version = "=0.42.2" },
    { name = "windows_aarch64_msvc", version = "=0.52.6" },
    { name = "windows_i686_gnu", version = "=0.42.2" },
    { name = "windows_i686_gnu", version = "=0.52.6" },
    { name = "windows_i686_gnullvm", version = "=0.52.6" },
    { name = "windows_i686_msvc", version = "=0.42.2" },
    { name = "windows_i686_msvc", version = "=0.52.6" },
    { name = "windows_x86_64_gnu", version = "=0.42.2" },
    { name = "windows_x86_64_gnu", version = "=0.52.6" },
    { name = "windows_x86_64_gnullvm", version = "=0.42.2" },
    { name = "windows_x86_64_gnullvm", version = "=0.52.6" },
    { name = "windows_x86_64_msvc", version = "=0.42.2" },
    { name = "windows_x86_64_msvc", version = "=0.52.6" },
    # WHY: spm_precompiled 0.1.4 (via tokenizers/aletheia-episteme) pins base64 0.13.
    # spm_precompiled is unmaintained (last release 2022-05-30). Blocked until
    # tokenizers replaces or forks spm_precompiled with a base64 0.22+ compatible
    # version. Tracked in #2079.
    { name = "base64", version = "=0.13.1" },
    # WHY: older crypto crates (aes/sha family) pin cpufeatures 0.2.
    # Blocked until those crates release versions using cpufeatures 0.3.
    { name = "cpufeatures", version = "=0.2.17" },
    # WHY: derive_builder_core pins the darling 0.20 proc-macro suite.
    # Blocked until derive_builder migrates to darling 0.23.
    { name = "darling", version = "=0.20.11" },
    { name = "darling_core", version = "=0.20.11" },
    { name = "darling_macro", version = "=0.20.11" },
    # WHY: tokenizers pins fancy-regex 0.14; syntect pins 0.16.
    # Canonical: 0.17 (candle-transformers). Blocked on upstream migrations.
    { name = "fancy-regex", version = "=0.14.0" },
    { name = "fancy-regex", version = "=0.16.2" },
    # WHY: rand 0.8/0.9 ecosystem chains pull in getrandom 0.2/0.3 respectively.
    # Canonical: getrandom 0.4 (rand 0.10). Blocked on full rand ecosystem upgrade.
    { name = "getrandom", version = "=0.2.17" },
    { name = "getrandom", version = "=0.3.4" },
    # WHY: dashmap (via fjall/aletheia-krites storage engine) pins hashbrown 0.14.
    # Blocked until dashmap migrates to hashbrown 0.16.
    { name = "hashbrown", version = "=0.14.5" },
    # WHY: the getrandom 0.3 chain uses r-efi 5.x; getrandom 0.4 uses r-efi 6.x.
    # Remove this entry together with the getrandom 0.3 one above once nothing
    # in the graph pulls getrandom 0.3 any more — a skip entry only silences the
    # duplicate, it does not make it go away.
    { name = "r-efi", version = "=5.3.0" },
    # WHY: rand 0.10 is canonical (rmcp is already on it), but older audio/crypto
    # crates still pull rand 0.9.
    # Blocked until all transitive deps migrate to rand 0.10.
    { name = "rand", version = "=0.9.4" },
    # WHY: password-hash pins rand_core 0.6; the rand 0.9 chain uses rand_core 0.9.
    # Canonical: rand_core 0.10 (rand 0.10). Blocked on rand ecosystem upgrade.
    { name = "rand_core", version = "=0.6.4" },
    { name = "rand_core", version = "=0.9.5" },
    # WHY: procfs (prometheus metrics client) pins rustix 0.38.
    # Blocked until prometheus/procfs upgrades to rustix 1.x.
    # (An earlier cross-reference to a "windows-sys 0.59 skip above" was stale:
    # no such entry exists in this list.)
    { name = "rustix", version = "=0.38.44" },
    # WHY: toml 0.8 (figment dependency) uses serde_spanned 0.6; toml 1.x uses 1.x.
    # (There are no toml / toml_datetime skip entries in this list; if those
    # crates also show up duplicated, add them here with this same rationale.)
    { name = "serde_spanned", version = "=0.6.9" },
    # WHY: various transitive deps have not yet migrated to thiserror v2.
    # Blocked until upstream crates release versions using thiserror 2.x.
    { name = "thiserror", version = "=1.0.69" },
    { name = "thiserror-impl", version = "=1.0.69" },
]
# Where crates may be fetched from. With both keys set to "deny", a dependency
# resolved from a registry outside cargo-deny's default registry allow-list
# (crates.io) or from a git URL fails the check. No `allow-git` / `allow-org`
# entries are declared here, so git dependencies are effectively forbidden
# outright — add an explicit allow entry rather than relaxing these to "warn".
[sources]
unknown-registry = "deny"
unknown-git = "deny"