-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdeny.toml
More file actions
59 lines (54 loc) · 1.76 KB
/
Copy pathdeny.toml
File metadata and controls
59 lines (54 loc) · 1.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# cargo-deny config. Scoped weekly via .github/workflows/security.yml.
# Not run on PR — that was the cargo-audit theater this replaces. Real
# regressions open a GitHub issue.
[graph]
all-features = true
[advisories]
version = 2
yanked = "deny"
ignore = [
# atomic-polyfill — upstream unmaintained, reachable only via
# heapless 0.7 → postcard 1 → beyond-handoff. Beyond-handoff's
# postcard chain has to update before this drops out; no CVE, dev/dep
# tree only.
{ id = "RUSTSEC-2023-0089", reason = "transitive via heapless 0.7 in beyond-handoff; no safe upgrade until postcard updates" },
# rustls-pemfile — upstream retired in favor of rustls-pki-types::pem.
# Pulled in by aws-smithy-http-client; no CVE, no client behavior change
# planned by AWS SDK yet. Revisit when aws-smithy-http-client migrates.
{ id = "RUSTSEC-2025-0134", reason = "transitive via aws-smithy-http-client; upstream retired, no safe upgrade" },
]
[licenses]
version = 2
# Permissive licenses allowed across the workspace + transitive deps.
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-3.0",
"Unicode-DFS-2016",
"Zlib",
"MPL-2.0",
"CC0-1.0",
"0BSD",
"BSL-1.0",
]
confidence-threshold = 0.8
unused-allowed-license = "allow"
# Weak-copyleft / corporate-unfriendly licenses are denied by omission from
# `allow`. Per-crate exceptions (e.g. ring's BoringSSL bits) go in `exceptions`.
exceptions = []
[bans]
multiple-versions = "allow"
wildcards = "allow"
# Populate when concrete bans are decided (e.g. ban openssl<0.10, tokio<1).
deny = []
skip = []
skip-tree = []
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []