-
-
Notifications
You must be signed in to change notification settings - Fork 30
Expand file tree
/
Copy pathdeny.toml
More file actions
109 lines (105 loc) · 4.81 KB
/
Copy pathdeny.toml
File metadata and controls
109 lines (105 loc) · 4.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# cargo-deny configuration
# https://embarkstudios.github.io/cargo-deny/
[advisories]
# Deny known vulnerable crates
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
# Temporary ignore for unmaintained crates (tracked in #227)
# Review these periodically - tracked in #346
ignore = [
"RUSTSEC-2025-0141", # bincode (via iai-callgrind) - dev-only dependency, low risk
"RUSTSEC-2026-0173", # proc-macro-error2 unmaintained (via iai-callgrind) - dev-only dependency, no safe upgrade
]
[licenses]
# Allow common permissive licenses
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Zlib",
"0BSD",
"CC0-1.0",
"MPL-2.0",
"Unicode-3.0",
"Unicode-DFS-2016",
]
# The confidence threshold for detecting a license from license text
confidence-threshold = 0.8
[bans]
# Lint level for when multiple versions of the same crate are detected
# Changed from "warn" to "deny" to prevent dependency bloat and supply chain risk.
#
# Rationale for "deny" strictness:
# - Reduces binary size by eliminating duplicate dependencies
# - Minimizes supply chain attack surface (fewer crate versions = fewer audit targets)
# - Forces explicit resolution of dependency conflicts
# - Prevents subtle bugs from different versions of the same crate interacting
#
# If this fails, resolve by:
# 1. Updating dependencies: cargo update -p <crate>
# 2. Using [bans.skip] to allowlist specific duplicates (with justification)
# 3. Filing issues with upstream crates to align dependency versions
multiple-versions = "deny"
# Lint level for when a crate is found that doesn't match any allowed/denied crates
wildcards = "allow"
# List of crates to deny
deny = []
# List of crates to skip when checking for duplicates
# Temporary allowlist for known duplicates (tracked in #227)
skip = [
# Known-duplicate allowlist. Each entry is a crate where two
# different major versions coexist because we and a transitive
# dep depend on different majors. Wildcard version matches any
# present versions — survives routine dep bumps without needing
# the exact pin refresh every time. Scan with:
#
# python -c "import re, collections; c = collections.defaultdict(set);
# [c[m.group(1)].add(m.group(2)) for m in re.finditer(
# r'\[\[package\]\]\\nname = \"([^\"]+)\"\\nversion = \"([^\"]+)\"',
# open('Cargo.lock').read())];
# print([k for k,v in c.items() if len(v) > 1])"
#
{ name = "bitflags", version = "*" }, # globwalk uses v1, others v2
{ name = "core-foundation", version = "*" }, # system-configuration v0.7 vs v0.10
{ name = "getrandom", version = "*" }, # dirs v0.2, others v0.3/v0.4
{ name = "hashbrown", version = "*" }, # multi-version fanout
{ name = "itertools", version = "*" }, # v0.11 vs v0.13
{ name = "jni-sys", version = "*" }, # android/JNI multi-major
{ name = "r-efi", version = "*" }, # v5 vs v6 (efi bootloader deps)
{ name = "serde_spanned", version = "*" }, # rust-i18n's 0.6 vs our 1.x
{ name = "thiserror", version = "*" }, # many crates use v1, others v2
{ name = "thiserror-impl", version = "*" },
{ name = "toml", version = "*" }, # rust-i18n's 0.8, our 1.x
{ name = "toml_datetime", version = "*" }, # follows toml
{ name = "tower", version = "*" }, # tower-lsp v0.4, rmcp v0.5
{ name = "wit-bindgen", version = "*" }, # wasm-bindgen fanout
{ name = "winnow", version = "*" }, # toml 0.8 uses v0.7, toml 1.x uses v1.0
# Windows target crates fan out to many concurrent versions as
# transitive deps update at different cadences. Wildcard match
# so the list doesn't need a refresh every time tokio/notify/jni
# move to a new windows-* family.
{ name = "windows-sys", version = "*" },
{ name = "windows-targets", version = "*" },
{ name = "windows_aarch64_gnullvm", version = "*" },
{ name = "windows_aarch64_msvc", version = "*" },
{ name = "windows_i686_gnu", version = "*" },
{ name = "windows_i686_gnullvm", version = "*" },
{ name = "windows_i686_msvc", version = "*" },
{ name = "windows_x86_64_gnu", version = "*" },
{ name = "windows_x86_64_gnullvm", version = "*" },
{ name = "windows_x86_64_msvc", version = "*" },
]
# List of crates to skip when checking for duplicates (tree-wide)
skip-tree = []
[sources]
# Lint level for crates from unknown registries
unknown-registry = "warn"
# Lint level for crates from git repositories
unknown-git = "warn"
# List of allowed registries
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of allowed git sources (for development forks if needed)
allow-git = []