# This file configures `cargo deny` for validating that dependencies are secure # (do not have security advisories), exclusively using licenses that we allow, # and are not in our banned crates list. # # It is worth calling out that `cargo deny` only looks at metadata of packages, # `cargo audit` performs the same security advisory checks but performs deep # scans on the content of the code as well to provide additional detections on # whether a vulnerability is present. The two tools should be used together. [advisories] # If we accept an advisory either because no fix is available and we need to # continue development, or because a vulnerability doesn't effect how we use # the other crate their identifier should be added to this list. It should be # periodically reviewed and cleaned out as fixes become available. ignore = [] [graph] # Collect metadata using all the features available in this repository. We do # not want security vulnerabilities in any of our subset of builds. all-features = true [licenses] # Licenses we always allow without any additional thoughts, this list should # only be updated when we encounter a dependency using a license we want to # include here rather than trying to proactively enumerate all acceptable # licenses. allow = ["Apache-2.0", "BSD-2-Clause", "MIT", "Unicode-DFS-2016", "Zlib"] # If we need to use a crate that violates our general policy, we can add that # to the list here to accept it. exceptions = [] [bans] multiple-versions = "deny" wildcards = "deny" # Certain crates/versions that will be skipped when doing duplicate detection. # They just couldn't be resolved ourselves. skip = [ { name = "regex-automata", version = "=0.1.10" }, { name = "regex-syntax", version = "=0.6.29" }, { name = "tracing-log", version = "=0.1.4" }, { name = "windows-targets", version = "=0.48.5" }, { name = "windows_aarch64_gnullvm", version = "=0.48.5" }, { name = "windows_aarch64_msvc", version = "=0.48.5" }, { name = "windows_i686_gnu", version = "=0.48.5" }, { name = "windows_i686_msvc", version = "=0.48.5" }, { name = "windows_x86_64_gnu", version = "=0.48.5" }, { name = "windows_x86_64_msvc", version = "=0.48.5" }, { name = "windows_x86_64_gnullvm", version = "=0.48.5" }, ] [sources] # We do not allow registries other than the official crates one which is known # by default. unknown-registry = "deny" # Using a git repository as a crate source is denied by default, to use a git # repo as a dependency source they must be reviewed and approved for use by the # lead project maintainer (who will approve the modifications to this file as # required by the CODEOWNERS file). unknown-git = "deny" # Crates that have been approved by the lead maintainer to use a git source allow-git = []