| [package] |
| name = "cargo-deny" |
| description = "Cargo plugin to help you manage large dependency graphs" |
| repository = "https://github.com/EmbarkStudios/cargo-deny" |
| version = "0.14.20" |
| authors = [ |
| "Embark <opensource@embark-studios.com>", |
| "Jake Shadle <jake.shadle@embark-studios.com>", |
| ] |
| edition = "2021" |
| license = "MIT OR Apache-2.0" |
| readme = "README.md" |
| documentation = "https://docs.rs/cargo-deny" |
| homepage = "https://github.com/EmbarkStudios/cargo-deny" |
| categories = ["development-tools::cargo-plugins"] |
| keywords = ["cargo", "license", "spdx", "ci", "advisories"] |
| exclude = ["docs/", "examples/", ".github/", "tests"] |
| rust-version = "1.70.0" |
| |
| [badges] |
| maintenance = { status = "actively-developed" } |
| |
| [[bin]] |
| name = "cargo-deny" |
| path = "src/cargo-deny/main.rs" |
| |
| [features] |
| default = ["reqwest/rustls-tls-webpki-roots", "tame-index/default"] |
| # Enables the use of OS native certificate store. |
| native-certs = ["reqwest/rustls-tls-native-roots", "tame-index/native-certs"] |
| |
| #default = ["vendored-openssl", "vendored-libgit2"] |
| # Allows the use of a vendored version openssl when compiling libgit, which allows |
| # us to compile static executables (eg musl) and avoid system dependencies |
| #vendored-openssl = ["cargo?/vendored-openssl", "git2/vendored-openssl"] |
| #vendored-libgit2 = ["cargo?/vendored-libgit2", "git2/vendored-libgit2"] |
| # Allows embedding cargo as a library so that we can run in minimal (eg container) |
| # environments that don't need to have cargo/rust installed on them for cargo-deny |
| # to still function |
| #standalone = ["cargo"] |
| |
| [dependencies] |
| # Output coloring |
| nu-ansi-term = "0.50" |
| # Easy errors |
| anyhow = "1.0" |
| # Used for detecting the license type of a file |
| askalono = { version = "0.4", default-features = false } |
| # Used to track various things during check runs |
| bitvec = { version = "1.0", features = ["alloc"] } |
| # Much nicer paths |
| camino = "1.1" |
| # Allows us to do eg cargo metadata operations without relying on an external cargo |
| #cargo = { version = "0.71", optional = true } |
| # Argument parsing, kept aligned with cargo |
| clap = { version = "4.3", features = ["derive", "env"] } |
| # Used for diagnostic reporting |
| codespan = { version = "0.11", features = ["serialization"] } |
| codespan-reporting = { version = "0.11", features = ["serialization"] } |
| # Brrrrr |
| crossbeam = "0.8" |
| # Logging utilities |
| fern = "0.6" |
| # Glob matching |
| globset = "0.4" |
| # Native executable detection |
| goblin = { version = "0.8", default-features = false, features = [ |
| "elf32", |
| "elf64", |
| "mach32", |
| "mach64", |
| "pe32", |
| "pe64", |
| ] } |
| # We need to figure out HOME/CARGO_HOME in some cases |
| home = "0.5" |
| # Provides graphs on top of cargo_metadata |
| krates = { version = "0.16", features = ["targets"] } |
| # Log macros |
| log = "0.4" |
| # Nicer sync primitives |
| parking_lot = "0.12" |
| # Moar brrrr |
| rayon = "1.4" |
| # HTTP client backing gix, we don't use it directly but need it here for configuration |
| # due to ...reasons |
| reqwest = { version = "0.11", default-features = false } |
| # sha-256 hash calculation, already a dependency via rustls/etc |
| ring = "0.17" |
| # Used for interacting with advisory databases |
| rustsec = { version = "0.29", default-features = false } |
| # Parsing and checking of versions/version requirements |
| semver = "1.0" |
| # Gee what could it be |
| serde = { version = "1.0", features = ["derive"] } |
| serde_json = "1.0" |
| # Avoid some heap allocations when we likely won't need them |
| smallvec = "1.9" |
| # Used for parsing and checking SPDX license expressions |
| spdx = "0.10" |
| # Lazy |
| strum = { version = "0.26", features = ["derive"] } |
| # Index retrieval and querying |
| tame-index = { version = "0.10", default-features = false, features = [ |
| "git", |
| "sparse", |
| ] } |
| # Timestamp emission |
| time = { version = "0.3", default-features = false, features = [ |
| "formatting", |
| "macros", |
| ] } |
| # Deserialization of configuration files and crate manifests |
| toml-span = { version = "0.2", features = ["reporting"] } |
| # Small fast hash crate |
| twox-hash = { version = "1.5", default-features = false } |
| # Url parsing/manipulation |
| url = "2.1" |
| # Directory traversal |
| walkdir = "2.3" |
| |
| # We clone/fetch advisory databases |
| [dependencies.gix] |
| version = "0.61" |
| default-features = false |
| features = [ |
| "blocking-http-transport-reqwest", |
| "blocking-network-client", |
| "interrupt", |
| "reqwest-for-configuration-only", |
| "worktree-mutation", |
| ] |
| |
| # Pin gix-transport to this version, people who don't use --locked will get 0.41.3 |
| # which is either itself broken, or else one the following versions it depends |
| # on has introduced a bug |
| # Removing h2 v0.4.3 |
| # Removing http v1.1.0 |
| # Removing http-body v1.0.0 |
| # Removing http-body-util v0.1.1 |
| # Removing hyper v1.2.0 |
| # Removing hyper-util v0.1.3 |
| # Removing pin-project v1.1.5 |
| # Removing pin-project-internal v1.1.5 |
| # Removing reqwest v0.12.1 |
| # Removing tower v0.4.13 |
| # Removing tower-layer v0.3.2 |
| gix-transport = "<=0.41.2" |
| |
| [dev-dependencies] |
| # Folder copying |
| fs_extra = "1.3" |
| # Snapshot testing |
| insta = { version = "1.21", features = ["json"] } |
| tame-index = { version = "0.10", features = ["local-builder"] } |
| time = { version = "0.3", features = ["serde"] } |
| toml-span = { version = "0.2", features = ["serde"] } |
| # We use this for creating fake crate directories for crawling license files on disk |
| tempfile = "3.1.0" |
| # divan = "0.1" |
| |
| # [[bench]] |
| # name = "license_data" |
| # harness = false |
| |
| [profile.dev.package.insta] |
| opt-level = 3 |
| |
| [profile.dev.package.similar] |
| opt-level = 3 |