| [graph] |
| # cargo-deny is really only ever intended to run on the "normal" tier-1 targets |
| targets = [ |
| "x86_64-unknown-linux-gnu", |
| "aarch64-unknown-linux-gnu", |
| "x86_64-unknown-linux-musl", |
| "aarch64-apple-darwin", |
| "x86_64-apple-darwin", |
| "x86_64-pc-windows-msvc", |
| ] |
| all-features = true |
| |
| [advisories] |
| version = 2 |
| ignore = [ |
| { id = "RUSTSEC-2022-0092", reason = "askalono always provides valid utf-8 files from a cache, this is not relevant" }, |
| ] |
| |
| [bans] |
| multiple-versions = "deny" |
| wildcards = 'deny' |
| deny = [ |
| { crate = "git2", use-instead = "gix" }, |
| { crate = "openssl", use-instead = "rustls" }, |
| { crate = "openssl-sys", use-instead = "rustls" }, |
| "libssh2-sys", |
| { crate = "cmake", use-instead = "cc" }, |
| { crate = "windows", reason = "bloated and unnecessary", use-instead = "ideally inline bindings, practically, windows-sys" }, |
| ] |
| skip = [ |
| { crate = "bitflags@1.3.2", reason = "https://github.com/seanmonstar/reqwest/pull/2130 should be in the next version" }, |
| { crate = "winnow@0.5.40", reason = "gix 0.59 was yanked, see https://github.com/Byron/gitoxide/issues/1309" }, |
| { crate = "heck@0.4.1", reason = "strum_macros uses this old version" }, |
| ] |
| skip-tree = [ |
| { crate = "windows-sys@0.48.0", reason = "a foundational crate for many that bumps far too frequently to ever have a shared version" }, |
| ] |
| |
| [sources] |
| unknown-registry = "deny" |
| unknown-git = "deny" |
| |
| [licenses] |
| version = 2 |
| # We want really high confidence when inferring licenses from text |
| confidence-threshold = 0.93 |
| allow = [ |
| "Apache-2.0", |
| "Apache-2.0 WITH LLVM-exception", |
| "MIT", |
| "MPL-2.0", |
| "BSD-3-Clause", |
| "ISC", |
| ] |
| exceptions = [ |
| # Use exceptions for these as they only have a single user |
| { allow = ["Zlib"], crate = "tinyvec" }, |
| { allow = ["Unicode-DFS-2016"], crate = "unicode-ident" }, |
| { allow = ["OpenSSL"], crate = "ring" }, |
| ] |
| |
| # Sigh |
| [[licenses.clarify]] |
| crate = "ring" |
| # SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses |
| # https://spdx.org/licenses/OpenSSL.html |
| # ISC - Both BoringSSL and ring use this for their new files |
| # MIT - "Files in third_party/ have their own licenses, as described therein. The MIT |
| # license, for third_party/fiat, which, unlike other third_party directories, is |
| # compiled into non-test libraries, is included below." |
| # OpenSSL - Obviously |
| expression = "ISC AND MIT AND OpenSSL" |
| license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }] |
| |
| [[licenses.clarify]] |
| crate = "webpki" |
| expression = "ISC" |
| license-files = [{ path = "LICENSE", hash = 0x001c7e6c }] |
| |
| # Actually "ISC-style" |
| [[licenses.clarify]] |
| crate = "rustls-webpki" |
| expression = "ISC" |
| license-files = [{ path = "LICENSE", hash = 0x001c7e6c }] |