# Read by `cargo deny check advisories`.
# Field reference:
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
version = 2
# Yanked crate versions are reported at warning level rather than as errors.
yanked = "warn"
# Advisory IDs the check will not report. An entry stays in force until it is
# deleted from this list, so each one needs a stated reason and a removal
# condition.
ignore = [
    # Unmaintained-crate notices.
    # derivative (used by boojum)
    "RUSTSEC-2024-0388",
    # paste!
    "RUSTSEC-2024-0436",
    # number_prefix
    "RUSTSEC-2025-0119",
    # rustls-pemfile
    "RUSTSEC-2025-0134",

    # NOTE(review): the entries below are different in kind. Their TODOs say a
    # patched release exists, and they cover aws-lc-sys (pulled in through
    # rustls), rustls-webpki and tar (symlink check bypass, header size check).
    # Prefer bumping over ignoring; until the bump lands, reference a tracking
    # issue next to each group so the suppression is not left behind.

    # aws-lc-sys 0.37.1 — multiple advisories, transitive dep via rustls
    # TODO: bump aws-lc-sys to patched version
    "RUSTSEC-2026-0044",
    "RUSTSEC-2026-0045",
    "RUSTSEC-2026-0046",
    "RUSTSEC-2026-0047",
    "RUSTSEC-2026-0048",

    # rustls-webpki 0.103.9
    # TODO: bump rustls-webpki to patched version
    "RUSTSEC-2026-0049",

    # tar 0.4.44 — symlink check bypass + header size check
    # TODO: bump tar to patched version
    "RUSTSEC-2026-0067",
    "RUSTSEC-2026-0068",
]
# Read by `cargo deny check bans`.
# Field reference:
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
# Lint level when more than one version of the same crate is in the graph.
multiple-versions = "allow"
# Lint level when a crate's version requirement is `*`.
# NOTE(review): with "allow" a wildcard requirement is never reported, so the
# resolved version is constrained only by Cargo.lock. Consider "deny" if no
# manifest in the workspace relies on `*`.
wildcards = "allow"
highlight = "all"
# Crates/versions left out of duplicate detection.
skip = []
# Like `skip`, but the exemption also covers the whole transitive dependency
# tree below the named crate, up to a depth that is infinite by default.
skip-tree = []
# Crates that must not appear in the dependency graph.
deny = [
    # Only rustls is used for TLS in this project.
    # NOTE(review): this entry matches the `openssl` crate by name; a crate
    # that links `openssl-sys` directly would not be caught by it. Confirm
    # whether that is intended.
    "openssl",
]
[licenses]
version = 2
# Minimum confidence for accepting a license detected from license text.
confidence-threshold = 0.8
# Licenses accepted for every crate in the graph.
# See https://spdx.org/licenses/ for the list of identifiers
# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
allow = [
    "0BSD",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDDL-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    "MPL-2.0",
    "OpenSSL",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Unlicense",
    "WTFPL",
    "Zlib",
]
# Extra licenses accepted for the named crate only, so that a license does not
# have to be accepted for every crate through `allow`.
#
# NOTE(review): CC0-1.0 and CDLA-Permissive-2.0 are also present in the global
# `allow` list above, so the per-crate entries for them below add nothing and
# any crate may currently use either license. If the preference stated below
# (no CC0 dependencies beyond the named ones) still holds, remove both
# identifiers from `allow` and keep only these exceptions.
exceptions = [
    # CC0 is a permissive license, but its status for source code is somewhat
    # unclear, so we prefer not to have dependencies using it.
    # https://tldrlegal.com/license/creative-commons-cc0-1.0-universal
    { name = "trezor-client", allow = ["CC0-1.0"] },
    { name = "notify", allow = ["CC0-1.0"] },
    { name = "dunce", allow = ["CC0-1.0"] },
    { name = "aurora-engine-modexp", allow = ["CC0-1.0"] },
    # CDLA-Permissive-2.0 is accepted for the webpki crates.
    { name = "webpki-root-certs", allow = ["CDLA-Permissive-2.0"] },
    { name = "webpki-roots", allow = ["CDLA-Permissive-2.0"] },
    # The rendered mdBook HTML source includes the attribution that CC-BY-4.0
    # requires.
    { name = "font-awesome-as-a-crate", allow = ["CC-BY-4.0", "MIT"] },
]
# copyleft = "deny"
# Manual license expressions for crates whose license needs to be stated
# explicitly. Each `hash` pins the contents of the license file the expression
# was checked against.

# See note in unicode-ident's readme!
[[licenses.clarify]]
name = "unicode-ident"
version = "*"
expression = "(MIT OR Apache-2.0) AND Unicode-DFS-2016"
license-files = [
    { path = "LICENSE-UNICODE", hash = 0x3fb01745 },
]

# NOTE(review): `version = "*"` applies this expression to every ring release;
# confirm it still matches the ring version recorded in Cargo.lock.
[[licenses.clarify]]
name = "ring"
version = "*"
expression = "OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]
# Read by `cargo deny check sources`.
# Field reference:
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
# Lint level for a crate that comes from a registry outside the allow list.
# NOTE(review): this only warns, while an unlisted git source is denied just
# below. Consider "deny" so both source kinds are held to the same rule.
unknown-registry = "warn"
# Lint level for a crate that comes from a git repository outside the allow
# list.
unknown-git = "deny"
# Git repositories accepted as crate sources, matched by URL.
# NOTE(review): a URL match says nothing about which commit is used. Consider
# `required-git-spec = "rev"` so every git dependency has to name a commit;
# confirm first that no manifest depends on a branch or tag.
allow-git = [
    "https://github.com/foundry-rs/foundry",
    "https://github.com/alloy-rs/alloy",
    "https://github.com/alloy-rs/chains",
    "https://github.com/foundry-rs/compilers",
    "https://github.com/foundry-rs/foundry-fork-db",
    "https://github.com/matter-labs/zksync-telemetry",
    "https://github.com/matter-labs/anvil-zksync",
    "https://github.com/Romsters/posthog-rs",
    "https://github.com/paradigmxyz/revm-inspectors",
    "https://github.com/paradigmxyz/solar",
    "https://github.com/bluealloy/revm",
    # Only for tests.
    "https://github.com/rust-cli/rexpect",
    # Tempo
    "https://github.com/tempoxyz/tempo",
    # Transitive dependency of Tempo
    "https://github.com/paradigmxyz/reth",
]

# Every repository owned by these GitHub organisations is accepted as a git
# source, which is broader than the per-URL list above; the two matter-labs
# URLs in `allow-git` are already covered by this entry.
[sources.allow-org]
github = ["matter-labs", "Moonsong-Labs"]