pezkuwichain/pezkuwi-sdk
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Files
main
pezkuwi-sdk/deny.toml
T
pezkuwichain 787efa3cce fix(security): update vulnerable dependencies, clean up deny.toml 
Cargo.lock updates (cargo update):
- tar 0.4.44 -> 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068)
- rustls-webpki 0.103.9 -> 0.103.11 (RUSTSEC-2026-0049)
- tracing-subscriber 0.3.22 -> 0.3.23
- yamux 0.13.8 -> 0.13.10 (RUSTSEC-2024-0428 for 0.13.x branch)

deny.toml: remove fixed advisory ignores, add accurate tracking comments

Remaining known issues (cannot fix without toolchain/vendor upgrade):
- wasmtime 37.x: fix in 42.x requires rustc 1.91 (pinned to 1.88)
- yamux 0.12.1: locked by libp2p-yamux 0.47.0 in zombienet vendor
2026-04-14 00:15:21 +03:00

96 lines
3.1 KiB
TOML
Raw Permalink Blame History

# cargo-deny v2 configuration for Pezkuwi SDK
# https://embarkstudios.github.io/cargo-deny/
[graph]
targets = [
{ triple = "wasm32-unknown-unknown" },
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "x86_64-unknown-linux-musl" },
]
# Exclude no_std test runtime crates that cause krates crate to panic
# with "unable to locate std" when resolving the dependency graph.
exclude = ["bizinikiwi-test-runtime-transaction-pool"]
# Advisory database - check for known vulnerabilities
# In v2: all vulnerability/unsound/notice advisories automatically emit errors.
# Use `ignore` to suppress specific advisories.
[advisories]
yanked = "warn"
# All unmaintained crates are transitive upstream dependencies we cannot replace.
# Track via quarterly review instead of blocking CI.
unmaintained = "none"
ignore = [
# wasmtime 37.0.3: fix requires 42.0.2 but cranelift-assembler-x64 0.129+ needs
# rustc 1.91.0 — our toolchain is pinned to 1.88.0. Unblock by upgrading toolchain.
# Note: we do NOT use Winch backend or Component Model, so sandbox-escape CVEs
# (Winch/aarch64) and string-transcoding CVEs (Component Model) do not apply.
# Remaining real risk: pooling allocator data leakage (RUSTSEC-2026-0006).
"RUSTSEC-2026-0006", # wasmtime segfault with f64.copysign on x86-64
"RUSTSEC-2026-0020", # wasmtime WASI guest-controlled resource exhaustion
"RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields
# rsa 0.9.10: Marvin Attack timing sidechannel. Pulled transitively by
# sqlx-mysql (pezpallet-revive-eth-rpc). Not used for cryptographic signing.
"RUSTSEC-2023-0071", # rsa Marvin Attack
# tracing-subscriber 0.2.25: ANSI log injection. Pulled by ark-relations 0.5.1.
# Our 0.3.x is updated to 0.3.23 (fixed). 0.2.x used only by arkworks internals.
"RUSTSEC-2025-0055", # tracing-subscriber ANSI escape (0.2.x, arkworks transitive)
# yamux 0.12.1: libp2p-yamux 0.47.0 (vendor/pezkuwi-zombienet-sdk) pins to 0.12.x.
# Fix requires 0.13.10. Upgrade path: update libp2p in zombienet vendor.
"RUSTSEC-2024-0428", # yamux remote panic via malformed Data frame (< 0.13.10)
]
# License compliance
# In v2: all licenses are denied unless explicitly allowed.
# Removed v1 fields: unlicensed, deny, copyleft, allow-osi-fsf-free, default
[licenses]
confidence-threshold = 0.8
allow = [
"Apache-2.0 WITH LLVM-exception",
"Apache-2.0",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0",
"CC0-1.0",
"CDLA-Permissive-2.0",
"GPL-3.0-only WITH Classpath-exception-2.0",
"GPL-3.0-only",
"GPL-3.0-or-later WITH Classpath-exception-2.0",
"GPL-3.0-or-later",
"ISC",
"MIT",
"MIT-0",
"MPL-2.0",
"NCSA",
"OpenSSL",
"Unicode-3.0",
"Unicode-DFS-2016",
"Unlicense",
"Zlib",
]
exceptions = [
# ring uses a custom ISC-style license
{ allow = ["OpenSSL"], name = "ring" },
]
[licenses.private]
ignore = true
# Banned crates and duplicate version detection
[bans]
multiple-versions = "warn"
wildcards = "allow"
highlight = "simplest-path"
deny = []
skip = []
skip-tree = []
# Source origin checks
[sources]
unknown-registry = "warn"
unknown-git = "warn"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
Reference in New Issue View Git Blame Copy Permalink