93 lines
2.8 KiB
TOML
93 lines
2.8 KiB
TOML
# cargo-deny v2 configuration for Pezkuwi SDK
|
|
# https://embarkstudios.github.io/cargo-deny/
|
|
|
|
[graph]
|
|
targets = [
|
|
{ triple = "wasm32-unknown-unknown" },
|
|
{ triple = "x86_64-unknown-linux-gnu" },
|
|
{ triple = "x86_64-unknown-linux-musl" },
|
|
]
|
|
# Exclude no_std test runtime crates that cause krates crate to panic
|
|
# with "unable to locate std" when resolving the dependency graph.
|
|
exclude = ["bizinikiwi-test-runtime-transaction-pool"]
|
|
|
|
# Advisory database - check for known vulnerabilities
|
|
# In v2: all vulnerability/unsound/notice advisories automatically emit errors.
|
|
# Use `ignore` to suppress specific advisories.
|
|
[advisories]
|
|
yanked = "warn"
|
|
# All unmaintained crates are transitive upstream dependencies we cannot replace.
|
|
# Track via quarterly review instead of blocking CI.
|
|
unmaintained = "none"
|
|
ignore = [
|
|
# wasmtime 37.0.3: no patch release for 37.x branch. Upgrade to 41+ requires
|
|
# major API changes in pezsc-executor-wasmtime. Tracked for future major upgrade.
|
|
"RUSTSEC-2026-0006", # wasmtime segfault with f64.copysign on x86-64
|
|
"RUSTSEC-2026-0020", # wasmtime guest-controlled resource exhaustion
|
|
"RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields
|
|
|
|
# rsa 0.9.10: no upstream fix available. Pulled transitively by sqlx-mysql
|
|
# (used in pezpallet-revive-eth-rpc). Not used for cryptographic signing in our chain.
|
|
"RUSTSEC-2023-0071", # rsa Marvin Attack timing sidechannel
|
|
|
|
# tracing-subscriber 0.2.25: pulled by ark-relations 0.5.1 (latest).
|
|
# Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
|
|
"RUSTSEC-2025-0055", # tracing-subscriber ANSI log poisoning
|
|
|
|
# lru 0.12.5: IterMut Stacked Borrows violation. Pulled by smoldot-light.
|
|
# 0.12.5 is latest version, no patch available yet.
|
|
"RUSTSEC-2026-0002", # lru IterMut internal pointer invalidation
|
|
]
|
|
|
|
# License compliance
|
|
# In v2: all licenses are denied unless explicitly allowed.
|
|
# Removed v1 fields: unlicensed, deny, copyleft, allow-osi-fsf-free, default
|
|
[licenses]
|
|
confidence-threshold = 0.8
|
|
allow = [
|
|
"Apache-2.0 WITH LLVM-exception",
|
|
"Apache-2.0",
|
|
"BSD-2-Clause",
|
|
"BSD-3-Clause",
|
|
"BSL-1.0",
|
|
"CC0-1.0",
|
|
"CDLA-Permissive-2.0",
|
|
"GPL-3.0-only WITH Classpath-exception-2.0",
|
|
"GPL-3.0-only",
|
|
"GPL-3.0-or-later WITH Classpath-exception-2.0",
|
|
"GPL-3.0-or-later",
|
|
"ISC",
|
|
"MIT",
|
|
"MIT-0",
|
|
"MPL-2.0",
|
|
"NCSA",
|
|
"OpenSSL",
|
|
"Unicode-3.0",
|
|
"Unicode-DFS-2016",
|
|
"Unlicense",
|
|
"Zlib",
|
|
]
|
|
exceptions = [
|
|
# ring uses a custom ISC-style license
|
|
{ allow = ["OpenSSL"], name = "ring" },
|
|
]
|
|
|
|
[licenses.private]
|
|
ignore = true
|
|
|
|
# Banned crates and duplicate version detection
|
|
[bans]
|
|
multiple-versions = "warn"
|
|
wildcards = "allow"
|
|
highlight = "simplest-path"
|
|
deny = []
|
|
skip = []
|
|
skip-tree = []
|
|
|
|
# Source origin checks
|
|
[sources]
|
|
unknown-registry = "warn"
|
|
unknown-git = "warn"
|
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
|
allow-git = []
|