pezkuwichain/pezkuwi-sdk
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Files
b4b60ca49d9d81fec3aa533d999f54579c56c139
pezkuwi-sdk/deny.toml
T
pezkuwichain b4b60ca49d fix(security): upgrade deps and enforce security audit workflow 
- Upgrade bytes 1.11.0 → 1.11.1 (RUSTSEC-2026-0007 integer overflow)
- Upgrade time 0.3.46 → 0.3.47 (RUSTSEC-2026-0009 DoS stack exhaustion)
- Upgrade git2 0.20.3 → 0.20.4 (RUSTSEC-2026-0008 undefined behavior)
- Upgrade keccak 0.1.5 → 0.1.6 (RUSTSEC-2026-0012 unsoundness)
- Add ignore rules in deny.toml for unfixable upstream advisories
  (wasmtime 37.x, rsa, tracing-subscriber 0.2.x, lru)
- Remove continue-on-error from security-audit workflow — audit is now
  enforced and will block CI on new unignored vulnerabilities
2026-03-05 03:00:59 +03:00

89 lines
2.6 KiB
TOML
Raw Blame History

# cargo-deny v2 configuration for Pezkuwi SDK
# https://embarkstudios.github.io/cargo-deny/
[graph]
targets = [
{ triple = "wasm32-unknown-unknown" },
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "x86_64-unknown-linux-musl" },
]
# Exclude no_std test runtime crates that cause krates crate to panic
# with "unable to locate std" when resolving the dependency graph.
exclude = ["bizinikiwi-test-runtime-transaction-pool"]
# Advisory database - check for known vulnerabilities
# In v2: all vulnerability/unsound/notice advisories automatically emit errors.
# Use `ignore` to suppress specific advisories.
[advisories]
yanked = "warn"
unmaintained = "workspace"
ignore = [
# wasmtime 37.0.3: no patch release for 37.x branch. Upgrade to 41+ requires
# major API changes in pezsc-executor-wasmtime. Tracked for future major upgrade.
"RUSTSEC-2026-0006", # wasmtime segfault with f64.copysign on x86-64
"RUSTSEC-2026-0020", # wasmtime guest-controlled resource exhaustion
"RUSTSEC-2026-0021", # wasmtime panic in wasi:http/types.fields
# rsa 0.9.10: no upstream fix available. Pulled transitively by sqlx-mysql
# (used in pezpallet-revive-eth-rpc). Not used for cryptographic signing in our chain.
"RUSTSEC-2023-0071", # rsa Marvin Attack timing sidechannel
# tracing-subscriber 0.2.25: pulled by ark-relations 0.5.1 (latest).
# Upstream arkworks hasn't updated to tracing-subscriber 0.3.x yet.
"RUSTSEC-2025-0055", # tracing-subscriber ANSI log poisoning
# lru 0.12.5: IterMut Stacked Borrows violation. Pulled by smoldot-light.
# 0.12.5 is latest version, no patch available yet.
"RUSTSEC-2026-0002", # lru IterMut internal pointer invalidation
]
# License compliance
# In v2: all licenses are denied unless explicitly allowed.
# Removed v1 fields: unlicensed, deny, copyleft, allow-osi-fsf-free, default
[licenses]
confidence-threshold = 0.8
allow = [
"Apache-2.0 WITH LLVM-exception",
"Apache-2.0",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0",
"CC0-1.0",
"GPL-3.0-only WITH Classpath-exception-2.0",
"GPL-3.0-only",
"GPL-3.0-or-later WITH Classpath-exception-2.0",
"GPL-3.0-or-later",
"ISC",
"MIT",
"MIT-0",
"MPL-2.0",
"OpenSSL",
"Unicode-3.0",
"Unicode-DFS-2016",
"Unlicense",
"Zlib",
]
exceptions = [
# ring uses a custom ISC-style license
{ allow = ["OpenSSL"], name = "ring" },
]
[licenses.private]
ignore = true
# Banned crates and duplicate version detection
[bans]
multiple-versions = "warn"
wildcards = "allow"
highlight = "simplest-path"
deny = []
skip = []
skip-tree = []
# Source origin checks
[sources]
unknown-registry = "warn"
unknown-git = "warn"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
Reference in New Issue View Git Blame Copy Permalink