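# cargo-deny configuration for RavenClaws
# See: https://embarkstudios.github.io/cargo-deny/
#
# NOTE(review): the table headers and key names were lost when this listing was
# rendered; they have been reconstructed from the cargo-deny configuration schema.
# Diff against the repository's own deny.toml before relying on this copy.

[graph]
# Only resolve the dependency graph for these targets (we only care about the
# host), so duplicate detection ignores target-specific crates for other platforms.
targets = [
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "aarch64-unknown-linux-gnu" },
    { triple = "x86_64-apple-darwin" },
    { triple = "aarch64-apple-darwin" },
    { triple = "x86_64-unknown-linux-musl" },
]
# The graph is resolved with the default feature set only: crates that are
# pulled in solely by a non-default feature are not part of what gets checked.
all-features = false
no-default-features = false

[output]
feature-depth = 1

[advisories]
# Path to the advisory database (local clone)
db-path = "~/.cargo/advisory-db"
# Advisory database(s) fetched into db-path before checking
db-urls = ["https://github.com/rustsec/advisory-db"]
# Ignored advisories. Every "accepted risk" entry below rests on the assumption
# that plugin code is trusted; if untrusted plugins are ever loaded, these
# entries need to be re-evaluated rather than carried forward.
ignore = [
    # `instant` is unmaintained but pulled in by `notify` (v0.8 scheduler feature).
    # No safe upgrade available; `notify` v7 still depends on `instant`.
    "RUSTSEC-2024-0384",
    # `paste` is unmaintained — transitive dep of wasmtime 28, no alternative.
    "RUSTSEC-2024-0436",
    # wasmtime: host panic with fd_renumber (WASIp1) — not applicable, we don't use WASIp1.
    "RUSTSEC-2025-0046",
    # wasmtime: unsound API access to shared linear memory — accepted risk, plugins are trusted.
    "RUSTSEC-2025-0118",
    # wasmtime: guest-controlled resource exhaustion in WASI — accepted risk, plugins are trusted.
    "RUSTSEC-2026-0020",
    # wasmtime: panic adding excessive fields to wasi:http/types.fields — not applicable, no HTTP fields.
    "RUSTSEC-2026-0021",
    # wasmtime 28 vulnerabilities RUSTSEC-2026-0085 through RUSTSEC-2026-0096 — all
    # accepted risks, plugins are trusted code. RUSTSEC-2026-0090 is not listed, so it
    # is still enforced — confirm that gap is intentional.
    "RUSTSEC-2026-0085",
    "RUSTSEC-2026-0086",
    "RUSTSEC-2026-0087",
    "RUSTSEC-2026-0088",
    "RUSTSEC-2026-0089",
    "RUSTSEC-2026-0091",
    "RUSTSEC-2026-0092",
    "RUSTSEC-2026-0093",
    "RUSTSEC-2026-0094",
    "RUSTSEC-2026-0095",
    "RUSTSEC-2026-0096",
]

[licenses]
# AGPLv3-or-later is our license. Allowed dependency licenses must be compatible with it.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
    "0BSD",
    "CC0-1.0",
    "MPL-2.0",
    "OpenSSL",
    "BSL-1.0",
    "NCSA",
    "Python-2.0",
    "WTFPL",
    "Unlicense",
    "AGPL-3.0-or-later",
    "CDLA-Permissive-2.0",
]
# Confidence threshold for license detection (0.0–1.0)
confidence-threshold = 0.8
# Exceptions for specific crates that use allowed copyleft licenses.
# Each exception should state why it is acceptable.
exceptions = [
    # Our own crate; AGPL-3.0-or-later is the project license.
    { allow = ["AGPL-3.0-or-later"], name = "RavenClaws", version = "*" },
]

[licenses.private]
# Whether to skip license checks for unpublished workspace crates.
# false = unpublished crates are still checked.
ignore = false
registries = []

[bans]
# Prevent multiple versions of the same crate
multiple-versions = "deny"
# Allow wildcard version requirements
wildcards = "allow"
# Highlight duplicate versions
highlight = "all"
# Workspace default features
workspace-default-features = "allow"
external-default-features = "allow"
# Allow wildcard versions on path dependencies within the workspace
# (reconstructed key — confirm against the original file)
allow-wildcard-paths = false
# Specific crates to deny entirely
deny = []
# Skip these crates when checking for duplicates
skip = [
    # winnow has 3 versions: 0.6 (cron), 0.7 (toml_edit), 1.0 (config/toml).
    # All are transitive deps with no unified upgrade path.
    { name = "winnow", version = "0.6" },
    { name = "winnow", version = "0.7" },
]
skip-tree = []

[sources]
# Only allow crates from crates.io (no git/path dependencies in release)
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = [
    # NOTE(review): this is the advisory database, not a crate registry; it looks
    # copied from db-urls above — confirm it is intended before relying on it.
    "https://github.com/rustsec/advisory-db",
    "https://github.com/rust-lang/crates.io-index",
]
allow-git = []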