1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# cargo-deny configuration
# Run: cargo deny check
# Install: cargo install cargo-deny
[]
= 2
= "~/.cargo/advisory-db"
= ["https://github.com/rustsec/advisory-db"]
= "deny"
= "warn"
= "deny"
= "warn"
# Known unmaintained dependencies we accept (via transitive deps)
= [
# bincode 1.x - via hnsw_rs, mitigated by blake3 checksum verification
"RUSTSEC-2025-0141",
# derivative - via keyring -> secret-service -> zbus chain (optional feature)
"RUSTSEC-2024-0388",
# instant - via keyring -> zbus chain (optional feature)
"RUSTSEC-2024-0384",
# number_prefix - via indicatif (progress bars only)
"RUSTSEC-2025-0119",
# paste - via tokenizers (upstream dependency)
"RUSTSEC-2024-0436",
]
[]
= 2
# Confidence threshold for detecting license
= 0.8
# List of allowed licenses (SPDX identifiers)
= [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0",
"ISC",
"Unlicense",
"Zlib",
"0BSD",
"CC0-1.0",
"MPL-2.0",
"Unicode-3.0",
"Unicode-DFS-2016",
"CDLA-Permissive-2.0",
]
# Copyleft licenses that require careful consideration
# copyleft = "warn"
[]
# Lint level for multiple versions of the same crate
= "warn"
# Lint level for crates with wildcard dependencies
= "warn"
# Allow-list specific crate duplicates we accept
# skip = []
[]
# Only allow crates from crates.io
= "deny"
= "deny"
# Allow specific git sources if needed
# allow-git = []