1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
# cargo-deny configuration for feather-reader.
#
# Run locally with: cargo deny check
# Runs in CI (see .github/workflows/ci.yml, job `cargo-deny`).
#
# Four independent gates:
# * advisories — RustSec vuln/unmaintained/yanked check (belt-and-suspenders
# alongside `cargo audit`; deny.toml covers licenses+bans that audit can't).
# * licenses — every crate in the tree must carry an AGPL-3.0-compatible,
# OSI-approved license (this crate ships AGPL-3.0-only).
# * bans — duplicate-version hygiene + an explicit deny list.
# * sources — only crates.io (no unvetted git/registry sources).
[]
# Evaluate all target platforms so a Linux-only advisory on a Windows-only crate
# doesn't silently pass on the dev Mac. all-features keeps the graph honest.
= true
[]
# Uses the default RustSec advisory DB (https://github.com/rustsec/advisory-db).
# `version = 2` is the current schema: unmaintained/yanked default to "warn",
# and any actual vulnerability is an error (build-breaking).
= 2
# --- un-actionable transitive advisory escape hatch ---------------------------
# When a RustSec advisory fires on a *transitive* dep with no fixed release yet
# (or the fix is a semver-major bump we can't take), add its RUSTSEC id here with
# a one-line justification + a link, rather than pinning the whole DB open.
# Keep this list SHORT and revisit on every Dependabot bump. Example:
# ignore = [
# # RUSTSEC-YYYY-NNNN: <crate> — <why un-actionable> — <tracking link>
# ]
= []
[]
# version 2: `allow` is the allowlist; anything not listed is an error. We only
# admit OSI-approved / public-domain-equivalent licenses that are compatible
# with distributing this crate under AGPL-3.0-only. (No copyleft stronger than
# MPL-2.0's file-level copyleft appears in the tree.)
= 2
= [
"AGPL-3.0-only", # this crate
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"MIT",
"MIT-0",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"BSL-1.0", # ryu — permissive, AGPL-compatible
"0BSD",
"CC0-1.0", # public-domain dedication
"Unlicense", # public-domain dedication
"Zlib",
"MPL-2.0", # cssparser, dtoa-short — file-level copyleft, compatible
"Unicode-3.0", # ICU crates
"CDLA-Permissive-2.0", # webpki-roots — permissive data license
]
# `confidence-threshold` 0.9 keeps license-file heuristics strict.
= 0.9
# Per-crate clarifications for crates whose SPDX expression cargo-deny can't
# resolve on its own would go here. None needed for the current tree.
[]
# Duplicate *major* versions are a warning (transitive churn is normal in a
# large async tree); flip to "deny" once the tree stabilizes pre-1.0-release.
= "warn"
# Prefer the highest semver-compatible version when the graph could pick either.
= "deny" # no `foo = "*"` dependencies
= true # path deps (none today) may omit versions
= [
# Add crates we never want pulled in, e.g. an accidental native-tls/openssl
# path (this crate is deliberately rustls-only):
# { name = "openssl-sys" },
]
[]
# Only crates.io. Any git or alternative-registry source is an error — no
# unvetted supply-chain inputs.
= "deny"
= "deny"
= ["https://github.com/rust-lang/crates.io-index"]