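# cargo-deny policy for http-handle.
#
# Tightens the supply-chain audit at PR time. Run locally with:
# cargo deny check
# Or scope to a single category:
# cargo deny check {licenses,advisories,bans,sources}
#
# NOTE(review): the table headers and key names were missing from the
# rendering this copy was restored from. They have been re-filled from
# the cargo-deny configuration schema that the values and the comments
# imply — confirm each one against the repository copy with a
# `cargo deny check` run before trusting the policy.

[graph]
# Skip dev-dependencies for the bans/sources/duplicate checks — they
# pull a long tail (criterion, plotters, proptest, …) that we don't
# ship and don't want governing the policy.
# NOTE(review): this prunes the whole dependency graph, so presumably
# dev-dependencies also drop out of the advisories and licenses checks;
# anything that runs in CI (build scripts, test harnesses) is then
# unaudited — verify that is acceptable.
exclude-dev = true

[licenses]
# Permissive licenses we accept from dependencies, plus the crate's own
# AGPL-3.0-only (the project license, not a downstream dependency).
# The allow list is global: an AGPL-3.0-only *dependency* would pass it
# too. If that matters, move the AGPL entry into a `licenses.exceptions`
# record scoped to this crate instead of the global list.
allow = [
    "AGPL-3.0-only",
    "Apache-2.0",
    "CC0-1.0",
    "ISC",
    "MIT",
    "Unicode-3.0",
    "Zlib",
]
# Minimum confidence (0..1) that a crate's license text matches the SPDX
# expression it declares; lower values accept fuzzier matches.
confidence-threshold = 0.93

[advisories]
# Treat all unmaintained / yanked crates as warnings (don't fail PR
# entirely on transitives we can't pin), but fail on actual security
# advisories. Specific ignores can be added here with rationale.
# NOTE(review): `vulnerability` is the pre-`version = 2` advisories key;
# newer cargo-deny releases deprecate it in favour of the v2 schema —
# TODO confirm which schema the pinned cargo-deny version expects.
vulnerability = "deny"
# Advisory IDs to ignore; each entry should carry a comment explaining
# why the finding does not apply.
ignore = []

[bans]
# Several versions of one crate in the graph is a warning, not a failure.
multiple-versions = "warn"
# Report every dependency path leading to a duplicated crate.
highlight = "all"
# Crates we explicitly forbid (e.g. abandoned or known-bad).
deny = []
# Skip duplicate detection for these crates — useful when several
# transitives wedge us into multiple versions of a low-level dep.
skip = []
# Like `skip`, but also skips the crate's entire transitive subtree.
skip-tree = []

[sources]
# All crates must come from the official registry by default. Add
# allow-git / allow-registry entries here if a vetted git source is
# ever required.
unknown-registry = "deny"
unknown-git = "deny"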