# cargo-deny policy for metrics-lib (v0.9.5+).
# Run locally with: cargo deny --workspace check all
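# NOTE(review): the table and key names on these two lines were lost when the
# page was extracted; `[graph]` / `all-features` is the assumed original.
# Confirm against the repository copy.
# Resolve the dependency graph with every feature enabled so that optional
# dependencies are covered by the checks as well.
[graph]
all-features = true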
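[advisories]
# Newer cargo-deny schema requires explicit `version`; pin to v2.
version = 2
# Warn on yanked crates; let security advisories fail.
yanked = "warn"
# Known transitive unmaintained-crate advisories we accept. Entries match by
# advisory ID only, so any other advisory filed against the same crate is
# still reported.
ignore = [
    # `atty` (unmaintained) reaches us only through the pinned
    # `criterion = "=0.4.0"` dev-dependency (criterion ⇒ clap 3 ⇒
    # atty). The `=0.4.0` pin exists for github-action-benchmark
    # output-layout compatibility — see the comment in Cargo.toml.
    # Migration to criterion 0.5 is queued for the v1.0 release once
    # the benchmark-action JSON shape is reconciled. Remove this entry
    # when the pin is lifted.
    "RUSTSEC-2024-0375",
]
# The `unmaintained` field has been split; let cargo-deny use defaults.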
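[bans]
# Detect accidentally pulling the same crate at more than one version.
# This is a warning only, so duplicates do not fail the check.
multiple-versions = "warn"
# `wildcards` discourages `*` dep specs; we don't use any, so make it
# strict.
wildcards = "deny"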
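[licenses]
version = 2
# Required: every dependency must carry a license we recognise.
# Entries are SPDX identifiers.
allow = [
    "MIT",
    "MIT-0",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "Unicode-DFS-2016",
    "Unicode-3.0",
    "CC0-1.0",
]
# Confidence threshold for license detection on crates with no SPDX
# expression — 0.8 is the cargo-deny default.
confidence-threshold = 0.8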
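[sources]
# Only the crates.io index (hosted under the rust-lang GitHub organisation)
# is an accepted registry. Any other registry or any Git source fails the
# check.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# Deliberately empty: no Git dependencies are allowed. Add a specific
# repository URL here rather than relaxing `unknown-git`.
allow-git = []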