# deny.toml — cargo-deny configuration for okami
#
# Schema reference: https://embarkstudios.github.io/cargo-deny/
# Verified against cargo-deny v0.19 schema.
#
# Sections:
# [advisories] — RustSec advisory DB: vulnerabilities, unsound code, unmaintained crates.
# [licenses] — SPDX license allowlist for the full transitive dependency tree.
# [bans] — Duplicate-version detection and wildcard-version policy.
# [sources] — Restrict package sources to crates.io; deny unknown registries and git sources.
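# ---------------------------------------------------------------------------
# [advisories]
# Checks the RustSec Advisory Database for known vulnerabilities, unsound
# code, and unmaintained crates. Vulnerabilities always produce errors in
# cargo-deny v0.18+ and cannot be downgraded (use ignore for targeted
# exceptions with documented justification only).
# ---------------------------------------------------------------------------
[advisories]
# Use the default RustSec advisory DB (https://github.com/rustsec/advisory-db).
# db-urls defaults to this; no override needed.
# unmaintained = "all": any crate with an unmaintained advisory errors,
# whether direct or transitive. Direct deps that are knowingly unmaintained
# but safe are listed in the ignore block below with rationale.
unmaintained = "all"
# unsound = "all": any crate with an unsoundness advisory errors.
# NOTE(review): confirm the pinned cargo-deny actually accepts "all" for this
# key. Older schemas took a lint level (deny/warn/allow) for `unsound`, and
# under the v2 advisory semantics unsound advisories are errors by default,
# so if the key is rejected it can simply be dropped without weakening the check.
unsound = "all"
# Yanked versions are left at cargo-deny's default handling (warn, per the
# docs — confirm). A yanked release is one the publisher withdrew, sometimes
# for a security reason; consider `yanked = "deny"` for CI builds.
# Targeted exceptions — each entry MUST have a documented reason.
# An ignore is a standing risk acceptance, not a one-off fix: an unmaintained
# crate will receive no upstream patches, so re-review every entry whenever
# the advisory DB is refreshed and delete it once the migration lands.
ignore = [
    # RUSTSEC-2025-0141: bincode 1.x — the bincode maintainer team disbanded
    # due to a harassment incident and declared v1.3.3 a "complete, final"
    # release. No security vulnerability is currently known; the crate is
    # feature-frozen, not broken. Okami uses bincode only for internal
    # serialization with allocation bounds (PR #4 added a deserialization cap).
    # Upgrading to an alternative (postcard, bitcode) is tracked as a separate
    # maintenance item. Safe to suppress here.
    { id = "RUSTSEC-2025-0141", reason = "bincode 1.3.3 is feature-frozen but not broken; okami applies allocation caps (PR #4). Migration to a maintained alternative is a separate task." },
]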
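# ---------------------------------------------------------------------------
# [licenses]
# Every crate in the transitive dependency tree must have a license that
# satisfies at least one SPDX identifier in the allow list. The list below
# was derived by running `cargo deny check licenses` against the actual
# Cargo.lock and adding every identifier that appeared in an OR expression
# where at least one alternative is OSI-approved and permissive.
#
# Allow-list semantics: a crate passes when its SPDX expression can be
# satisfied using only identifiers below. A crate whose license cannot be
# detected at all fails; fix that with a `[[licenses.clarify]]` entry for the
# crate rather than by widening this list. One-off, crate-specific grants
# belong in `licenses.exceptions`, not here.
#
# Notably absent:
# LGPL-2.1-or-later — appears only in `r-efi` as a third OR option
# alongside MIT and Apache-2.0; cargo-deny evaluates the OR expression and
# accepts it because MIT/Apache-2.0 satisfy it. No LGPL crate is being linked.
# GPL-* — not present anywhere in the dep tree.
# ---------------------------------------------------------------------------
[licenses]
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception", # rustc/LLVM-derived crates (e.g. wasi)
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
    "Unicode-3.0", # unicode-ident — "(MIT OR Apache-2.0) AND Unicode-3.0"
    "CC0-1.0", # public-domain dedication; permissive but not OSI-approved — flag if policy is strictly OSI-only
    "Zlib",
    "MPL-2.0", # file-level copyleft: only modified MPL files must be released; fine for unmodified deps
    "0BSD",
    "BSL-1.0",
    "Unlicense", # memchr — "Unlicense OR MIT"; both are in the allowlist
]
# Require 93% license-text confidence to avoid misidentification.
# Stricter than the 0.8 default; appropriate for a security-focused crate.
# A crate that drops below this threshold fails rather than being guessed;
# resolve it with a `[[licenses.clarify]]` entry pointing at its license file.
confidence-threshold = 0.93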
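# ---------------------------------------------------------------------------
# [bans]
# Warns on duplicate transitive versions (noise signal for future dep
# consolidation), and hard-denies wildcard version constraints.
#
# Duplicate versions in this project come from the PQC dep tree (lupine uses
# newer digest/sha2/sha3 than the stable ecosystem), which is unavoidable
# without upstream version alignment. `multiple-versions = "warn"` flags
# them without blocking PRs.
#
# Security note: a duplicate means two copies of a crate (here, hashing
# primitives) are compiled into the binary. The [advisories] check runs
# against every resolved version in Cargo.lock, so a vulnerability in the
# older copy is still reported; the warning here is about footprint and
# consolidation, not about hiding advisories.
# ---------------------------------------------------------------------------
[bans]
# Warn on duplicate crate versions in the dep tree — doesn't block PRs but
# surfaces consolidation opportunities.
multiple-versions = "warn"
# Deny `version = "*"` in any Cargo.toml in the workspace. A wildcard lets
# `cargo update` pull any future release, including a compromised one.
wildcards = "deny"
# No crates are unconditionally banned yet. Use `{ crate = "name", reason = "..." }`
# entries here to block a crate before (or independently of) a RustSec advisory.
deny = []
# No skip entries — the duplicate-version warnings from lupine's PQC dep
# tree are transient (expected to resolve as the ecosystem converges on
# newer digest/sha2/sha3 versions). No skip needed as these are warnings,
# not errors.
skip = []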
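# ---------------------------------------------------------------------------
# [sources]
# Restrict package origin to crates.io. Any crate pulled from an unknown
# registry or an unlisted git source fails the check.
#
# This constrains *where* packages come from, not *what* they contain:
# content integrity comes from the checksums in the committed Cargo.lock.
# Run the check in CI against that lockfile (and with cargo-deny's
# `--locked` flag if the pinned version supports it) so a stray
# `cargo update` cannot silently change the audited graph.
# ---------------------------------------------------------------------------
[sources]
unknown-registry = "deny"
unknown-git = "deny"
# Only crates.io is an allowed registry.
# NOTE(review): if Cargo is configured to use the sparse protocol for
# crates.io, confirm the pinned cargo-deny still matches those packages to
# this entry rather than treating them as an unknown registry.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No git sources — all dependencies are published crates. Adding a git
# source here bypasses crates.io's publish controls; require a pinned
# commit (`rev = ...`) in Cargo.toml for any future entry.
allow-git = []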