1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# cargo-deny configuration.
#
# Docs: https://embarkstudios.github.io/cargo-deny/
# Run locally: `just security` or `cargo deny check`
#
# Editing rules of thumb:
# * If a security advisory is unavoidable (e.g. transitive dep with no
# fix yet), add it to `[advisories].ignore` *with a comment* linking
# to the upstream issue and an estimated unblock date.
# * If a new dep brings in a license not on the allow list below, prefer
# replacing the dep over adding the license. License-graph drift is
# hard to undo.
# * `[bans].deny` is the place to record "we tried this crate and it was
# bad" - keeps the lesson with the codebase.
[]
= true
# ─────────────────────────────────────────────────────────────────────────
# Advisories - RustSec database checks. Overlaps with `cargo audit`; we
# keep both because they fail differently (audit is fast and focused;
# deny is policy-driven and can also catch yanked crates and unmaintained
# advisories).
# ─────────────────────────────────────────────────────────────────────────
[]
= ["https://github.com/rustsec/advisory-db"]
= "deny"
# Advisories we currently accept because the fix lives in an upstream crate we
# don't control. Re-evaluate when bumping the listed parent dep. Keep one entry
# per ID with a `reason` pointing at the blocker.
= [
# quick-xml: unbounded namespace-declaration allocation (DoS) and quadratic
# run time on duplicate attribute names. Pulled in via self_update ->
# ureq -> ureq-proto. No compatible fix in current dep tree.
{ = "RUSTSEC-2026-0194", = "quick-xml 0.38.4 via self_update -> ureq; no compatible fix in current dep tree" },
{ = "RUSTSEC-2026-0195", = "quick-xml 0.38.4 via self_update -> ureq; no compatible fix in current dep tree" },
]
# ─────────────────────────────────────────────────────────────────────────
# Licenses - allowlist model. This list is intentionally conservative for
# proprietary internal use: copyleft (GPL/AGPL/LGPL) is excluded so it
# can't sneak in transitively.
#
# When a new permissive license shows up in a dep, evaluate it explicitly
# rather than auto-allowing - the SPDX list is large.
# ─────────────────────────────────────────────────────────────────────────
[]
= 0.9
= [
"0BSD",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0",
"CC0-1.0",
# Linux Foundation's permissive data-licence. Permissive, not
# copyleft, no patent grant, no copyleft-style propagation -
# obligations equivalent to MIT/BSD-3. Currently used by
# `webpki-roots`, which embeds the Mozilla CA bundle (a dataset)
# and reaches us transitively via `hyper-rustls` from both
# `gcp-bigquery-client` and `firestore`.
"CDLA-Permissive-2.0",
"ISC",
"MIT",
"MPL-2.0",
"Unicode-3.0",
"Zlib",
]
= []
# These transitive crates declare only `license-file` (no SPDX `license`
# expression) in their manifest. License detection from the bundled LICENSE
# text already succeeds, but we pin the expression via `clarify` so resolution
# is deterministic instead of depending on askalono's confidence score. The
# `hash` is a crc32 of the LICENSE file; if upstream changes it, the
# clarification stops applying and we re-verify.
#
# Note: cargo-deny still emits an informational `no-license-field` *warning*
# for these crates (it flags the missing manifest field regardless of how the
# license is resolved). There is no config switch to silence it short of the
# upstream crates adding a `license` field.
[[]]
= "cfg_block"
= "Apache-2.0"
= [{ = "LICENSE", = 0x0fb72a18 }]
[[]]
= "sigstore-protobuf-specs-derive"
= "Apache-2.0"
= [{ = "LICENSE", = 0x86e2b4b4 }]
# Don't require this crate (or any other `publish = false` workspace
# member) to declare a license - internal apps aren't published.
[]
= true
# ─────────────────────────────────────────────────────────────────────────
# Bans - duplicate versions, wildcards, blocklist.
#
# `multiple-versions = "warn"` because pinning the entire ecosystem to a
# single version of every transitive dep is a fight you can't win. Bump
# to "deny" only after consolidating duplicates.
# ─────────────────────────────────────────────────────────────────────────
[]
= "warn"
= "deny"
= []
= []
= []
# ─────────────────────────────────────────────────────────────────────────
# Sources - only crates.io is allowed. Pulls from arbitrary git repos
# are denied; if you need one, list its URL under `allow-git` *with a
# comment* explaining why.
# ─────────────────────────────────────────────────────────────────────────
[]
= "deny"
= "deny"
= ["https://github.com/rust-lang/crates.io-index"]
= []