2024-08-02 17:33:41 +02:00
|
|
|
[output]
|
|
|
|
# When outputting inclusion graphs in diagnostics that include features, this
|
|
|
|
# option can be used to specify the depth at which feature edges will be added.
|
|
|
|
# This option is included since the graphs can be quite large and the addition
|
|
|
|
# of features from the crate(s) to all of the graph roots can be far too verbose.
|
|
|
|
# This option can be overridden via `--feature-depth` on the cmd line
|
|
|
|
feature-depth = 1
|
|
|
|
|
|
|
|
[advisories]
|
|
|
|
# Opt-in to new config format - https://github.com/EmbarkStudios/cargo-deny/pull/611
|
|
|
|
version = 2
|
|
|
|
|
|
|
|
# The path where the advisory databases are cloned/fetched into
|
|
|
|
db-path = "$CARGO_HOME/advisory-dbs"
|
|
|
|
# The url(s) of the advisory databases to use
|
|
|
|
db-urls = ["https://github.com/rustsec/advisory-db"]
|
|
|
|
# A list of advisory IDs to ignore. Note that ignored advisories will still
|
|
|
|
# output a note when they are encountered.
|
|
|
|
ignore = []
|
|
|
|
|
|
|
|
[licenses]
|
|
|
|
# Opt-in to new config format - https://github.com/EmbarkStudios/cargo-deny/pull/611
|
|
|
|
version = 2
|
|
|
|
|
|
|
|
# Licenses we accept, identified by their SPDX short identifier (+ optional
|
|
|
|
# exception) from https://spdx.org/licenses/
|
|
|
|
allow = [
|
|
|
|
"Apache-2.0",
|
|
|
|
"BSD-2-Clause",
|
|
|
|
"BSD-2-Clause-Patent",
|
|
|
|
"BSD-3-Clause",
|
|
|
|
"MIT",
|
|
|
|
"MPL-2.0",
|
|
|
|
]
|
|
|
|
unused-allowed-license = "allow"
|
|
|
|
exceptions = [
|
|
|
|
{ allow = ["Unicode-DFS-2016"], crate = "unicode-ident" },
|
|
|
|
]
|
|
|
|
# Default confidence is 0.8, let's require a higher confidence level for now.
|
|
|
|
# We can lower this later if it's too pedantic.
|
|
|
|
confidence-threshold = 0.95
|
|
|
|
|
|
|
|
[bans]
|
|
|
|
# Lint level for when multiple versions of the same crate are detected. Deny
|
|
|
|
# for now to make this super obvious, though we might wish to change this back
|
|
|
|
# to the default of warn if that gets too disruptive.
|
|
|
|
#
|
|
|
|
# Background reading about the use of this check is at:
|
|
|
|
# https://embarkstudios.github.io/cargo-deny/checks/bans/index.html#use-case---duplicate-version-detection
|
|
|
|
multiple-versions = "deny"
|
|
|
|
skip = [
|
|
|
|
# When encountering multiple versions of crates that we wish to tolerate,
|
|
|
|
# specify a `<=1.2.3` for the OLDEST version in use. That way, as soon as
|
|
|
|
# whichever dependency holding us back is updated, one of two things can
|
|
|
|
# happen:
|
|
|
|
#
|
|
|
|
# 1. The dependency is updated to a version that is compatible with the
|
|
|
|
# other dependencies, resolving the duplication. At this point a WARNING
|
|
|
|
# will be generated that the `<=1.2.3` version no longer matches anything.
|
|
|
|
# 2. The dependency is updated to a version that is still not compatible
|
|
|
|
# with the other dependencies, at which point the ban action will FAIL the
|
|
|
|
# result. We can then choose to again skip that version, or decide more
|
|
|
|
# drastic action is needed.
|
|
|
|
"syn:<=1.0.109",
|
2023-12-28 23:27:02 -06:00
|
|
|
# filetime depends on redox_syscall which depends on bitflags 1.x, whereas
|
|
|
|
# other dependencies in our tree depends on bitflags 2.x. This should solve
|
|
|
|
# itself when a new release is made for filetime, as redox_syscall is
|
|
|
|
# deprecated and already replaced by libredox anyway
|
|
|
|
# (https://github.com/alexcrichton/filetime/pull/103)
|
|
|
|
"bitflags:<=1.3.2",
|
2024-08-02 17:33:41 +02:00
|
|
|
]
|
|
|
|
wildcards = "deny"
|
|
|
|
allow-wildcard-paths = false
|
|
|
|
|
|
|
|
[sources]
|
|
|
|
unknown-registry = "deny"
|
|
|
|
unknown-git = "deny"
|
|
|
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
|
|
|
allow-git = []
|