deny.toml

[graph]
# Cargo deny will check dependencies via `--all-features`
all-features = true

[advisories]
# cargo-deny v2 schema: vulnerability, unmaintained, unsound, and notice
# advisories all fail the check by default. Yanked crates also fail.
# To bypass a specific advisory, add its RUSTSEC ID to `ignore` with a
# comment explaining why and an owner.
version = 2
yanked = "deny"
ignore = [
  # Runtime-object-store pulls `async-std` through `suppaftp`; no safe upgrade is available yet. Owner: runtime-object-store.
  "RUSTSEC-2025-0052",
  # Runtime serialization pulls `atomic-polyfill` through `postcard`/`heapless`; no safe upgrade is available yet. Owner: runtime.
  "RUSTSEC-2023-0089",
  # Retry utilities and async-openai pull `backoff`; no safe upgrade is available yet. Owner: runtime/llms.
  "RUSTSEC-2025-0012",
  # A transitive local-model dependency still pulls `dotenv`; no safe upgrade is available yet. Owner: llms.
  "RUSTSEC-2021-0141",
  # Local model search dependencies pull `fxhash`; no safe upgrade is available yet. Owner: llms.
  "RUSTSEC-2025-0057",
  # DNS dependencies pull `hickory-proto` 0.25.x through upstream crates pinned below 0.26. Owner: data connectors/runtime.
  "RUSTSEC-2026-0118",
  # DNS dependencies pull `hickory-proto` 0.25.x through upstream crates pinned below 0.26. Owner: data connectors/runtime.
  "RUSTSEC-2026-0119",
  # `instant` is pulled through `backoff`; no safe upgrade is available yet. Owner: runtime/llms.
  "RUSTSEC-2024-0384",
  # Progress-display dependencies pull `number_prefix`; no safe upgrade is available yet. Owner: llms.
  "RUSTSEC-2025-0119",
  # `paste` is widely used by proc-macro/data connector dependencies; no safe upgrade is available yet. Owner: runtime/data connectors.
  "RUSTSEC-2024-0436",
  # Object store signing dependencies pull `rsa`; no safe upgrade is available yet. Owner: data components/runtime.
  "RUSTSEC-2023-0071",
  # Legacy TLS dependencies pull `rustls-pemfile` 1.x; no safe upgrade is available yet. Owner: connector-mssql/runtime.
  "RUSTSEC-2025-0134",
  # Legacy `rustls` 0.21 dependencies pull `rustls-webpki` 0.101.x; newer 0.103.x is updated in Cargo.lock. Owner: AWS/MSSQL integrations.
  "RUSTSEC-2026-0098",
  # Legacy `rustls` 0.21 dependencies pull `rustls-webpki` 0.101.x; newer 0.103.x is updated in Cargo.lock. Owner: AWS/MSSQL integrations.
  "RUSTSEC-2026-0099",
  # Legacy `rustls` 0.21 dependencies pull `rustls-webpki` 0.101.x; newer 0.103.x is updated in Cargo.lock. Owner: AWS/MSSQL integrations.
  "RUSTSEC-2026-0104",
]

[bans]
allow-wildcard-paths = false
multiple-versions    = "allow"

[licenses]

allow = [
  "Apache-2.0 WITH LLVM-exception",
  "Apache-2.0",
  "BSD-2-Clause",
  "BSD-3-Clause",
  "BSL-1.0",
  "BlueOak-1.0.0",
  "CC0-1.0",
  "ISC",
  "MIT",
  "MPL-2.0",
  "Unicode-3.0",
  "CDLA-Permissive-2.0",
  "Zlib",
  "0BSD",
  "bzip2-1.0.6", # https://spdx.org/licenses/bzip2-1.0.6.html
  "NCSA" # University of Illinois/NCSA Open Source License (OSI-approved, FSF Free/Libre)
]
private = { ignore = false }
unused-allowed-license = "deny"

[sources]
unknown-git      = "deny"
unknown-registry = "deny"

# text-embeddings-* have empty license but belongs to the text-embeddings-inference / Apache-2.0 license
[[licenses.clarify]]
name = "text-embeddings-core"
expression = "Apache-2.0"
license-files = []

[[licenses.clarify]]
name = "text-embeddings-backend"
expression = "Apache-2.0"
license-files = []

[[licenses.clarify]]
name = "text-embeddings-backend-core"
expression = "Apache-2.0"
license-files = []

[[licenses.clarify]]
name = "text-embeddings-backend-candle"
expression = "Apache-2.0"
license-files = []

[[licenses.clarify]]
name = "candle-cublaslt"
version = "0.2.2"
expression = "Apache-2.0"
license-files = []

[[licenses.clarify]]
name = "candle-layer-norm"
version = "0.0.1"
expression = "Apache-2.0"
license-files = []

[[licenses.clarify]]
name = "model2vec-rs"
version = "0.1.3"
expression = "MIT"
license-files = []

[[licenses.clarify]]
name = "cfg_block"
version = "0.1.1"
expression = "Apache-2.0"
license-files = []