# Configuration documentation:
# https://embarkstudios.github.io/cargo-deny/index.html
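[advisories]
version = 2
# A yanked crate version is a hard failure, not a warning: upstream pulled it
# for a reason and a lockfile that still references it should not build.
yanked = "deny"
# Every entry below is a deliberate risk acceptance, not a fix. Each one records
# why it is ignored and what has to happen for it to be removed. Re-check the
# whole list whenever datafusion-udf-wasm, wasmtime, rustls, rustls-webpki or
# object_store is bumped, since most of these are pinned by that dependency path.
ignore = [
    # paste crate is no longer maintained, but it is past 1.0.
    # Keep this here until our transient dependencies no longer need it.
    "RUSTSEC-2024-0436",
    # rustls-pemfile is unmaintained but still used as a transitive dependency
    # from object_store. We've removed our direct dependency and migrated to
    # rustls-pki-types. Remove once object_store updates.
    "RUSTSEC-2025-0134",
    # bincode is unmaintained but does not have any known issues;
    # there are multiple replacements at this time but there isn't
    # yet a clear choice.
    "RUSTSEC-2025-0141",
    # rustls-webpki 0.102.8 CRL distribution point matching bug; low impact
    # (requires CA compromise). Stuck on 0.102.x via wasmtime's rustls 0.22.x
    # dep in datafusion-udf-wasm. Upstream also ignores this advisory.
    "RUSTSEC-2026-0049",
    # rustls-webpki 0.102.8 wildcard name-constraint bug; stuck on 0.102.x via
    # wasmtime's rustls 0.22.x dep in datafusion-udf-wasm. Upstream fix pulls in
    # newer DataFusion/wasmtime and is not yet compatible with this repo.
    "RUSTSEC-2026-0099",
    # rustls-webpki 0.102.8 URI name-constraint bug; same transitive 0.102.x path
    # via datafusion-udf-wasm/wasmtime/rustls 0.22.x, with the same current
    # incompatibility on the available upstream fix path.
    #
    # NOTE(review): the two name-constraint entries above are certificate
    # validation bypasses if the 0.102.x path ever validates a TLS peer. Whether
    # that path performs any TLS handshake in this repo is not established here;
    # confirm it before treating these as "stuck but harmless".
    "RUSTSEC-2026-0098",
    # rustls-webpki CRL parsing reachable panic; only 0.103.13+ and 0.104.0-alpha.7+
    # ship the fix. The 0.103.x transitive is patched via the Cargo.toml pin bump,
    # but the 0.102.x transitive is still stuck via datafusion-udf-wasm/wasmtime/
    # rustls 0.22.x with no patched 0.102.x release available. We don't configure
    # CRLs anywhere in this repo, so the panic is unreachable in practice on that
    # remaining 0.102.x path.
    "RUSTSEC-2026-0104",
    # wasmtime 41.0.4 advisories (transitive dep via datafusion-udf-wasm)
    #
    # Wasm UDFs are disabled by default (udfs_enabled = false in iox_query config),
    # so the Wasm component model code path is never entered unless explicitly
    # enabled. The groups below additionally argue that, even with UDFs on, our
    # runtime configuration does not reach the affected code.
    #
    # Both arguments rest on defaults and configuration, not on compile-time
    # guarantees. If the Cranelift / spectre / on-demand-allocator defaults change,
    # or if Wasm UDFs are to be enabled in any production deployment, this whole
    # group must be re-evaluated against a patched wasmtime (see the TODO at the
    # end of this list) before that change ships.
    #
    # Winch compiler backend required (we use Cranelift, the default):
    "RUSTSEC-2026-0086", # GHSA-m9w2-8782-2946: host data leakage with 64-bit tables and Winch
    "RUSTSEC-2026-0089", # GHSA-q49f-xg75-m9xw: host panic on table.fill with Winch
    "RUSTSEC-2026-0094", # GHSA-f984-pcp8-v2p7: improperly masked table.grow return with Winch
    "RUSTSEC-2026-0095", # GHSA-xx5w-cvp6-jv83: Winch sandbox-escaping memory access
    #
    # Non-default runtime config required (we use defaults: spectre on, on-demand allocator):
    "RUSTSEC-2026-0087", # GHSA-qqfj-4vcm-26hv: f64x2.splat segfault (requires signals-based-traps disabled)
    "RUSTSEC-2026-0088", # GHSA-6wgr-89rj-399p: pooling allocator data leakage (requires pooling allocator)
    "RUSTSEC-2026-0096", # GHSA-jhxm-h53p-jm7w: aarch64 sandbox escape (requires spectre mitigations disabled)
    #
    # Component model features we don't use (no flags types, no cross-component string passing):
    "RUSTSEC-2026-0085", # GHSA-m758-wjhj-p3jq: panic lifting flags component value (no flags in our WIT)
    "RUSTSEC-2026-0092", # GHSA-jxhv-7h78-9775: panic on misaligned UTF-16 strings (cross-component only)
    "RUSTSEC-2026-0093", # GHSA-hx6p-xpx3-jvvv: heap OOB read in UTF-16 transcoding (cross-component only)
    #
    # Guest realloc validation (single-component host-guest interaction). Unlike
    # the groups above, this one is NOT ruled out by our runtime configuration:
    # it is accepted solely because UDFs are disabled. An OOB write from guest
    # code is a sandbox break, so it must be resolved before Wasm UDFs are
    # enabled anywhere that runs untrusted UDF code.
    "RUSTSEC-2026-0091", # GHSA-394w-hwhg-8vgm: OOB write from unvalidated guest realloc
    #
    # Panic when allocating a table that is larger than host address space.
    # Same standing as the entry above: accepted only because the UDF/WASM parts
    # are currently unused in production.
    "RUSTSEC-2026-0114",
    # TODO: update wasmtime via datafusion-udf-wasm to a patched version (>=42.0.2)
]
# Fetch the advisory database with the `git` executable rather than the built-in
# client — presumably so the environment's git configuration (proxies,
# credentials) is honoured in CI; confirm if that assumption ever matters.
git-fetch-with-cli = true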
[licenses]
version = 2
# Only warn (don't fail) when an entry in `allow` is no longer used by any
# crate; it is a hint to prune the list, not a policy violation.
unused-allowed-license = "warn"
# Licenses any crate in the graph may carry. Anything not listed here (and not
# covered by `exceptions` below) fails the check.
allow = [
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"bzip2-1.0.6",
"BSL-1.0",
"CC0-1.0",
"CDLA-Permissive-2.0",
"ISC",
"MIT",
"NCSA",
"Unicode-DFS-2016",
"Unicode-3.0",
"Zlib",
]
# Per-crate license allowances that are deliberately NOT added to the global
# `allow` list, so a new crate with the same license still gets reviewed.
exceptions = [
# webpki-roots compiles a fixed set of CA certificates into the binary. That
# means the trust anchors can only change through a dependency bump and a new
# release, and any OS/enterprise root-store policy on the host is bypassed.
# We should probably NOT bundle CA certs but use the OS ones; until that is
# done, this MPL-2.0 exception stays scoped to this one crate.
{ name = "webpki-roots", allow = ["MPL-2.0"] },
# aws sdk-s3 uses aws-lc-sys for rustls. This is the OpenSSL *license*, not the
# OpenSSL library — the `openssl-sys` crate itself is still denied under [bans].
{ name = "aws-lc-sys", allow = ["OpenSSL"] },
]
# ring ships a single LICENSE file covering several licenses that cargo-deny
# cannot reliably infer on its own, so spell the SPDX expression out here.
[[licenses.clarify]]
name = "ring"
expression = "BSD-4-Clause AND ISC AND MIT AND OpenSSL"
license-files = [
# https://github.com/briansmith/ring/blob/95948b3977013aed16db92ae32e6b8384496a740/LICENSE
# The hash pins the exact LICENSE contents this expression was reviewed against.
# A ring bump that changes the file will fail the check — re-review the license
# terms and update both the expression and the hash rather than just the hash.
{ path = "LICENSE", hash = 0xbd0eed23 },
]
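[sources]
# A dependency that comes from a registry or git URL not explicitly allowed in
# this section is a build failure, not a warning (cargo-deny's default for both
# is "warn"). An unexpected source is exactly the supply-chain signal that should
# stop CI rather than scroll past in a log. crates.io remains allowed via
# cargo-deny's default `allow-registry`. If this turns an existing warning into a
# failure, add that source to `allow-git` / `allow-org` here after reviewing it —
# do not downgrade these back to "warn".
unknown-registry = "deny"
unknown-git = "deny"

[sources.allow-org]
# Any repository under the influxdata GitHub org may be used as a git source.
github = ["influxdata"]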
[bans]
# Tolerate several versions of the same crate in the graph. Note this only
# relaxes the duplicate-version check; a vulnerable old version anywhere in the
# lockfile is still reported by the [advisories] check above.
multiple-versions = "allow"
# Crates that must never appear in the dependency graph, at any depth.
deny = [
# We are using rustls as the TLS implementation, so we shouldn't be linking
# in OpenSSL too. Denying the -sys crate catches every wrapper (e.g. the safe
# `openssl` crate, or a native-tls backend) that would pull it in transitively.
#
# If you're hitting this, you might want to take a look at what new
# dependencies you have introduced and check if there's a way to depend on
# rustls instead of OpenSSL (tip: check the crate's feature flags).
{ name = "openssl-sys" },
# We've decided to use the `humantime` crate to parse and generate friendly time formats; use
# that rather than chrono-english.
{ name = "chrono-english" },
# Use stdlib ( https://doc.rust-lang.org/stable/std/io/trait.IsTerminal.html )
{ name = "atty" },
]