# SPDX-License-Identifier: Apache-2.0
#
# cargo-deny configuration for the License / SPDX merge gate (specs.md §11.2).
# Only permissive licenses compatible with the project's Apache-2.0 license are
# allowed. Post-pivot there is no vendored proving substrate; the dependency set
# is small (blake2 and its transitive deps).
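[licenses]
# Permissive licenses compatible with Apache-2.0. The first-party crates are
# Apache-2.0; MIT/BSD/Unicode/Zlib cover the transitive dependencies of blake2
# (the only crypto dependency). This list is the source of truth for the gate:
# a dependency under any license not listed here (ISC, for example) fails
# `cargo deny check licenses` until it has been reviewed and added. Keep the
# entries sorted so additions are easy to spot in review.
allow = [
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "MIT",
    "Unicode-3.0",
    "Zlib",
]
# Minimum match score (0.0-1.0) cargo-deny requires when it infers a license
# from a crate's license text rather than its `license` field; a weaker match
# is discarded, so the crate then has to be resolved explicitly.
confidence-threshold = 0.9
# The allow list is forward-looking (no external deps exist on the skeleton yet);
# do not warn about allowed-but-unmatched licenses until the vendoring lands.
unused-allowed-license = "allow"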
[bans]
# Several versions of one crate in the graph usually come from a transitive
# diamond rather than anything malicious, so they are surfaced as warnings
# (supply-chain hygiene) instead of failing the build; set "deny" to block them.
multiple-versions = "warn"
[advisories]
# cargo-deny v2 advisories schema: a published security vulnerability against
# any dependency is an error by default, so the supply-chain gate, which runs
# `cargo deny check` (advisories + bans + licenses + sources), fails closed at
# merge time. The trust-root dependency set (blake2 and its transitive deps) is
# small, which keeps the check cheap.
version = 2
# A yanked crate means its publisher withdrew it; reject it rather than warn.
yanked = "deny"
[sources]
# Crates may only come from the default registry (crates.io) or from git
# sources explicitly listed in this file; any other origin is an error rather
# than cargo-deny's default warning.
unknown-git = "deny"
unknown-registry = "deny"