# cargo-deny configuration
# Deployed from paiml/infra — do not edit manually.
# Spec: docs/specifications/unified-ci-pipeline.md
#
# Four checks are configured here: [advisories] (RustSec database), [licenses],
# [bans] (duplicate / wildcard versions) and [sources] (where crates may come
# from). Keys not written in this file take cargo-deny's built-in defaults, and
# several of those defaults have changed across cargo-deny releases, so the
# effective policy is only well-defined for the cargo-deny version the pipeline
# pins (see the spec above).
#
# How the dependency graph is built before any check runs.
[graph]
# Empty list: no target filtering, dependencies for every target are considered.
targets = []
# Resolve with each crate's default features only. Feature-gated dependency
# paths cited in the ignore reasons below (the `whisper` feature, the
# block-device/registry features) are part of the checked graph only if the CI
# invocation enables them — TODO confirm against the pipeline spec.
# `exclude-dev` is not set, so dev-dependencies (the wasmtime/cranelift entries
# below) remain in the graph and are still checked.
all-features = false
no-default-features = false
[advisories]
# Every entry below suppresses one RustSec advisory for the whole workspace and
# stays in effect until it is removed. Each carries a `reason` so the
# suppression is auditable; keep re-checking the named upstreams, because an
# ignored advisory looks exactly like a fixed one in CI output.
ignore = [
# Unmaintained transitive deps with no available fix.
# Reviewed 2026-03-26 — all are deep transitive, no direct usage.
{ id = "RUSTSEC-2024-0384", reason = "instant: transitive via web-time, no replacement available" },
{ id = "RUSTSEC-2024-0436", reason = "paste: transitive via simba/nalgebra/parquet, use pastey when upstream migrates" },
{ id = "RUSTSEC-2025-0119", reason = "number_prefix: transitive via indicatif, no replacement available" },
{ id = "RUSTSEC-2025-0141", reason = "bincode: transitive, widely used, no drop-in replacement" },
{ id = "RUSTSEC-2024-0370", reason = "proc-macro-error: transitive via tabled_derive, no safe upgrade available" },
{ id = "RUSTSEC-2026-0173", reason = "proc-macro-error2: unmaintained, transitive via validator_derive; awaiting validator upstream migration" },
{ id = "RUSTSEC-2025-0134", reason = "rustls-pemfile 1.x: transitive, upstream uses 2.x but older consumers pin 1.x" },
{ id = "RUSTSEC-2026-0002", reason = "lru 0.12.5: transitive via ratatui, fixed in 0.16 but ratatui pins 0.12" },
# NOTE(review): the 2026-03-26 review stamp covers the group above. The entries
# that follow were added later (the core2 entry cites 2026-05-22) and carry no
# recorded review date of their own.
# atty 0.2.14 — unsound read (different from 2024-0375 unmaintained)
# NOTE(review): RUSTSEC-2024-0375 (atty unmaintained) is not ignored here.
# Whether it needs to be depends on the `unmaintained` scope in effect for the
# pinned cargo-deny version — confirm rather than assume it is covered.
{ id = "RUSTSEC-2021-0145", reason = "atty: unsound read, transitive via aprender-test-cli" },
# rand 0.8.6 — unmaintained, transitive only. #1980 removed the workspace's own
# tower 0.4 pin (aprender-serve/-orchestrate now on tower 0.5, matching axum 0.7's
# own tower 0.5 dep). The remaining rand 0.8.6 enters via the published
# whisper-apr 0.2.8 -> realizar 0.8.6 (stale crates.io realizar; whisper feature),
# and is potentially also reachable via axum 0.7 `ws` -> tungstenite 0.24 (axum
# 0.7->0.8 is a large API migration), tonic 0.12 `channel` -> tower 0.4.13, and the
# published trueno-ublk/pacha/renacer stack (block-device/registry features). Each
# needs an upstream major bump; no safe drop-in exists yet.
{ id = "RUSTSEC-2026-0097", reason = "rand 0.8.6: unmaintained, transitive via whisper-apr->realizar 0.8.6 (+ axum 0.7 ws / tonic channel / trueno-ublk); awaiting upstream migration to rand 0.9" },
# wasmtime 43 + cranelift — test-only dep, not production. Upgrade to >=43.0.2 when available.
# These still need listing because `exclude-dev` is left at its default in
# [graph]; "test-only" is a risk argument recorded here, not something
# cargo-deny verifies.
{ id = "RUSTSEC-2026-0085", reason = "cranelift: test-only dep via wasmtime (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0086", reason = "cranelift: test-only dep via wasmtime (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0088", reason = "wasmtime: test-only dep (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0089", reason = "wasmtime: test-only dep (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0091", reason = "wasmtime: test-only dep (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0092", reason = "wasmtime: test-only dep (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0094", reason = "wasmtime: test-only dep (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0096", reason = "wasmtime: test-only dep (aprender-test-lib)" },
{ id = "RUSTSEC-2026-0114", reason = "wasmtime 43 table allocation panic: test-only dep, availability bug not RCE" },
# rustls-webpki 0.101.7 — transitive via aws-smithy-http-client (rustls 0.21).
# Direct 0.103.x path already patched to >=0.103.12; 0.101.7 is pinned inside
# the AWS SDK graph and can only move via a major SDK bump.
# NOTE(review): together with RUSTSEC-2025-0134 (rustls-pemfile) above, these
# three sit in the TLS certificate-handling path of the AWS client; treat them
# as the first entries to retire once the SDK bump lands.
{ id = "RUSTSEC-2026-0098", reason = "rustls-webpki 0.101.7: transitive via aws-smithy-http-client (rustls 0.21), no drop-in fix" },
{ id = "RUSTSEC-2026-0099", reason = "rustls-webpki 0.101.7: transitive via aws-smithy-http-client (rustls 0.21), no drop-in fix" },
{ id = "RUSTSEC-2026-0104", reason = "rustls-webpki 0.101.7: transitive via aws-smithy-http-client (rustls 0.21), no drop-in fix. Direct 0.103.x path bumped to 0.103.13." },
# core2 0.4.0 — unmaintained, all versions yanked. Transitive via bitstream-io
# (image/media decoding stack). Surfaced 2026-05-22 blocking ALL in-flight PRs.
# NOTE(review): this entry ignores the advisory id only. If the yanked-crate
# check is active for the pinned cargo-deny version, the yanked version is
# reported separately and needs its own crate-spec ignore — confirm which
# diagnostic the pipeline actually hits.
{ id = "RUSTSEC-2026-0105", reason = "core2: yanked + unmaintained, transitive via bitstream-io; waiting for upstream migration off core2" },
]
[licenses]
# Allow-list of SPDX identifiers. Every crate whose license expression is not
# satisfied by this list fails the check, so an addition here is the only way
# a new license enters the dependency tree.
# NOTE(review): MPL-2.0 is file-level copyleft and OpenSSL carries an
# advertising clause — confirm both were admitted deliberately and not just to
# make a build pass.
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-3.0",
"Unicode-DFS-2016",
"Zlib",
"BSL-1.0",
"OpenSSL",
"0BSD",
"CC0-1.0",
"MPL-2.0",
"CDLA-Permissive-2.0",
"MIT-0",
]
# Minimum confidence (0.0–1.0) for mapping a crate's license text to an SPDX
# identifier; 0.8 is cargo-deny's default.
confidence-threshold = 0.8
[bans]
# Several versions of the same crate in the graph only warn, so the version
# sprawl visible in the ignore reasons above (tower 0.4/0.5, rand 0.8/0.9) does
# not fail CI. Wildcard (`*`) version requirements do fail.
multiple-versions = "warn"
wildcards = "deny"
# Highlight every offending path, not just the simplest one, in the graph
# emitted for multiple-versions diagnostics.
highlight = "all"
[sources]
# Crates may only come from the listed registry or the git sources admitted
# below; a crate from any other registry or git URL fails the check.
unknown-registry = "deny"
unknown-git = "deny"
# crates.io by its git index URL. NOTE(review): if the pipeline resolves via the
# sparse index instead, confirm the pinned cargo-deny maps it to this entry.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# No individual git repositories; git sources are admitted per organisation.
allow-git = []
# Any repository under github.com/paiml may be used as a git dependency. This
# is an org-wide trust grant. NOTE(review): nothing in this file requires such
# dependencies to be pinned to a `rev`; if unpinned branch refs are a concern,
# confirm that pinning is enforced elsewhere (e.g. Cargo.lock review).
[sources.allow-org]
github = ["paiml"]