logos-blockchain/logos-execution-zone
1
0
Fork 0
mirror of https://github.com/logos-blockchain/logos-execution-zone.git synced 2026-05-14 03:59:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: artifacts and deny

Browse Source 
Refs: #454
This commit is contained in:
moudyellaz 2026-05-08 17:32:28 +02:00
parent 3772046a39
commit 06fd4fc12e
2 changed files with 56 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
artifacts/program_methods/privacy_preserving_circuit.bin
View File

Binary file not shown.

56
deny.toml Normal file
View File

@ -0,0 +1,56 @@
[advisories]
# Ignored advisories. Each entry must record why the fix isn't being applied here so
# future maintainers can re-evaluate. Track upstream fixes and reopen as bumps land.
ignore = [
# hickory-proto v0.25.0-alpha.5 — pulled in via libp2p v0.55 -> libp2p-dns v0.43 ->
# hickory-resolver v0.25.0-alpha.5. The fix is only in hickory-proto v0.26.x, which
# requires libp2p v0.56 (libp2p-dns v0.44). `libp2p` comes from the upstream
# `logos-blockchain-cryptarchia-sync` git dep, and as of master commit f0b8974dde
# (2026-05-07) that repo still pins libp2p = "0.55".
{ id = "RUSTSEC-2026-0118", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
{ id = "RUSTSEC-2026-0119", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
# rsa v0.9 — Marvin Attack timing sidechannel. No patched 0.9.x release; fix lands
# in a future release. Used transitively by several deps; revisit when upstream
# patches.
{ id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin Attack; awaiting patched release" },
# tracing-subscriber — ANSI escape injection in log values. Patched in newer
# tracing-subscriber; pinned by transitive deps. Bump requires coordinated update
# of dependents.
{ id = "RUSTSEC-2025-0055", reason = "tracing-subscriber ANSI; pinned by transitive deps, needs coordinated bump" },
# rand — unsoundness when a custom logger uses rand::rng(). We don't use a custom
# logger this way; risk profile is low.
{ id = "RUSTSEC-2026-0097", reason = "rand unsoundness only triggered by custom logger pattern we don't use" },
# Unmaintained crates. Not vulnerabilities; flagged because upstream stopped
# publishing. Each is a transitive dep — bumping out requires the consumer to
# switch alternatives.
{ id = "RUSTSEC-2023-0089", reason = "atomic-polyfill unmaintained; transitive only" },
{ id = "RUSTSEC-2024-0388", reason = "derivative unmaintained; transitive only" },
{ id = "RUSTSEC-2024-0436", reason = "paste unmaintained; transitive only" },
{ id = "RUSTSEC-2025-0141", reason = "bincode unmaintained; transitive only" },
]
[licenses]
# Mirrors the implicit set previously accepted on `main` (origin reported `licenses ok`
# with no deny.toml). Adding deny.toml triggers strict enforcement, so the licenses
# already present in the dependency graph must be enumerated here.
allow = [
"0BSD",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-1-Clause",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0",
"CC0-1.0",
"CDLA-Permissive-2.0",
"ISC",
"LGPL-2.1-or-later",
"LGPL-3.0-only",
"LGPL-3.0-or-later",
"MIT",
"MPL-2.0",
"Unicode-3.0",
"Unlicense",
"Zlib",
]
confidence-threshold = 0.8