diff --git a/.deny.toml b/.deny.toml
index e65cdd34..f2e3f3c7 100644
--- a/.deny.toml
+++ b/.deny.toml
@@ -14,6 +14,8 @@ ignore = [
 { id = "RUSTSEC-2025-0141", reason = "`bincode` is unmaintained but continuing to use it." },
 { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill is pulled transitively via risc0-zkvm; waiting on upstream fix (see https://github.com/risc0/risc0/issues/3453)" },
 { id = "RUSTSEC-2026-0097", reason = "`rand` v0.8.5 is present transitively from logos crates, modification may break integration" },
+ { id = "RUSTSEC-2026-0118", reason = "`hickory-proto` v0.25.0-alpha.5 NSEC3 unbounded loop; pulled transitively via libp2p 0.55 -> libp2p-dns 0.43; needs upstream `logos-blockchain-cryptarchia-sync` libp2p bump to 0.56" },
+ { id = "RUSTSEC-2026-0119", reason = "`hickory-proto` v0.25.0-alpha.5 O(n^2) name compression; pulled transitively via libp2p 0.55 -> libp2p-dns 0.43; needs upstream `logos-blockchain-cryptarchia-sync` libp2p bump to 0.56" },
 ]
 yanked = "deny"
 unused-ignored-advisory = "deny"
diff --git a/deny.toml b/deny.toml
deleted file mode 100644
index 72d80da3..00000000
--- a/deny.toml
+++ /dev/null
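Review bot: The two added RUSTSEC-2026-0118/0119 entries drop the re-evaluation anchor that the deleted `deny.toml` carried — it recorded the upstream pin as master commit f0b8974dde (2026-05-07) and that the fix lives in hickory-proto 0.26.x via libp2p-dns 0.44 — so nothing left in `.deny.toml` tells the next maintainer when to retest. The reasons also describe only the dependency chain; both advisories read as denial-of-service bugs in DNS message handling reached through libp2p-dns, so the ignore accepts that a malformed resolver response can stall the node, and that assessment belongs beside the entries. Suggest a comment above the two new lines: `# hickory-proto 0.25.0-alpha.5 DoS (NSEC3 loop, O(n^2) name compression); fixed in 0.26.x, needs libp2p 0.56. Re-check when logos-blockchain-cryptarchia-sync moves off libp2p 0.55 (pinned as of f0b8974dde, 2026-05-07).` Separately, the deleted file also ignored RUSTSEC-2023-0071, RUSTSEC-2025-0055, RUSTSEC-2024-0388 and RUSTSEC-2024-0436; if those are not listed above this hunk in `.deny.toml` they are no longer suppressed, which is the stricter outcome, but it only holds if `cargo deny check advisories` is green after this change rather than silently relying on those crates having left the graph. The `[advisories]` section and the `ignore` array open above the hunk.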
@@ -1,56 +0,0 @@
-[advisories]
-# Ignored advisories. Each entry must record why the fix isn't being applied here so
-# future maintainers can re-evaluate. Track upstream fixes and reopen as bumps land.
-ignore = [
- # hickory-proto v0.25.0-alpha.5 — pulled in via libp2p v0.55 -> libp2p-dns v0.43 ->
- # hickory-resolver v0.25.0-alpha.5. The fix is only in hickory-proto v0.26.x, which
- # requires libp2p v0.56 (libp2p-dns v0.44). `libp2p` comes from the upstream
- # `logos-blockchain-cryptarchia-sync` git dep, and as of master commit f0b8974dde
- # (2026-05-07) that repo still pins libp2p = "0.55".
- { id = "RUSTSEC-2026-0118", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
- { id = "RUSTSEC-2026-0119", reason = "transitive via libp2p 0.55; needs upstream cryptarchia-sync libp2p bump" },
- # rsa v0.9 — Marvin Attack timing sidechannel. No patched 0.9.x release; fix lands
- # in a future release. Used transitively by several deps; revisit when upstream
- # patches.
- { id = "RUSTSEC-2023-0071", reason = "rsa crate Marvin Attack; awaiting patched release" },
- # tracing-subscriber — ANSI escape injection in log values. Patched in newer
- # tracing-subscriber; pinned by transitive deps. Bump requires coordinated update
- # of dependents.
- { id = "RUSTSEC-2025-0055", reason = "tracing-subscriber ANSI; pinned by transitive deps, needs coordinated bump" },
- # rand — unsoundness when a custom logger uses rand::rng(). We don't use a custom
- # logger this way; risk profile is low.
- { id = "RUSTSEC-2026-0097", reason = "rand unsoundness only triggered by custom logger pattern we don't use" },
- # Unmaintained crates. Not vulnerabilities; flagged because upstream stopped
- # publishing. Each is a transitive dep — bumping out requires the consumer to
- # switch alternatives.
- { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill unmaintained; transitive only" },
- { id = "RUSTSEC-2024-0388", reason = "derivative unmaintained; transitive only" },
- { id = "RUSTSEC-2024-0436", reason = "paste unmaintained; transitive only" },
- { id = "RUSTSEC-2025-0141", reason = "bincode unmaintained; transitive only" },
-]
-
-[licenses]
-# Mirrors the implicit set previously accepted on `main` (origin reported `licenses ok`
-# with no deny.toml). Adding deny.toml triggers strict enforcement, so the licenses
-# already present in the dependency graph must be enumerated here.
-allow = [
- "0BSD",
- "Apache-2.0",
- "Apache-2.0 WITH LLVM-exception",
- "BSD-1-Clause",
- "BSD-2-Clause",
- "BSD-3-Clause",
- "BSL-1.0",
- "CC0-1.0",
- "CDLA-Permissive-2.0",
- "ISC",
- "LGPL-2.1-or-later",
- "LGPL-3.0-only",
- "LGPL-3.0-or-later",
- "MIT",
- "MPL-2.0",
- "Unicode-3.0",
- "Unlicense",
- "Zlib",
-]
-confidence-threshold = 0.8