lssa/.deny.toml
2026-02-16 12:28:31 -03:00


# Config file reference can be found at https://embarkstudios.github.io/cargo-deny/checks/cfg.html.
# Dependency-graph scope: these keys decide which crates the advisory, ban,
# license and source checks in this file actually see.
[graph]
# Dev-dependencies are left out of the graph, so an advisory or an
# out-of-policy license that reaches the workspace only through tests or
# benches is not reported.
exclude-dev = true
# NOTE(review): both feature switches are enabled at once; confirm the graph
# is resolved with every optional dependency included, as `all-features`
# implies.
no-default-features = true
all-features = true
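# RustSec advisory policy. Each `ignore` entry suppresses a known advisory for
# the whole dependency graph, so its `reason` should say why the exposure is
# acceptable and what would let the entry be removed.
[advisories]
ignore = [
    # NOTE(review): this reason restates the advisory title instead of
    # justifying the exception. The RustSec entry with this title is filed
    # against the `rsa` crate (confirm); record which dependency pulls it in
    # and whether private-key operations are reachable where timing can be
    # observed.
    { id = "RUSTSEC-2023-0071", reason = "Marvin Attack: potential key recovery through timing sidechannels" },
    { id = "RUSTSEC-2024-0388", reason = "`derivative` is unmaintained; consider using an alternative. Use `cargo tree -p derivative -i > tmp.txt` to check the dependency tree." },
    # RUSTSEC-2024-0436 is an unmaintained-crate notice, not a vulnerability
    # report; the reason is worded accordingly so triage is not misled.
    { id = "RUSTSEC-2024-0436", reason = "`paste` is unmaintained; consider using an alternative. Use `cargo tree -p paste -i > tmp.txt` to check the dependency tree." },
    # Time-boxed exception ("before mainnet").
    # NOTE(review): link a tracking issue so the deadline is enforceable.
    { id = "RUSTSEC-2025-0055", reason = "`tracing-subscriber` v0.2.25 pulled in by ark-relations v0.4.0 - will be addressed before mainnet" },
    { id = "RUSTSEC-2025-0141", reason = "`bincode` is unmaintained but continuing to use it." },
    { id = "RUSTSEC-2023-0089", reason = "atomic-polyfill is pulled transitively via risc0-zkvm; waiting on upstream fix (see https://github.com/risc0/risc0/issues/3453)" },
]
# Yanked crate versions in the graph fail the check.
yanked = "deny"
# An ignore entry that no longer matches anything in the graph fails the
# check, so the list above cannot keep stale exceptions.
unused-ignored-advisory = "deny"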
# Crate-graph hygiene checks.
[bans]
# Several versions of the same crate may coexist without a diagnostic.
multiple-versions = "allow"
# NOTE(review): no `wildcards` level is set in this table; presumably the
# default applies and `*` version requirements are not reported — confirm
# that is intended.
allow-wildcard-paths = false
# License policy: a crate passes only when its license expression is covered
# by the identifiers in `allow` or by a per-crate entry in `exceptions`.
[licenses]
allow = [
    "Apache-2.0 WITH LLVM-exception",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    "MPL-2.0",
    "Unicode-3.0",
    "Zlib",
]
# Out-of-policy licenses are admitted per crate here instead of being added to
# `allow`, so they do not silently extend to new dependencies.
exceptions = [
    # TEMP: awaiting legal review; these crates arrive transitively through `risc0-zkvm`.
    # NOTE(review): confirm the TEMP note is meant to cover every entry below,
    # including the `0BSD` one.
    { name = "downloader", version = "0.2.8", allow = ["LGPL-3.0-or-later"] },
    { name = "malachite", version = "0.4.22", allow = ["LGPL-3.0-only"] },
    { name = "malachite-base", version = "0.4.22", allow = ["LGPL-3.0-only"] },
    { name = "malachite-float", version = "0.4.22", allow = ["LGPL-3.0-only"] },
    { name = "malachite-nz", version = "0.4.22", allow = ["LGPL-3.0-only"] },
    { name = "malachite-q", version = "0.4.22", allow = ["LGPL-3.0-only"] },
    { name = "managed", version = "0.8.0", allow = ["0BSD"] },
]
# Unpublished (private) workspace crates are not exempt from the license check.
private = { ignore = false }
# An `allow` entry that no crate in the graph uses fails the check, keeping
# the allow list minimal.
unused-allowed-license = "deny"
# Provenance policy: where crate sources may be fetched from.
[sources]
# Git repositories accepted by exact URL. The list vouches for the location
# only. NOTE(review): confirm each git dependency is pinned to a specific
# revision in the manifest or lockfile.
allow-git = [
    "https://github.com/EspressoSystems/jellyfish.git",
    "https://github.com/logos-blockchain/logos-blockchain.git",
]
# No `allow-registry` list appears in this table. NOTE(review): presumably
# only the default registry is accepted — confirm.
unknown-registry = "deny"
# Any git source not covered by an allowance fails the check.
unknown-git = "deny"
# Organisation-wide allowance: any repository owned by a listed GitHub
# organisation is accepted as a git source. This is broader than a per-URL
# entry, so the trust extends to every current and future repository of the
# organisation.
[sources.allow-org]
github = [
    "logos-co",
]