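# cargo-deny configuration — supply-chain gate for the webclaw workspace.
# Run locally with `cargo deny check`; CI runs it via EmbarkStudios/cargo-deny-action.
#
# Scope of enforcement:
# advisories — fail on known RUSTSEC vulnerabilities / unmaintained crates
# bans — keep the dep tree lean and free of disallowed crates
# licenses — allow the AGPL-3.0 workspace plus permissive deps only
# sources — only crates.io and our own GitHub org

[graph]
# Resolve the dependency graph with every feature enabled so a crate that is
# only pulled in by an optional feature is still checked. No `targets` list is
# set here, so cargo-deny keeps dependencies for every target platform in the
# graph (its default) and a vuln gated behind a non-host platform still trips
# the gate; add a `targets` list only if the check must be narrowed to the
# platforms we actually ship.
all-features = true

[advisories]
version = 2
# Fail the build on any unfixed advisory by default (cargo-deny v2 errors on
# `vulnerability`/`unmaintained`/`unsound`/`yanked` unless explicitly ignored).
# Add specific RUSTSEC ids here with a justification only when a fix is not yet
# available upstream.
ignore = []

[bans]
# Warn (don't hard-fail) on duplicate versions of the same crate — common and
# usually benign in a tree this size; revisit if a duplicate becomes a problem.
multiple-versions = "warn"
# Reject `version = "*"` requirements so every dependency carries a real bound.
wildcard-dependencies = "deny"
# Crates that must never enter the tree. Empty for now; this is where a banned
# transitive dep (e.g. an unmaintained TLS or crypto crate) would be listed.
deny = []

[licenses]
version = 2
# Licenses we accept on dependencies (permissive, plus the file-scoped
# copyleft MPL-2.0), and AGPL-3.0 for the workspace crates themselves.
# SPDX identifiers.
# NOTE(review): "AGPL-3.0" is the deprecated SPDX form; if a workspace
# Cargo.toml declares "AGPL-3.0-only" or "AGPL-3.0-or-later", that id
# presumably needs its own entry here — confirm against the manifests.
allow = [
    "AGPL-3.0",
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "MPL-2.0",
    "ISC",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
    "CC0-1.0",
]
# Minimum confidence (0.0–1.0) for cargo-deny's license-text detection, used
# when a crate's manifest carries no `license` field. A crate whose license
# cannot be identified at this confidence fails the check unless it is given
# an explicit `[[licenses.clarify]]` entry.
confidence-threshold = 0.8

[sources]
# Any crate fetched from a registry or git repository not allowed below fails.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]

[sources.allow-org]
# Git dependencies are accepted only from our own GitHub org.
github = ["0xMassi"]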