forked from ZcashFoundation/zebra
-
Notifications
You must be signed in to change notification settings - Fork 0
/
deny.toml
145 lines (120 loc) · 5.66 KB
/
deny.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
# Note that all fields that take a lint level have these possible values:
# * deny - An error will be produced and the check will fail
# * warn - A warning will be produced, but the check will not fail
# * allow - No warning or error will be produced, though in some cases a note
# will be
# This section is considered when running `cargo deny check bans`.
# More documentation about the 'bans' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
# Lint level for when multiple versions of the same crate are detected
multiple-versions = "deny"
# Don't allow wildcard ("any version") dependencies
# TODO: Change to `deny` after we upgrade to crates.io version of the ECC dependencies (#8749).
wildcards = "allow"
# Allow private and dev wildcard dependencies.
# Switch this to `false` when #6924 is implemented.
allow-wildcard-paths = true
# The graph highlighting used when creating dotgraphs for crates
# with multiple versions
# * lowest-version - The path to the lowest versioned duplicate is highlighted
# * simplest-path - The path to the version with the fewest edges is highlighted
# * all - Both lowest-version and simplest-path are used
highlight = "all"
# List of crates that are allowed. Use with care!
#allow = [
#]
# List of crates that can never become Zebra dependencies.
deny = [
# Often has memory safety vulnerabilities.
# Enabled by --all-features, use the `cargo hack` script in the deny.toml CI job instead.
{ name = "openssl" },
{ name = "openssl-sys" },
]
# We only use this for some `librustzcash` and `orchard` crates.
# If we add a crate here, duplicate dependencies of that crate are still shown.
#
# Certain crates/versions that will be skipped when doing duplicate detection.
skip = [
]
# Similarly to `skip` allows you to skip certain crates during duplicate
# detection. Unlike skip, it also includes the entire tree of transitive
# dependencies starting at the specified crate, up to a certain depth, which is
# by default infinite
skip-tree = [
# wait for ordered-map to release a dependency fix
{ name = "ordered-map", version = "=0.4.2" },
# wait for primitive-types to upgrade
{ name = "proc-macro-crate", version = "=0.1.5" },
# wait for `color-eyre` to upgrade
{ name = "owo-colors", version = "=3.5.0" },
# wait for structopt upgrade (or upgrade to clap 4)
{ name = "clap", version = "=2.34.0" },
# wait for abscissa_core to upgrade
{name = "tracing-log", version = "=0.1.4" },
# wait for tokio-test -> tokio-stream to upgrade
{ name = "tokio-util", version = "=0.6.10" },
# wait for console-subscriber and tower to update hdrhistogram.
# also wait for ron to update insta, and wait for tonic update.
{ name = "base64", version = "=0.13.1" },
# wait for elasticsearch to update base64, darling, rustc_version, serde_with
{ name = "elasticsearch", version = "=8.5.0-alpha.1" },
# wait for reqwest to update base64
{ name = "base64", version = "=0.21.7" },
{ name = "sync_wrapper", version = "0.1.2" },
# wait for jsonrpc-http-server to update hyper or for Zebra to replace jsonrpc (#8682)
{ name = "h2", version = "=0.3.26" },
{ name = "http", version = "=0.2.12" },
{ name = "http-body", version = "=0.4.6" },
{ name = "hyper", version = "=0.14.31" },
{ name = "hyper-rustls", version = "=0.24.2" },
{ name = "reqwest", version = "=0.11.27" },
{ name = "rustls", version = "=0.21.12" },
{ name = "rustls-pemfile", version = "=1.0.4" },
{ name = "rustls-webpki", version = "=0.101.7" },
{ name = "tokio-rustls", version = "=0.24.1" },
{ name = "webpki-roots", version = "=0.25.4" },
# wait for structopt-derive to update heck
{ name = "heck", version = "=0.3.3" },
# wait for librocksdb-sys to update bindgen to one that uses newer itertools
{ name = "itertools", version = "=0.12.1" },
{ name = "bindgen", version = "=0.69.5" },
# wait for halo2_gadgets and primitive-types to update uint
{ name = "uint", version = "=0.9.5" },
# wait for dirs-sys to update windows-sys
{ name = "windows-sys", version = "=0.48.0" },
# wait for zebra to update tower
{ name = "tower", version = "=0.4.13" },
{ name = "hashbrown", version = "=0.12.3" },
# Remove after release candicate period is over and the ECC crates are not patched anymore
{ name = "equihash", version = "=0.2.0" },
{ name = "f4jumble", version = "=0.1.0" },
{ name = "incrementalmerkletree", version = "=0.6.0" },
{ name = "zcash_address", version = "=0.4.0" },
{ name = "zcash_keys", version = "=0.3.0" },
{ name = "zcash_primitives", version = "=0.16.0" },
{ name = "zcash_protocol", version = "=0.2.0" }
]
# This section is considered when running `cargo deny check sources`.
# More documentation about the 'sources' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
# Lint level for what to happen when a crate from a crate registry that is not
# in the allow list is encountered
unknown-registry = "deny"
# Lint level for what to happen when a crate from a git repository that is not
# in the allow list is encountered
unknown-git = "deny"
# List of URLs for allowed crate registries. Defaults to the crates.io index
# if not specified. If it is specified but empty, no registries are allowed.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of URLs for allowed Git repositories
allow-git = [
"https://github.com/zcash/librustzcash.git",
"https://github.com/zcash/incrementalmerkletree",
"https://github.com/zcash/orchard",
"https://github.com/zcash/sapling-crypto"
]
[sources.allow-org]
github = [
]