# Dependency policy for this project.
# cargo-deny is used here for *policy enforcement*, not vulnerability scanning.
# Vulnerability advisories are handled separately via cargo-audit.
[licenses]
# Allow-list of SPDX license identifiers accepted for crates in the
# dependency graph. Keep this aligned with the GitHub dependency-review
# configuration so both checks accept the same set.
allow = [
"MIT",
"Apache-2.0",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Zlib",
"CC0-1.0",
"Unlicense",
"BSL-1.0",
"Unicode-3.0", # permissive, basically MIT
"MPL-2.0", # file-level copyleft; does not extend to the rest of the binary
"CDLA-Permissive-2.0", # data licence for webpki roots
]
# How closely a crate's license text must match a canonical SPDX license text
# (0.0 to 1.0) before cargo-deny accepts the detected license.
confidence-threshold = 0.9
# Per-crate additions to the allow-list above.
exceptions = [
# Build-time dependencies may carry a stronger copyleft license because
# they don't end up in the final binary.
# `downloader` is used by the maplibre_native build script.
# NOTE(review): the exception is keyed on the crate name only; re-check it
# if `downloader` ever becomes a normal (runtime) dependency.
{ crate = "downloader", allow = ["LGPL-3.0-or-later"] },
]
[licenses.private]
# Skip the license check for workspace crates that are not published
# (or are published only to private registries).
ignore = true
# Some crates don't have (easily) machine readable licensing information,
# adding a clarification entry for it allows you to manually specify the
# licensing information
#[[licenses.clarify]]
# The package spec the clarification applies to
#crate = "ring"
# The SPDX expression for the license requirements of the crate
#expression = "MIT AND ISC AND OpenSSL"
# One or more files in the crate's source used as the "source of truth" for
# the license expression. If the contents match, the clarification will be used
# when running the license check, otherwise the clarification will be ignored
# and the crate will be checked normally, which may produce warnings or errors
# depending on the rest of your configuration
#license-files = [
# Each entry is a crate relative path, and the (opaque) hash of its contents
#{ path = "LICENSE", hash = 0xbd0eed23 }
#]
[bans]
# Duplicate versions of the same crate are tolerated. Denying them would be
# nice for compile time, but currently we don't have the capacity for this.
multiple-versions = "allow"
# Wildcard (`*`) version requirements are almost always accidental and accept
# any published version of the dependency, so they are rejected.
wildcards = "deny"
# Crates (`skip`) and whole dependency subtrees (`skip-tree`) exempted from the
# duplicate-version check. Keep empty unless an entry is justified.
skip = []
skip-tree = []
# Exact crate versions that must not appear in the dependency graph; every
# entry records why it is blocked. The current entries track build or test
# breakage, not security advisories.
# Changes here need to be synced with `just update`.
deny = [
{ crate = "libdeflater@1.25.0", reason = "does not compile under musl" },
{ crate = "libdeflate-sys@1.25.0", reason = "does not compile under musl" },
{ crate = "insta@1.45.0", reason = "fails cargo test -- diff_and_patch" },
{ crate = "insta@1.45.1", reason = "fails cargo test -- diff_and_patch" },
{ crate = "freetype-sys@0.23.0", reason = "libpng fails to compile (missing zlib.h) on musl and Windows" },
{ crate = "freetype-rs@0.38.0", reason = "depends on freetype-sys@0.23.0 which fails to compile on musl and Windows" },
{ crate = "sdf_glyph_renderer@1.1.0", reason = "depends on freetype-rs@0.38.0 which fails to compile on musl and Windows" },
]
[sources]
# Supply-chain hardening: only crates.io, no git deps.
# `allow-registry` is not set here, so cargo-deny's default registry
# allow-list (crates.io) applies and any other registry is rejected.
unknown-registry = "deny"
# A git dependency whose URL is not listed in `allow-git` fails the check.
unknown-git = "deny"
# If git deps are ever needed, each repository URL must be explicitly allowed
# here; an empty list means no git source is accepted.
allow-git = []
[graph]
# Target triples the dependency graph is resolved for. Only crates reachable
# when building for one of these targets are evaluated; a crate pulled in
# solely for a target that is not listed is skipped by every check in this
# file, so extend the list whenever a new platform is shipped.
targets = [
"x86_64-unknown-linux-musl",
"aarch64-unknown-linux-musl",
"x86_64-unknown-linux-gnu",
"aarch64-unknown-linux-gnu",
"aarch64-apple-darwin",
"x86_64-apple-darwin",
"x86_64-pc-windows-msvc",
]