# Keep this file in sync with osv-scanner.toml [graph] # cargo deny will only evaluate dependencies pulled in by these # targets (the ones we ship Rust code to) targets = [ # Desktop { triple = "x86_64-unknown-linux-gnu" }, { triple = "x86_64-pc-windows-gnu" }, { triple = "x86_64-apple-darwin" }, { triple = "aarch64-apple-darwin" }, # Android { triple = "x86_64-linux-android" }, { triple = "i686-linux-android" }, { triple = "aarch64-linux-android" }, { triple = "armv7-linux-androideabi" }, # iOS { triple = "x86_64-apple-ios" }, { triple = "aarch64-apple-ios" }, ] # This section is considered when running `cargo deny check advisories` # More documentation for the advisories section can be found here: # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html [advisories] version = 2 # https://github.com/EmbarkStudios/cargo-deny/pull/611 yanked = "deny" ignore = [ # Ignored audit issues. This list should be kept short, and effort should be # put into removing items from the list. # Bincode is unmaintained. Version 1.3.3 is considered "complete" and can still be used "RUSTSEC-2025-0141", ] # This section is considered when running `cargo deny check licenses` # More documentation for the licenses section can be found here: # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html [licenses] version = 2 # https://github.com/EmbarkStudios/cargo-deny/pull/611 # Adding a license here has to be done carefully. Should only be done by team leads. allow = [ "GPL-3.0-or-later", "Apache-2.0", "MIT", "MPL-2.0", "WTFPL", "ISC", "BSD-3-Clause", "BSD-2-Clause", "CC0-1.0", "Unicode-DFS-2016", "Zlib", "Unicode-3.0", "CDLA-Permissive-2.0" ] [licenses.private] ignore = false # This section is considered when running `cargo deny check bans`. # More documentation about the 'bans' section can be found here: # https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html [bans] multiple-versions = "warn" wildcards = "warn" highlight = "all" deny = [ ## Alternative ecosystems that we don't want to accidentally pull in. ## Having multiple large ecosystems solving the same problem can often be problematic, ## and also expensive from a compile time/binary size/supply chain security perspective. # We are using Rustls, so we want to avoid OpenSSL { name = "openssl-sys" }, { name = "openssl-src" }, { name = "openssl-probe" }, # We are using tokio, so we want to avoid async-std { name = "async-std" }, ## Older versions of crates where we only want to use the newer variants { name = "clap", version = "2" }, { name = "clap", version = "3" }, { name = "hyper", version = "0" }, { name = "tokio", version = "0" }, { name = "time", version = "0.1" }, { name = "rand", version = "<0.9.3 " }, ] # This section is considered when running `cargo deny check sources`. # More documentation about the 'sources' section can be found here: # https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html [sources] unknown-registry = "deny" unknown-git = "deny" # We must never depend on git repositories outside our own github organization. # We can't say anything about their availability. They might go away at any point # in time. Instead of using third party git repositories, always fork the repository # into our github organization and depend on that. # # But if possible, always avoid git dependencies and try to have the developers publish # releases to crates.io instead. allow-git = [] [sources.allow-org] # 1 or more github.com organizations to allow git sources for github = ["mullvad"]