summaryrefslogtreecommitdiff
path: root/deny.toml
blob: f5291700dfc0e314812d739d0e2485682a17ecfb (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

# Copied from https://github.com/rerun-io/rerun_template
#
# https://github.com/EmbarkStudios/cargo-deny
#
# cargo-deny checks our dependency tree for copy-left licenses,
# duplicate dependencies, and rustsec advisories (https://rustsec.org/advisories).
#
# Install: `cargo install cargo-deny`
# Check: `cargo deny check`.


# Note: running just `cargo deny check` without a `--target` can result in
# false positives due to https://github.com/EmbarkStudios/cargo-deny/issues/324
[graph]
targets = [
  { triple = "aarch64-apple-darwin" },
  { triple = "i686-pc-windows-gnu" },
  { triple = "i686-pc-windows-msvc" },
  { triple = "i686-unknown-linux-gnu" },
  { triple = "wasm32-unknown-unknown" },
  { triple = "x86_64-apple-darwin" },
  { triple = "x86_64-pc-windows-gnu" },
  { triple = "x86_64-pc-windows-msvc" },
  { triple = "x86_64-unknown-linux-gnu" },
  { triple = "x86_64-unknown-linux-musl" },
  { triple = "x86_64-unknown-redox" },
]
all-features = true


[advisories]
version = 2
ignore = [
  "RUSTSEC-2024-0320",        # unmaintaines yaml-rust pulled in by syntect
  { name = "async-process" }, # yanked crated pulled in by old accesskit
]


[bans]
multiple-versions = "deny"
wildcards = "deny"
deny = [
  { name = "cmake", reason = "It has hurt me too much" },
  { name = "openssl-sys", reason = "Use rustls" },
  { name = "openssl", reason = "Use rustls" },
]

skip = [
  { name = "bit-set" },        # wgpu's naga depends on 0.6, syntect's (used by egui_extras) fancy-regex depends on 0.5
  { name = "bit-vec" },        # dependency of bit-set in turn, different between 0.6 and 0.5
  { name = "bitflags" },       # old 1.0 version via glutin, png, spirv, …
  { name = "cfg_aliases" },    # old version via wgpu
  { name = "event-listener" }, # TODO(emilk): rustls pulls in two versions of this 😭
  { name = "futures-lite" },   # old version via accesskit_unix and zbus
  { name = "memoffset" },      # tiny dependency
  { name = "ndk-sys" },        # old version via wgpu, winit uses newer version
  { name = "quick-xml" },      # old version via wayland-scanner
  { name = "redox_syscall" },  # old version via winit
  { name = "time" },           # old version pulled in by unmaintianed crate 'chrono'
  { name = "windows-core" },   # old version via accesskit_windows
  { name = "windows" },        # old version via accesskit_windows
  { name = "glow" },           # wgpu uses an old `glow`, but realistically no one uses _both_ `egui_wgpu` and `egui_glow`, so we won't get a duplicate dependency

]
skip-tree = [
  { name = "criterion" },     # dev-dependency
  { name = "fastrand" },      # old version via accesskit_unix
  { name = "foreign-types" }, # small crate. Old version via core-graphics (winit).
  { name = "objc2" },         # old version via accesskit_macos
  { name = "polling" },       # old version via accesskit_unix
  { name = "rfd" },           # example dependency
]


[licenses]
version = 2
private = { ignore = true }
confidence-threshold = 0.93 # We want really high confidence when inferring licenses from text
allow = [
  "Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html
  "Apache-2.0",                     # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
  "BSD-2-Clause",                   # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd)
  "BSD-3-Clause",                   # https://tldrlegal.com/license/bsd-3-clause-license-(revised)
  "BSL-1.0",                        # https://tldrlegal.com/license/boost-software-license-1.0-explained
  "CC0-1.0",                        # https://creativecommons.org/publicdomain/zero/1.0/
  "ISC",                            # https://www.tldrlegal.com/license/isc-license
  "LicenseRef-UFL-1.0",             # no official SPDX, see https://github.com/emilk/egui/issues/2321
  "MIT-0",                          # https://choosealicense.com/licenses/mit-0/
  "MIT",                            # https://tldrlegal.com/license/mit-license
  "MPL-2.0",                        # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - see Q11. Used by webpki-roots on Linux.
  "OFL-1.1",                        # https://spdx.org/licenses/OFL-1.1.html
  "OpenSSL",                        # https://www.openssl.org/source/license.html - used on Linux
  "Unicode-DFS-2016",               # https://spdx.org/licenses/Unicode-DFS-2016.html
  "Zlib",                           # https://tldrlegal.com/license/zlib-libpng-license-(zlib)
]
exceptions = []

[[licenses.clarify]]
name = "webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]


[sources]
unknown-registry = "deny"
unknown-git = "deny"
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-10-22 20:33:55 +0000