The openssl crate is affected by several CVEs. While looking into bumping it, I realized that we could just bump reqwest, which no longer uses it as its default TLS provider. So this adds rustls and all its dependencies to the dependency tree.
# cargo-deny configuration. Reference:
# https://embarkstudios.github.io/cargo-deny/checks/cfg.html

# Crate graph that every check below runs against.
[graph]
# Resolve the graph with all Cargo features enabled so that optional
# dependencies are checked as well.
all-features = true
# criterion is a dev-only dependency. An excluded crate is dropped from the
# graph together with any dependencies reachable only through it, so none of
# the checks in this file see them.
exclude = ["criterion"]

# Security advisory check.
[advisories]
version = 2
# RUSTSEC-2024-0436 is in `paste`, which is pulled in transitively by
# `smol_macros`, a test-only dependency. The ignore is keyed on the advisory
# id alone, so re-check this entry if `paste` ever becomes reachable from
# non-test code, and drop it once `paste` leaves the tree.
ignore = ["RUSTSEC-2024-0436"]

# License check: only the SPDX identifiers listed in `allow` are accepted.
# "OpenSSL" is on the list because the expression clarified for `ring` in
# [[licenses.clarify]] includes it.
[licenses]
version = 2
allow = [
    "Apache-2.0",
    "BSD-3-Clause",
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    "MPL-2.0",
    "OpenSSL",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Zlib",
]
# Workspace crates that are not published are skipped by the license check.
private = { ignore = true }

# License expression for `ring`, supplied by hand for every version ("*").
# It is tied to the recorded hash of the crate's LICENSE file: if that file
# changes, the hash no longer matches and the license has to be reviewed again.
# NOTE(review): confirm the `ring` version in the lockfile still needs this.
[[licenses.clarify]]
name = "ring"
version = "*"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

# Dependency bans.
[bans]
# Several versions of the same crate in the graph are reported as a warning
# and do not fail the check.
multiple-versions = "warn"
# A dependency declared with a `*` version requirement fails the check.
wildcards = "deny"

[[bans.features]]
name = "serde_json"
# Cargo unifies features across the build, so a library that turns one of
# these on changes serde_json for every other user of it. They make no sense
# to activate from a library; make sure nothing here enables them.
deny = [
    "arbitrary_precision",
    "float_roundtrip",
    "preserve_order",
    "unbounded_depth",
]

# Where crates are allowed to come from.
[sources]
# Registries other than the allowed ones (crates.io unless `allow-registry`
# says otherwise) are rejected.
unknown-registry = "deny"
# Git dependencies are rejected unless their repository is listed in allow-git.
unknown-git = "deny"
# The allow-list matches on the repository URL only; the commit that is
# actually built is whatever the manifest and lockfile select.
# NOTE(review): check that the uniffi-rs dependency is pinned to a `rev`;
# `required-git-spec` can enforce that.
allow-git = [
    "https://github.com/mozilla/uniffi-rs.git",
]