mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-05-08 04:23:59 +02:00
Address review feedback on deny.toml and build.yml
- Remove RUSTSEC-2026-0049 ignore (advisory not triggered in this repo) - Shorten license allowlist to only licenses present in the dep tree - Set multiple-versions to "allow" (transitive dups can't be resolved) - Set wildcards to "deny" with allow-wildcard-paths = true - Update cargo-deny-action pin to 175dc7fd (v2.0.16)
This commit is contained in:
TriplEight
parent
33b0316995
commit
5bc2f1401f
2 changed files with 7 additions and 19 deletions
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
|
|
@ -184,7 +184,7 @@ jobs:
|
|||
- name: "cargo deny"
|
||||
id: deny
|
||||
if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
|
||||
uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
|
||||
uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16
|
||||
# End Run cargo deny
|
||||
|
||||
|
||||
|
|
|
|||
24
deny.toml
24
deny.toml
|
|
@ -18,11 +18,6 @@ ignore = [
|
|||
# wrapper around rustls-pki-types and pulled in transitively via rustls 0.21.x.
|
||||
# Removing it requires upstream crates to drop their rustls 0.21 dependency.
|
||||
{ id = "RUSTSEC-2025-0134", reason = "Transitive via rustls 0.21.x compat chain; blocked on upstream upgrade." },
|
||||
|
||||
# CRL validation bug in rustls-webpki: fix requires >=0.103.10, but rustls-webpki
|
||||
# 0.101.x is pinned by the rustls 0.21.x compatibility stack.
|
||||
# Track upstream rustls upgrade to resolve both occurrences.
|
||||
{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.x locked by rustls 0.21.x compat chain; track upstream rustls upgrade." },
|
||||
]
|
||||
|
||||
# =============================================================================
|
||||
|
|
@ -34,18 +29,13 @@ ignore = [
|
|||
allow = [
|
||||
"0BSD",
|
||||
"Apache-2.0",
|
||||
"Apache-2.0 WITH LLVM-exception",
|
||||
"BSD-1-Clause",
|
||||
"BSD-2-Clause",
|
||||
"BSD-3-Clause",
|
||||
"BSL-1.0", # Boost Software License (ryu)
|
||||
"CDLA-Permissive-2.0", # Community Data License Agreement (webpki-roots)
|
||||
"CC0-1.0",
|
||||
"CDLA-Permissive-2.0",
|
||||
"ISC",
|
||||
"LGPL-2.1-or-later", # r-efi (Windows-only UEFI crate; dynamically linked)
|
||||
"MIT",
|
||||
"MPL-2.0", # webauthn-rs crates (file-level copyleft, compatible)
|
||||
"MPL-2.0",
|
||||
"Unicode-3.0",
|
||||
"Unlicense",
|
||||
"Zlib",
|
||||
]
|
||||
|
||||
|
|
@ -59,11 +49,9 @@ ignore = true
|
|||
[bans]
|
||||
# Warn on duplicate versions; many arise from transitive deps and require
|
||||
# upstream changes to resolve. Promote to "deny" once the dep tree stabilises.
|
||||
multiple-versions = "warn"
|
||||
# Warn on wildcard version requirements. "deny" would also flag internal
|
||||
# workspace path dependencies (macros = { path = "./macros" }), which have
|
||||
# no version specifier by design, so "warn" is used instead.
|
||||
wildcards = "warn"
|
||||
multiple-versions = "allow"
|
||||
wildcards = "deny"
|
||||
allow-wildcard-paths = true
|
||||
highlight = "all"
|
||||
|
||||
# =============================================================================
|
||||
|
|
|
|||
Loading…
Reference in a new issue