# https://embarkstudios.github.io/cargo-deny/ # Note: running just `cargo deny check` without a `--target` can result in # false positives due to https://github.com/EmbarkStudios/cargo-deny/issues/324 targets = [ { triple = "aarch64-apple-darwin" }, { triple = "i686-pc-windows-gnu" }, { triple = "i686-pc-windows-msvc" }, { triple = "i686-unknown-linux-gnu" }, { triple = "wasm32-unknown-unknown" }, { triple = "x86_64-apple-darwin" }, { triple = "x86_64-pc-windows-gnu" }, { triple = "x86_64-pc-windows-msvc" }, { triple = "x86_64-unknown-linux-gnu" }, { triple = "x86_64-unknown-linux-musl" }, { triple = "x86_64-unknown-redox" }, ] [advisories] vulnerability = "deny" unmaintained = "warn" yanked = "deny" ignore = [ "RUSTSEC-2020-0071", # https://rustsec.org/advisories/RUSTSEC-2020-0071 - chrono/time: Potential segfault in the time crate ] [bans] multiple-versions = "deny" wildcards = "allow" # at least until https://github.com/EmbarkStudios/cargo-deny/issues/241 is fixed deny = [ { name = "cmake" }, # Lord no { name = "openssl-sys" }, # prefer rustls { name = "openssl" }, # prefer rustls ] skip = [ { name = "arrayvec" }, # old version via tiny-skiaz { name = "base64" }, # small crate, old version from usvg { name = "glow" }, # TODO(@wumpf): Old version use for glow backend right now, newer for wgpu. Updating this trickles out to updating winit. { name = "glutin_wgl_sys" }, # TODO(@wumpf): Old version use for glow backend right now, newer for wgpu. Updating this trickles out to updating winit. { name = "libloading" }, # wgpu-hal itself depends on 0.8 while some of its dependencies, like ash and d3d12, depend on 0.7 { name = "memoffset" }, # tiny dependency { name = "nix" }, # old version via winit { name = "redox_syscall" }, # old version via winit { name = "spin" }, # old version via ring through rusttls and other libraries, newer for wgpu. { name = "time" }, # old version pulled in by unmaintianed crate 'chrono' { name = "tiny-skia" }, # winit uses a different version from egui_extras (TODO(emilk): update egui_extras!) { name = "ttf-parser" }, # different versions pulled in by ab_glyph and usvg { name = "wayland-sys" }, # old version via winit { name = "windows_x86_64_msvc" }, # old version via glutin { name = "windows-sys" }, # old version via glutin { name = "windows" }, # old version via accesskit ] skip-tree = [ { name = "criterion" }, # dev-dependency { name = "foreign-types" }, # small crate. Old version via cocoa and core-graphics (winit). { name = "rfd" }, # example dependency ] [licenses] unlicensed = "deny" allow-osi-fsf-free = "neither" confidence-threshold = 0.92 # We want really high confidence when inferring licenses from text copyleft = "deny" allow = [ "Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html "Apache-2.0", # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0) "BSD-2-Clause", # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd) "BSD-3-Clause", # https://tldrlegal.com/license/bsd-3-clause-license-(revised) "BSL-1.0", # https://tldrlegal.com/license/boost-software-license-1.0-explained "CC0-1.0", # https://creativecommons.org/publicdomain/zero/1.0/ "ISC", # https://tldrlegal.com/license/-isc-license "LicenseRef-UFL-1.0", # https://tldrlegal.com/license/ubuntu-font-license,-1.0 - no official SPDX, see https://github.com/emilk/egui/issues/2321 "MIT", # https://tldrlegal.com/license/mit-license "MPL-2.0", # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - see Q11 "OFL-1.1", # https://spdx.org/licenses/OFL-1.1.html "OpenSSL", # https://www.openssl.org/source/license.html "Unicode-DFS-2016", # https://spdx.org/licenses/Unicode-DFS-2016.html "Zlib", # https://tldrlegal.com/license/zlib-libpng-license-(zlib) ] [[licenses.clarify]] name = "webpki" expression = "ISC" license-files = [{ path = "LICENSE", hash = 0x001c7e6c }] [[licenses.clarify]] name = "ring" expression = "MIT AND ISC AND OpenSSL" license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]