Skip to content

Commit

Permalink
Update cargo-deny and some dependencies (#4386)
Browse files Browse the repository at this point in the history
* Closes #4382
  • Loading branch information
emilk authored Apr 21, 2024
1 parent c630a8d commit 89d7f9f
Show file tree
Hide file tree
Showing 2 changed files with 129 additions and 46 deletions.
120 changes: 92 additions & 28 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

55 changes: 37 additions & 18 deletions deny.toml
Original file line number Diff line number Diff line change
@@ -1,7 +1,17 @@
# https://embarkstudios.github.io/cargo-deny/
# Copied from https://github.com/rerun-io/rerun_template
#
# https://github.com/EmbarkStudios/cargo-deny
#
# cargo-deny checks our dependency tree for copy-left licenses,
# duplicate dependencies, and rustsec advisories (https://rustsec.org/advisories).
#
# Install: `cargo install cargo-deny`
# Check: `cargo deny check`.


# Note: running just `cargo deny check` without a `--target` can result in
# false positives due to https://github.com/EmbarkStudios/cargo-deny/issues/324
[graph]
targets = [
{ triple = "aarch64-apple-darwin" },
{ triple = "i686-pc-windows-gnu" },
Expand All @@ -15,35 +25,38 @@ targets = [
{ triple = "x86_64-unknown-linux-musl" },
{ triple = "x86_64-unknown-redox" },
]
all-features = true


[advisories]
vulnerability = "deny"
unmaintained = "warn"
yanked = "deny"
version = 2
ignore = [
"RUSTSEC-2020-0071", # https://rustsec.org/advisories/RUSTSEC-2020-0071 - chrono/time: Potential segfault in the time crate
"RUSTSEC-2024-0320", # unmaintaines yaml-rust pulled in by syntect
{ name = "async-process" }, # yanked crated pulled in by old accesskit
]


[bans]
multiple-versions = "deny"
wildcards = "allow" # at least until https://github.com/EmbarkStudios/cargo-deny/issues/241 is fixed
wildcards = "deny"
deny = [
{ name = "cmake" }, # Lord no
{ name = "openssl-sys" }, # prefer rustls
{ name = "openssl" }, # prefer rustls
{ name = "cmake", reason = "It has hurt me too much" },
{ name = "openssl-sys", reason = "Use rustls" },
{ name = "openssl", reason = "Use rustls" },
]

skip = [
{ name = "bitflags" }, # old 1.0 version via glutin, png, spirv, …
{ name = "event-listener" }, # TODO(emilk): rustls pulls in two versions of this 😭
{ name = "libloading" }, # wgpu-hal itself depends on 0.8 while some of its dependencies, like ash and d3d12, depend on 0.7
{ name = "memoffset" }, # tiny dependency
{ name = "quick-xml" }, # old version via wayland-scanner
{ name = "redox_syscall" }, # old version via directories-next
{ name = "spin" }, # old version via ring through rusttls and other libraries, newer for wgpu.
{ name = "time" }, # old version pulled in by unmaintianed crate 'chrono'
{ name = "windows" }, # old version via accesskit_windows
{ name = "x11rb" }, # old version via arboard
{ name = "x11rb-protocol" }, # old version via arboard
{ name = "x11rb" }, # old version via arboard
]
skip-tree = [
{ name = "criterion" }, # dev-dependency
Expand All @@ -56,26 +69,27 @@ skip-tree = [


[licenses]
unlicensed = "deny"
allow-osi-fsf-free = "neither"
confidence-threshold = 0.92 # We want really high confidence when inferring licenses from text
copyleft = "deny"
version = 2
private = { ignore = true }
confidence-threshold = 0.93 # We want really high confidence when inferring licenses from text
allow = [
"Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html
"Apache-2.0", # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
"BSD-2-Clause", # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd)
"BSD-3-Clause", # https://tldrlegal.com/license/bsd-3-clause-license-(revised)
"BSL-1.0", # https://tldrlegal.com/license/boost-software-license-1.0-explained
"CC0-1.0", # https://creativecommons.org/publicdomain/zero/1.0/
"ISC", # https://tldrlegal.com/license/-isc-license
"LicenseRef-UFL-1.0", # https://tldrlegal.com/license/ubuntu-font-license,-1.0 - no official SPDX, see https://github.com/emilk/egui/issues/2321
"ISC", # https://www.tldrlegal.com/license/isc-license
"LicenseRef-UFL-1.0", # no official SPDX, see https://github.com/emilk/egui/issues/2321
"MIT-0", # https://choosealicense.com/licenses/mit-0/
"MIT", # https://tldrlegal.com/license/mit-license
"MPL-2.0", # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - see Q11
"MPL-2.0", # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - see Q11. Used by webpki-roots on Linux.
"OFL-1.1", # https://spdx.org/licenses/OFL-1.1.html
"OpenSSL", # https://www.openssl.org/source/license.html
"OpenSSL", # https://www.openssl.org/source/license.html - used on Linux
"Unicode-DFS-2016", # https://spdx.org/licenses/Unicode-DFS-2016.html
"Zlib", # https://tldrlegal.com/license/zlib-libpng-license-(zlib)
]
exceptions = []

[[licenses.clarify]]
name = "webpki"
Expand All @@ -86,3 +100,8 @@ license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]


[sources]
unknown-registry = "deny"
unknown-git = "deny"

0 comments on commit 89d7f9f

Please sign in to comment.