From 2ecfcb9072c4a11838dea57645417231e3b52e88 Mon Sep 17 00:00:00 2001
From: fettpl <38704082+fettpl@users.noreply.github.com>
Date: Mon, 16 Feb 2026 21:14:41 +0100
Subject: [PATCH] ci: add explicit advisory severity thresholds to deny.toml (#393)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ci: add explicit advisory severity thresholds to deny.toml
- Set vulnerability = "deny" to fail CI on known vulnerabilities
- Set unmaintained = "warn" (changed from "workspace" for clarity)
- Set notice = "warn" to surface informational advisories
- Keep yanked = "warn" as before
This improves signal-to-noise by ensuring genuine vulnerabilities block CI while less critical advisories are surfaced as warnings.
Closes #363
Co-Authored-By: Claude Opus 4.6
* fix: use valid cargo-deny v2 schema values for advisories
In v2, vulnerability/notice fields are removed (always error).
- unmaintained: change "workspace" → "all" (check all deps, not just direct)
- yanked: change "warn" → "deny" (fail CI on yanked crates)
Co-Authored-By: Claude Opus 4.6
* fix(deny): ignore RUSTSEC-2025-0141 bincode unmaintained advisory
bincode v2.0.1 is a transitive dependency via probe-rs that we cannot easily replace. The advisory notes the project considers v1.3.3 complete. Adding to ignore list so unmaintained="all" check passes.
Co-Authored-By: Claude Opus 4.6
---------
Co-authored-by: Claude Opus 4.6
---
 deny.toml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/deny.toml b/deny.toml
index c716501..8f29292 100644
--- a/deny.toml
+++ b/deny.toml
@@ -2,8 +2,16 @@
 # https://embarkstudios.github.io/cargo-deny/
 [advisories]
-unmaintained = "workspace"
-yanked = "warn"
+# In v2, vulnerability advisories always emit errors (not configurable).
+# unmaintained: scope of unmaintained-crate checks (all | workspace | transitive | none)
+unmaintained = "all"
+# yanked: deny | warn | allow
+yanked = "deny"
+# Ignore known unmaintained transitive deps we cannot easily replace
+ignore = [
+ # bincode v2.0.1 via probe-rs — project ceased but 1.3.3 considered complete
+ "RUSTSEC-2025-0141",
+]
 [licenses]
 # All licenses are denied unless explicitly allowed
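Review bot: The bare `"RUSTSEC-2025-0141"` entry in the new `ignore` array records no rationale or re-check condition in the config itself, so the suppression will silently outlive the probe-rs dependency that justifies it and nobody will notice when an upgrade path appears. cargo-deny accepts the table form for ignore entries, so I would write `{ id = "RUSTSEC-2025-0141", reason = "unmaintained bincode 2.0.1 pulled in transitively via probe-rs; re-evaluate when probe-rs drops it" }` and keep the tracking issue in the reason so the justification shows up in the deny report rather than only in a comment. The comment's rationale ("1.3.3 considered complete") is also about bincode 1.x, while the crate being ignored is 2.0.1, so as written it does not actually explain why the unmaintained 2.x version is acceptable; the honest justification appears to be "no replacement available through probe-rs", and the comment should say that. Finally, the `[advisories]` section ends in this hunk, so nothing here restricts the ignore to a crate or version — if probe-rs later pulls a different bincode release this entry keeps suppressing the advisory, which is worth a sentence in the comment.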