harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3
zeroclaw/deny.toml
fettpl 2ecfcb9072
ci: add explicit advisory severity thresholds to deny.toml (#393) 
* ci: add explicit advisory severity thresholds to deny.toml

- Set vulnerability = "deny" to fail CI on known vulnerabilities
- Set unmaintained = "warn" (changed from "workspace" for clarity)
- Set notice = "warn" to surface informational advisories
- Keep yanked = "warn" as before

This improves signal-to-noise by ensuring genuine vulnerabilities
block CI while less critical advisories are surfaced as warnings.

Closes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use valid cargo-deny v2 schema values for advisories

In v2, vulnerability/notice fields are removed (always error).
- unmaintained: change "workspace" → "all" (check all deps, not just direct)
- yanked: change "warn" → "deny" (fail CI on yanked crates)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(deny): ignore RUSTSEC-2025-0141 bincode unmaintained advisory

bincode v2.0.1 is a transitive dependency via probe-rs that we cannot
easily replace. The advisory notes the project considers v1.3.3 complete.
Adding to ignore list so unmaintained="all" check passes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:14:41 -05:00

43 lines
1 KiB
TOML
Raw Blame History

# cargo-deny configuration — v2 schema
# https://embarkstudios.github.io/cargo-deny/
[advisories]
# In v2, vulnerability advisories always emit errors (not configurable).
# unmaintained: scope of unmaintained-crate checks (all | workspace | transitive | none)
unmaintained = "all"
# yanked: deny | warn | allow
yanked = "deny"
# Ignore known unmaintained transitive deps we cannot easily replace
ignore = [
# bincode v2.0.1 via probe-rs — project ceased but 1.3.3 considered complete
"RUSTSEC-2025-0141",
]
[licenses]
# All licenses are denied unless explicitly allowed
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-3.0",
"Unicode-DFS-2016",
"OpenSSL",
"Zlib",
"MPL-2.0",
"CDLA-Permissive-2.0",
"0BSD",
]
unused-allowed-license = "allow"
[bans]
multiple-versions = "warn"
wildcards = "allow"
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
Reference in a new issue View git blame Copy permalink