99# The values provided in this template are the default values that will be used
1010# when any section or field is not specified in your own configuration
1111
12+ # Root options
13+
14+ # The graph table configures how the dependency graph is constructed and thus
15+ # which crates the checks are performed against
16+ [graph ]
1217# If 1 or more target triples (and optionally, target_features) are specified,
1318# only the specified targets will be checked when running `cargo deny check`.
1419# This means, if a particular package is only ever used as a target specific
2025targets = [
2126 # The triple can be any string, but only the target triples built in to
2227 # rustc (as of 1.40) can be checked against actual config expressions
23- # { triple = "x86_64-unknown-linux-musl" } ,
28+ # "x86_64-unknown-linux-musl",
2429 # You can also specify which target_features you promise are enabled for a
2530 # particular target. target_features are currently not validated against
2631 # the actual valid features supported by the target architecture.
2732 # { triple = "wasm32-unknown-unknown", features = ["atomics"] },
2833]
34+ # When creating the dependency graph used as the source of truth when checks are
35+ # executed, this field can be used to prune crates from the graph, removing them
36+ # from the view of cargo-deny. This is an extremely heavy hammer, as if a crate
37+ # is pruned from the graph, all of its dependencies will also be pruned unless
38+ # they are connected to another crate in the graph that hasn't been pruned,
39+ # so it should be used with care. The identifiers are [Package ID Specifications]
40+ # (https://doc.rust-lang.org/cargo/reference/pkgid-spec.html)
41+ # exclude = []
42+ # If true, metadata will be collected with `--all-features`. Note that this can't
43+ # be toggled off if true, if you want to conditionally enable `--all-features` it
44+ # is recommended to pass `--all-features` on the cmd line instead
45+ all-features = false
46+ # If true, metadata will be collected with `--no-default-features`. The same
47+ # caveat with `all-features` applies
48+ no-default-features = false
49+ # If set, these feature will be enabled when collecting metadata. If `--features`
50+ # is specified on the cmd line they will take precedence over this option.
51+ # features = []
52+
53+ # The output table provides options for how/if diagnostics are outputted
54+ [output ]
55+ # When outputting inclusion graphs in diagnostics that include features, this
56+ # option can be used to specify the depth at which feature edges will be added.
57+ # This option is included since the graphs can be quite large and the addition
58+ # of features from the crate(s) to all of the graph roots can be far too verbose.
59+ # This option can be overridden via `--feature-depth` on the cmd line
60+ feature-depth = 1
2961
3062# This section is considered when running `cargo deny check advisories`
3163# More documentation for the advisories section can be found here:
3264# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
3365[advisories ]
34- # The path where the advisory database is cloned/fetched into
35- db-path = " ~/.cargo/ advisory-db "
66+ # The path where the advisory databases are cloned/fetched into
67+ # db-path = "$CARGO_HOME/ advisory-dbs "
3668# The url(s) of the advisory databases to use
37- db-urls = [" https://github.com/rustsec/advisory-db" ]
38- # The lint level for security vulnerabilities
39- vulnerability = " deny"
40- # The lint level for unmaintained crates
41- unmaintained = " warn"
42- # The lint level for crates that have been yanked from their source registry
43- yanked = " warn"
44- # The lint level for crates with security notices. Note that as of
45- # 2019-12-17 there are no security notice advisories in
46- # https://github.com/rustsec/advisory-db
47- notice = " warn"
69+ # db-urls = ["https://github.com/rustsec/advisory-db"]
4870# A list of advisory IDs to ignore. Note that ignored advisories will still
4971# output a note when they are encountered.
50- ignore = []
51- # Threshold for security vulnerabilities, any vulnerability with a CVSS score
52- # lower than the range specified will be ignored. Note that ignored advisories
53- # will still output a note when they are encountered.
54- # * None - CVSS Score 0.0
55- # * Low - CVSS Score 0.1 - 3.9
56- # * Medium - CVSS Score 4.0 - 6.9
57- # * High - CVSS Score 7.0 - 8.9
58- # * Critical - CVSS Score 9.0 - 10.0
59- # severity-threshold =
72+ ignore = [
73+ " RUSTSEC-2024-0370" ,
74+ # { id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
75+ # "a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
76+ # { crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
77+ ]
78+ # If this is true, then cargo deny will use the git executable to fetch advisory database.
79+ # If this is false, then it uses a built-in git library.
80+ # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
81+ # See Git Authentication for more information about setting up git authentication.
82+ # git-fetch-with-cli = true
6083
6184# This section is considered when running `cargo deny check licenses`
6285# More documentation for the licenses section can be found here:
6386# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
6487[licenses ]
65- # The lint level for crates which do not have a detectable license
66- unlicensed = " deny"
67- # List of explictly allowed licenses
88+ # List of explicitly allowed licenses
6889# See https://spdx.org/licenses/ for list of possible licenses
6990# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
7091allow = [
@@ -83,28 +104,7 @@ allow = [
83104 " OFL-1.1" ,
84105 " LicenseRef-UFL-1.0" ,
85106 " OpenSSL" ,
86- " GPL-3.0" ,
87107]
88- # List of explictly disallowed licenses
89- # See https://spdx.org/licenses/ for list of possible licenses
90- # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
91- deny = [
92- # "Nokia",
93- ]
94- # Lint level for licenses considered copyleft
95- copyleft = " warn"
96- # Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
97- # * both - The license will be approved if it is both OSI-approved *AND* FSF
98- # * either - The license will be approved if it is either OSI-approved *OR* FSF
99- # * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF
100- # * fsf-only - The license will be approved if is FSF *AND NOT* OSI-approved
101- # * neither - This predicate is ignored and the default lint level is used
102- allow-osi-fsf-free = " neither"
103- # Lint level used when no other predicates are matched
104- # 1. License isn't in the allow or deny lists
105- # 2. License isn't copyleft
106- # 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
107- default = " deny"
108108# The confidence threshold for detecting a license from license text.
109109# The higher the value, the more closely the license text must be to the
110110# canonical license text of a valid SPDX license file.
@@ -115,17 +115,15 @@ confidence-threshold = 0.8
115115exceptions = [
116116 # Each entry is the crate and version constraint, and its specific allow
117117 # list
118- # { allow = ["Zlib"], name = "adler32", version = "* " },
118+ # { allow = ["Zlib"], crate = "adler32" },
119119]
120120
121121# Some crates don't have (easily) machine readable licensing information,
122122# adding a clarification entry for it allows you to manually specify the
123123# licensing information
124124[[licenses .clarify ]]
125- # The name of the crate the clarification applies to
126- name = " ring"
127- # The optional version constraint for the crate
128- version = " *"
125+ # The package spec the clarification applies to
126+ crate = " ring"
129127# The SPDX expression for the license requirements of the crate
130128expression = " MIT AND ISC AND OpenSSL"
131129# One or more files in the crate's source used as the "source of truth" for
@@ -140,7 +138,9 @@ license-files = [
140138
141139[licenses .private ]
142140# If true, ignores workspace crates that aren't published, or are only
143- # published to private registries
141+ # published to private registries.
142+ # To see how to mark a crate as unpublished (to the official registry),
143+ # visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
144144ignore = false
145145# One or more private registries that you might publish crates to, if a crate
146146# is only published to private registries, and ignore is true, the crate will
@@ -163,30 +163,63 @@ wildcards = "allow"
163163# * simplest-path - The path to the version with the fewest edges is highlighted
164164# * all - Both lowest-version and simplest-path are used
165165highlight = " all"
166+ # The default lint level for `default` features for crates that are members of
167+ # the workspace that is being checked. This can be overridden by allowing/denying
168+ # `default` on a crate-by-crate basis if desired.
169+ workspace-default-features = " allow"
170+ # The default lint level for `default` features for external crates that are not
171+ # members of the workspace. This can be overridden by allowing/denying `default`
172+ # on a crate-by-crate basis if desired.
173+ external-default-features = " allow"
166174# List of crates that are allowed. Use with care!
167175allow = [
168- # { name = "ansi_term", version = "=0.11.0" },
176+ # "ansi_term@0.11.0",
177+ # { crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" },
169178]
170179# List of crates to deny
171180deny = [
172- # Each entry the name of a crate and a version range. If version is
173- # not specified, all versions will be matched.
174- # { name = "ansi_term", version = "=0.11.0" },
175- #
181+ # "ansi_term@0.11.0",
182+ # { crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" },
176183 # Wrapper crates can optionally be specified to allow the crate when it
177184 # is a direct dependency of the otherwise banned crate
178- # { name = "ansi_term", version = "= 0.11.0", wrappers = [] },
185+ # { crate = "ansi_term@ 0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term" ] },
179186]
187+
188+ # List of features to allow/deny
189+ # Each entry the name of a crate and a version range. If version is
190+ # not specified, all versions will be matched.
191+ # [[bans.features]]
192+ # crate = "reqwest"
193+ # Features to not allow
194+ # deny = ["json"]
195+ # Features to allow
196+ # allow = [
197+ # "rustls",
198+ # "__rustls",
199+ # "__tls",
200+ # "hyper-rustls",
201+ # "rustls",
202+ # "rustls-pemfile",
203+ # "rustls-tls-webpki-roots",
204+ # "tokio-rustls",
205+ # "webpki-roots",
206+ # ]
207+ # If true, the allowed features must exactly match the enabled feature set. If
208+ # this is set there is no point setting `deny`
209+ # exact = true
210+
180211# Certain crates/versions that will be skipped when doing duplicate detection.
181212skip = [
182- # { name = "ansi_term", version = "=0.11.0" },
213+ # "ansi_term@0.11.0",
214+ # { crate = "ansi_term@0.11.0", reason = "you can specify a reason why it can't be updated/removed" },
183215]
184216# Similarly to `skip` allows you to skip certain crates during duplicate
185217# detection. Unlike skip, it also includes the entire tree of transitive
186218# dependencies starting at the specified crate, up to a certain depth, which is
187- # by default infinite
219+ # by default infinite.
188220skip-tree = [
189- # { name = "ansi_term", version = "=0.11.0", depth = 20 },
221+ # "ansi_term@0.11.0", # will be skipped along with _all_ of its direct and transitive dependencies
222+ # { crate = "ansi_term@0.11.0", depth = 20 },
190223]
191224
192225# This section is considered when running `cargo deny check sources`.
@@ -206,9 +239,9 @@ allow-registry = ["https://github.com/rust-lang/crates.io-index"]
206239allow-git = []
207240
208241[sources .allow-org ]
209- # 1 or more github.com organizations to allow git sources for
242+ # github.com organizations to allow git sources for
210243github = [" encounter" ]
211- # 1 or more gitlab.com organizations to allow git sources for
212- # gitlab = ["" ]
213- # 1 or more bitbucket.org organizations to allow git sources for
214- # bitbucket = ["" ]
244+ # gitlab.com organizations to allow git sources for
245+ gitlab = []
246+ # bitbucket.org organizations to allow git sources for
247+ bitbucket = []
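Review bot: The `[advisories]` `ignore` list now carries `"RUSTSEC-2024-0370"` as a bare ID, so the suppression is recorded with no justification and no condition for lifting it. The template's own commented example on the next line shows the table form; I would write the entry as `{ id = "RUSTSEC-2024-0370", reason = "<why this advisory is accepted and what would let it be removed>" },` so the exception can be audited and dropped once the affected dependency is gone. This matters more here because the same commit removes the explicit `vulnerability`, `unmaintained`, `yanked` and `notice` lint levels from that table, leaving `ignore` as the only advisory policy the file states. The effective levels then depend on the defaults of the cargo-deny version in use, which the page does not show, so it is worth confirming that `cargo deny check advisories` still fails the build on a vulnerability.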