forked from MaterializeInc/materialize
-
Notifications
You must be signed in to change notification settings - Fork 1
/
deny.toml
181 lines (157 loc) · 5.06 KB
/
deny.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
[advisories]
ignore = [
# chrono calls localtime_r, which can result in memory unsafety if another
# thread is simultaneously calling setenv. The likelihood of this happening
# in Materialize is exceptionally low (we don't call setenv directly
# anywhere, and it is unlikely that our dependencies do either). There is
# no easy fix for chrono (https://github.com/chronotope/chrono/issues/499),
# so we're just ignoring the advisory for now.
"RUSTSEC-2020-0159",
# flatbuffers exposes pub methods that are unsafe but not marked as unsafe.
# These methods are not part of the "true" public API but are intended to be
# used only by flatbuffers generated code. This is a transitive dependency
# of ours and the issue has been mitigated by the arrow2 direct dependency
# with additional miri testing.
#
# https://github.com/jorgecarleitao/arrow2/blob/v0.8.1/.github/workflows/security.yml
"RUSTSEC-2021-0122",
]
[bans]
multiple-versions = "deny"
skip = [
# Do not add to this list without good reason! Duplicate dependencies slow
# down compilation and bloat the binary.
# Waiting for csv, http, and aws_smithy_types to upgrade to v1.0.
{ name = "itoa", version = "0.4.1" },
# Waiting for tokio to upgrade to mio 0.8
{ name = "mio", version = "0.7.11" },
]
# Use `prost` or `protobuf-native` instead.
[[bans.deny]]
name = "protobuf"
# The `md5` and `sha1` crates are not part of the RustCrypto project. Use
# `md-5` and `sha-1` instead, despite their somewhat suspicious names.
[[bans.deny]]
name = "md5"
wrappers = ["aws-sdk-s3"]
[[bans.deny]]
name = "sha1"
# Strum has suspect code quality and includes many unneeded features. Use
# more targeted enum macro crates, e.g. `enum-kinds`.
[[bans.deny]]
name = "strum"
[[bans.deny]]
name = "strum-macros"
# `thiserror` requires everyone to learn a special DSL. Our current position is
# that it is clearer to require manual implementations of the `Error` trait.
[[bans.deny]]
name = "thiserror"
wrappers = [
# Only list third-party crates here.
"async-native-tls",
"aws-http",
"aws-smithy-xml",
"aws-sig-auth",
"flatbuffers",
"mysql_async",
"mysql_common",
"pprof",
"proc-macro-crate",
"prometheus",
"protoc",
"protobuf-codegen",
"protobuf-codegen-pure",
"protobuf-parse",
"pubnub-core",
"pubnub-hyper",
"sysctl",
"tiberius",
"zip",
]
[[bans.deny]]
name = "log"
wrappers = [
"wasm-bindgen-backend",
"want",
"tracing-log",
"tracing",
"tokio-util",
"tokio-postgres",
"reqwest",
# TODO(guswynn): switch to tracing in rdkafka
"rdkafka",
"pubnub-hyper",
"pubnub-core",
"prost-build",
"pprof",
"postgres",
"os_info",
"opentls",
"native-tls",
"mio",
"globset",
"fail",
"env_logger",
# TODO(guswynn): switch to `tracing:enabled!` when its released
"mz-dataflow",
"mz-coord",
]
# We prefer the system's native TLS or OpenSSL to Rustls, since they are more
# mature and more widely used.
[[bans.deny]]
name = "rustls"
# The `uncased` crate serves the same purpose as `unicase` and is more
# actively maintained.
[[bans.deny]]
name = "unicase"
wrappers = ["mime_guess"]
[licenses]
allow = [
"Apache-2.0",
"CC0-1.0",
"0BSD",
"BSD-2-Clause",
"BSD-3-Clause",
"ICU",
"ISC",
"MIT",
]
copyleft = "deny"
private = { ignore = true }
[[licenses.clarify]]
name = "ring"
expression = "ISC"
license-files = [
{ path = "LICENSE", hash = 0xbd0eed23 }
]
[sources]
unknown-git = "deny"
unknown-registry = "deny"
allow-git = [
# Waiting on https://github.com/lu-zero/autotools-rs/pull/27 to make it into
# a release.
"https://github.com/lu-zero/autotools-rs.git",
# Waiting on https://github.com/blackbeam/rust_mysql_common/pull/55
"https://github.com/blackbeam/rust_mysql_common.git",
# See the patch in Cargo.toml.
"https://github.com/MaterializeInc/headers.git",
# Waiting on several PRs to a mostly-abandoned upstream library.
"https://github.com/MaterializeInc/pubnub-rust.git",
# Waiting on https://github.com/sfackler/rust-postgres/pull/752.
"https://github.com/MaterializeInc/rust-postgres.git",
"https://github.com/MaterializeInc/rust-postgres-array.git",
"https://github.com/MaterializeInc/rust-prometheus.git",
# Waiting on https://github.com/tokio-rs/prost/pull/576.
"https://github.com/MaterializeInc/prost.git",
# Waiting on https://github.com/bheisler/criterion.rs/pull/543.
"https://github.com/MaterializeInc/criterion.rs.git",
# Until https://github.com/jorgecarleitao/parquet-format-rs/pull/2 is merged and released
"https://github.com/MaterializeInc/parquet-format-rs.git",
# Dependencies that we control upstream whose official releases we don't
# care about.
"https://github.com/MaterializeInc/cloud-sdks.git",
"https://github.com/frankmcsherry/columnation",
"https://github.com/TimelyDataflow/timely-dataflow",
"https://github.com/TimelyDataflow/differential-dataflow.git",
"https://github.com/fede1024/rust-rdkafka.git",
]