Description
Is your feature request related to a problem or challenge? Please describe what you are trying to do.
In some downstream projects we are using cargo deny to limit the number of dependencies and to verify we do not have security vulnerabilities. It would be nice to add a configuration file to this repo and to work through issues that exist when you run it.
Describe the solution you'd like
- Add `deny.toml` to this repository
- Add `cargo deny` check to CI
- Update all upstream repositories with PRs to bring dependencies up to date so we can remove duplicates
Describe alternatives you've considered
Leave as is and let downstream repos handle issues
Additional context
During my testing I found I needed to make updates to the following upstream repositories to remove duplicates:
- `const-random-macro` chore: update getrandom dependency to 0.3.3 tkaitchuck/constrandom#37
- `ahash` PR to be opened once `constrandom` updates and releases
- `phf_generator` Publish new version to avoid build errors due to rand 0.8/0.9 incompatibility rust-phf/rust-phf#331
- `chrono-tz` once `phf_generator` publishes
- `ring` update getrandom briansmith/ring#2341
- `tracing`, `tracing-core`, and `tracing-subscriber` Release all v0.1.x crates in June 2025 tokio-rs/tracing#3282
- `lz4_flex` Request 0.11.4 release PSeitz/lz4_flex#184
- `tonic` waiting on next release
My plan is to open PRs for each of these repos with the updates needed and to post those PRs into this issue. Once all are closed we should have a very clean build. The one I didn't try to tackle was `windows-sys` because it was different in at least three different trees that would need updating and this is already a fair amount of work.
Here is an example `deny.toml` we could include:

```toml
[graph]
# Resolve the dependency graph for these targets only; platform-specific
# crates that are pulled in solely for other targets are not checked.
targets = [
    { triple = "aarch64-apple-darwin" },
    { triple = "i686-pc-windows-gnu" },
    { triple = "i686-pc-windows-msvc" },
    { triple = "i686-unknown-linux-gnu" },
    { triple = "wasm32-unknown-unknown" },
    { triple = "x86_64-apple-darwin" },
    { triple = "x86_64-pc-windows-gnu" },
    { triple = "x86_64-pc-windows-msvc" },
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "x86_64-unknown-linux-musl" },
    { triple = "x86_64-unknown-redox" },
]
all-features = true

[advisories]
version = 2
# RustSec advisories that are deliberately ignored; each entry links to the
# advisory and states why it is acceptable.
ignore = [
    "RUSTSEC-2024-0436", # https://rustsec.org/advisories/RUSTSEC-2024-0436 - paste is unmaintained - https://github.com/dtolnay/paste
]

[bans]
# Fail the check when the same crate appears at more than one version.
multiple-versions = "deny"
wildcards = "allow" # We use them for examples
deny = [
]
skip = [
]
# Do not report duplicates anywhere in the subtree below these crates.
skip-tree = [
    { name = "windows-sys" },
]

[licenses]
version = 2
private = { ignore = true }
confidence-threshold = 0.93 # We want really high confidence when inferring licenses from text
allow = [
    "Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html
    "Apache-2.0", # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
    "BSD-2-Clause", # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd)
    "BSD-3-Clause", # https://tldrlegal.com/license/bsd-3-clause-license-(revised)
    "BSL-1.0", # https://tldrlegal.com/license/boost-software-license-1.0-explained
    "CC0-1.0", # https://creativecommons.org/publicdomain/zero/1.0/
    "CDLA-Permissive-2.0", # https://cdla.dev/permissive-2-0/
    "ISC", # https://www.tldrlegal.com/license/isc-license
    "MIT", # https://tldrlegal.com/license/mit-license
    "Unicode-3.0", # https://www.unicode.org/license.txt
    "Zlib", # https://tldrlegal.com/license/zlib-libpng-license-(zlib)
]
exceptions = []

[sources]
# Reject crates that come from a registry or git repository not listed in
# allow-registry / allow-git (crates.io is allowed by default).
unknown-registry = "deny"
unknown-git = "deny"
```
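Wiring the `cargo deny` check into CI, as an added example that is not part of this issue or the project's existing CI: a GitHub Actions job that runs the four checks against the proposed `deny.toml`. It assumes the repository uses GitHub Actions and the `EmbarkStudios/cargo-deny-action` action at major version 2; the workflow name, the trigger and the runner image are placeholders. Advisories run as their own matrix entry with `continue-on-error`, so a RUSTSEC advisory published overnight shows up as a warning on unrelated PRs instead of blocking them, while `bans`, `licenses` and `sources` stay hard failures because they only change when the dependency graph itself changes.

```yaml
# .github/workflows/cargo-deny.yml (added example; name and trigger are assumptions)
name: cargo-deny
on: [push, pull_request]

jobs:
  cargo-deny:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        checks:
          - advisories
          - bans licenses sources
    # A newly published advisory should warn, not fail, unrelated changes;
    # duplicate versions, license and source problems still fail the job.
    continue-on-error: ${{ matrix.checks == 'advisories' }}
    steps:
      - uses: actions/checkout@v4
      - uses: EmbarkStudios/cargo-deny-action@v2
        with:
          # Runs "cargo deny check <checks>" with the deny.toml at the repo root.
          command: check ${{ matrix.checks }}
```

Locally the same thing is `cargo install --locked cargo-deny` followed by `cargo deny check` (all four checks) or `cargo deny check bans` for just the duplicate-version report; `cargo tree --duplicates` lists which dependency paths pull in each duplicated crate, which is what the upstream PR list above was derived from. If the team would rather treat advisories as blocking, drop `continue-on-error` and keep the `ignore` list in `deny.toml` as the only way to accept a known advisory.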