From 4973040380692b736f3d0cfc19930a6d8ccca3d5 Mon Sep 17 00:00:00 2001
From: Hubert
Date: Tue, 26 Aug 2025 09:43:13 +0200
Subject: [PATCH 1/3] chore: backport deny to v3 branch
---
 .github/workflows/audit.yml | 14 --------------
 .github/workflows/deny.yml | 18 ++++++++++++++++++
 deny.toml | 22 ++++++++++++++++++++++
 testing/conformance/Cargo.toml | 1 +
 4 files changed, 41 insertions(+), 14 deletions(-)
 delete mode 100644 .github/workflows/audit.yml
 create mode 100644 .github/workflows/deny.yml
 create mode 100644 deny.toml
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
deleted file mode 100644
index 3c1d8907ac..0000000000
--- a/.github/workflows/audit.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: Cargo audit
-on:
- push:
- paths:
- - '**/Cargo.toml'
- - '**/Cargo.lock'
-jobs:
- security_audit:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: rustsec/audit-check@bb800784d9c5b0afa352b75dae201bf2e438960a
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
new file mode 100644
index 0000000000..373294d5cd
--- /dev/null
+++ b/.github/workflows/deny.yml
@@ -0,0 +1,18 @@
+# This workflow will run `cargo-deny`, checking for dependency issues related to licensing, known vulnerabilities, and more.
+# The configuration file is in [deny.toml](../../deny.toml).
+name: Cargo Deny
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ merge_group:
+
+jobs:
+ cargo-deny:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ rust-version: "1.86.0"
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000000..0ed47fb65d
--- /dev/null
+++ b/deny.toml
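Review bot: The new workflow references `EmbarkStudios/cargo-deny-action@v2` and `actions/checkout@v4` by mutable tag, whereas the audit.yml this patch deletes pinned `rustsec/audit-check` to a full commit SHA, so the backport loosens the pinning of a third-party action that runs on every pull request and merge group. Pin both to a commit SHA and keep the tag as a comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha> # v2`. The `push` trigger is limited to `master`; since the subject says this is a backport to the v3 branch, pushes to that branch would not run the check unless it is `master`, which is worth confirming against the actual branch name.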
@@ -0,0 +1,22 @@
+[advisories]
+ignore = [
+ "RUSTSEC-2024-0436", # Paste is unmaintained, whatever.
+ "RUSTSEC-2025-0046", # wasmtime, only impacting WASI, tracked in https://github.com/filecoin-project/ref-fvm/issues/2186
+]
+
+[bans]
+multiple-versions = "allow"
+
+[licenses]
+allow = [
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "CC0-1.0",
+ "MIT",
+ "Unlicense",
+ "MPL-2.0",
+ "Unicode-3.0",
+ "Zlib",
+]
diff --git a/testing/conformance/Cargo.toml b/testing/conformance/Cargo.toml
index 71db764690..f2eff9d6d9 100644
--- a/testing/conformance/Cargo.toml
+++ b/testing/conformance/Cargo.toml
@@ -7,6 +7,7 @@ edition.workspace = true
 exclude = ["/test-vectors"]
 publish = false
 repository = "https://github.com/filecoin-project/ref-fvm"
+license.workspace = true
 
 [dependencies]
 fvm = { workspace = true, features = ["testing"] }
From f43b974bbf7be462b7cab7c7fda976c6b10f0485 Mon Sep 17 00:00:00 2001
From: Hubert Bugaj
Date: Tue, 26 Aug 2025 10:00:47 +0200
Subject: [PATCH 2/3] update `slab`
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index ed93abca65..02bae94475 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3214,9 +3214,9 @@ dependencies = [
 
 [[package]]
 name = "slab"
-version = "0.4.10"
+version = "0.4.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04dc19736151f35336d325007ac991178d504a119863a2fcb3758cdb5e52c50d"
+checksum = "7a2ae44ef20feb57a68b23d846850f861394c2e02dc425a50098ae8c90267589"
 
 [[package]]
 name = "smallvec"
From bd86956ce45aa5b35feda3c19db6823a13705690 Mon Sep 17 00:00:00 2001
From: Hubert Bugaj
Date: Tue, 26 Aug 2025 10:02:23 +0200
Subject: [PATCH 3/3] update `replace_with`
---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 02bae94475..9e80f1d495 100644
--- a/Cargo.lock
+++ b/Cargo.lock
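Review bot: The two advisory ignores in `[advisories].ignore` keep their justification only in trailing comments, and the first ("Paste is unmaintained, whatever.") names no condition for revisiting it; cargo-deny accepts the table form `{ id = "RUSTSEC-2024-0436", reason = "..." }`, which keeps the rationale attached to the id rather than in a comment tooling cannot see. For RUSTSEC-2025-0046 the comment links a tracking issue, but nothing here will prompt removal of the ignore once wasmtime is upgraded, so stating the fixed version in the reason would help. No `[sources]` table is configured, so cargo-deny's defaults for unknown registries and git dependencies apply; if the intent is crates.io only, make it explicit with `[sources]` `unknown-registry = "deny"` / `unknown-git = "deny"`.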
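Review bot: `license.workspace = true` resolves only if the root `Cargo.toml` on the target branch declares `[workspace.package] license`, and that file is not touched by this series; if the v3 branch lacks it, cargo rejects the manifest before cargo-deny runs, so confirm it exists there. The line is presumably added so the `[licenses]` check in deny.toml can classify this `publish = false` crate; if the conformance crate is not meant to carry a license, `private = { ignore = true }` under `[licenses]` in deny.toml is the alternative. The enclosing `[package]` table starts before this hunk.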
@@ -2924,9 +2924,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "replace_with"
-version = "0.1.7"
+version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e3a8614ee435691de62bcffcf4a66d91b3594bf1428a5722e79103249a095690"
+checksum = "51743d3e274e2b18df81c4dc6caf8a5b8e15dbe799e0dca05c7617380094e884"
 
 [[package]]
 name = "rfc6979"