google-cloud-rust/deny.toml at 042ad96c0454912fa9cfa474dd377f352dd36a4f · googleapis/google-cloud-rust · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# Copyright 2026 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

[graph]
targets             = []
all-features        = false
no-default-features = false

[output]
feature-depth = 1

# This section is considered when running `cargo deny check advisories`
# More documentation for the advisories section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
git-fetch-with-cli = false
ignore = [
  { id = "RUSTSEC-2023-0071", reason = "Only used in tests and no new version available" },
  { id = "RUSTSEC-2026-0009", reason = "Only affects RFC 2822 dates, which we do not use. An update is not possible, it requires bumping the MSRV to 1.88" },
]

[licenses]
allow                = ["Apache-2.0", "BSD-3-Clause", "ISC", "MIT", "Unicode-3.0"]
confidence-threshold = 0.8

[[licenses.exceptions]]
allow = ["ISC"]
crate = "aws-lc-rs"

[[licenses.exceptions]]
allow = ["Apache-2.0", "ISC", "OpenSSL"]
crate = "aws-lc-sys"

[[licenses.exceptions]]
allow = ["CDLA-Permissive-2.0"]
crate = "webpki-root-certs"

[[licenses.exceptions]]
allow = ["Zlib"]
crate = "zlib-rs"

# Used indirectly via `prost-build` and `tonic-prost-build`.
[[licenses.exceptions]]
allow = ["Zlib"]
crate = "foldhash"

# Visually inspected by coryan circa 2026-01-31
#     https://github.com/Nokel81/scoped-env/blob/master/LICENSE
[[licenses.clarify]]
crate         = "scoped-env"
expression    = "MIT"
license-files = []

# Even private crates must have a license.
[licenses.private]
ignore     = false
registries = []

[bans]
# Allow multiple versions, there are too many of them via indirect dependencies.
# Note that `bans.workspace-dependencies` can make sure we avoid dups in our
# direct dependencies.
multiple-versions = "allow"
# Lint level for when a crate version requirement is `*`
wildcards                  = "allow"
highlight                  = "all"
workspace-default-features = "allow"
external-default-features  = "allow"
# An empty list allows all crates.
allow = []
# If true, workspace members are automatically allowed even when using deny-by-default
# This is useful for organizations that want to deny all external dependencies by default
# but allow their own workspace crates without having to explicitly list them
allow-workspace = false
skip            = []

[[bans.deny]]
crate = "reqwest@0.13"
wrappers = [
  # Uses `reqwest` in its "public" API. The types are re-exported. This is
  # the main motivation for denying reqwest in general: we want to avoid
  # accidental use of the crate in other crates.
  "google-cloud-gax-internal",
  # Uses `reqwest` in the implementation, but does not expose any types in
  # the public API.
  "google-cloud-auth",
  # Use in tests is fine.
  "integration-tests",
  "integration-tests-auth",
  "integration-tests-o11y",
  "integration-tests-spanner",
  "integration-tests-storage",
  "test-auth",
  "user-guide-samples",
]

[[bans.deny]]
crate = "tonic@0.14"
wrappers = [
  # Uses `tonic` in its "public" API. The types are re-exported. This is
  # the main motivation for denying `tonic` in general: we want to avoid
  # accidental use of the crate in other crates.
  "google-cloud-gax-internal",
  # Use in tests is fine.
  "grpc-server",
  "integration-tests-o11y",
  "integration-tests-spanner",
  "pubsub-grpc-mock",
  "spanner-grpc-mock",
  "storage-grpc-mock",
  # Indirect dependencies are fine.
  "opentelemetry-otlp",
  "opentelemetry-proto",
  "tonic-prost",
]

[[bans.deny]]
crate = "tonic-prost@0.14"
wrappers = [
  # Uses `tonic-prost` in its implementation.
  "google-cloud-gax-internal",
  # Use in tests is fine.
  "grpc-server",
  "opentelemetry-proto",
  "pubsub-grpc-mock",
  "spanner-grpc-mock",
  "storage-grpc-mock",
]

[bans.workspace-dependencies]
# TODO(#4477) - use `duplicates = "deny"`.
duplicates                = "allow"
include-path-dependencies = true
unused                    = "allow"

# Only allow dependencies via crates.io
[sources]
unknown-registry = "deny"
unknown-git      = "deny"
allow-registry   = ["https://github.com/rust-lang/crates.io-index"]
allow-git        = []