# Note that all fields that take a lint level have these possible values:
# * deny - An error will be produced and the check will fail
# * warn - A warning will be produced, but the check will not fail
# * allow - No warning or error will be produced, though in some cases a note
# will still be emitted
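# This section is considered when running `cargo deny check advisories`.
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
version = 2
# A yanked release was withdrawn by its publisher; never let one linger in the
# lock file unnoticed.
yanked = "deny"
# Unmaintained crate advisories — all transitive via abscissa_core/structopt or direct.
# Each entry carries its justification in `reason` so the motive is shown in the
# cargo-deny diagnostic itself, not only in this file. Remove each ignore entry as
# the dependency chain is upgraded; cargo-deny flags ignore entries that no longer
# match anything in the lock file, so check its output after every upgrade.
ignore = [
    { id = "RUSTSEC-2021-0139", reason = "ansi_term: transitive via abscissa_core -> structopt" },
    { id = "RUSTSEC-2024-0375", reason = "atty: transitive via abscissa_core -> structopt" },
    { id = "RUSTSEC-2024-0370", reason = "proc-macro-error: transitive via abscissa_core -> structopt" },
    { id = "RUSTSEC-2025-0119", reason = "number_prefix: transitive via indicatif" },
    { id = "RUSTSEC-2025-0141", reason = "bincode: direct dependency" },
]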
# This section is considered when running `cargo deny check licenses`.
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
[licenses]
# Minimum confidence (0.0–1.0) cargo-deny requires when it infers a licence from
# a crate's licence text; a weaker match is discarded rather than trusted.
confidence-threshold = 0.8
# SPDX expressions accepted anywhere in the dependency graph. The list is a set,
# so it is kept sorted to make a new entry an obvious one-line diff.
allow = [
    "0BSD",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDDL-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    "MIT-0",
    "MPL-2.0",
    "Unicode-3.0",
    "Unlicense",
    "Zlib",
]
# Per-crate licences allowed beyond the set above; none at the moment.
exceptions = []

# rustls-webpki uses a custom ISC-style licence text, so its expression is stated
# explicitly instead of being detected. The hash pins the content of LICENSE:
# cargo-deny reports a mismatch if that file changes, so a relicensing of the
# crate cannot slip past this clarification unnoticed.
[[licenses.clarify]]
name = "rustls-webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
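# This section is considered when running `cargo deny check bans`.
# More documentation about the 'bans' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
# Lint level for when multiple versions of the same crate are detected
multiple-versions = "deny"
# Don't allow wildcard ("any version") dependencies
# TODO: Change to `deny` after we upgrade to crates.io version of the ECC dependencies (#8749).
# While this stays at `allow`, a `*` requirement is pinned only by Cargo.lock, so
# lock-file updates for those crates need the review this check would otherwise force.
wildcards = "allow"
# Allow private and dev wildcard dependencies.
# Switch this to `false` when #6924 is implemented.
allow-wildcard-paths = true
# The graph highlighting used when creating dotgraphs for crates
# with multiple versions
# * lowest-version - The path to the lowest versioned duplicate is highlighted
# * simplest-path - The path to the version with the fewest edges is highlighted
# * all - Both lowest-version and simplest-path are used
highlight = "all"
# List of crates that are allowed. Use with care!
#allow = [
#]
# List of crates that can never become Zebra dependencies.
deny = [
    # Often has memory safety vulnerabilities.
    # Enabled by --all-features, use the `cargo hack` script in the deny.toml CI job instead.
    { name = "openssl" },
    { name = "openssl-sys" },
]
# Certain crates/versions that will be skipped when doing duplicate detection.
# We only use this for some `librustzcash` and `orchard` crates.
# If we add a crate here, duplicate dependencies of that crate are still shown.
# NOTE(review): the list is currently empty, so the sentence above may be stale — confirm.
skip = []
# Similarly to `skip` allows you to skip certain crates during duplicate
# detection. Unlike skip, it also includes the entire tree of transitive
# dependencies starting at the specified crate, up to a certain depth, which is
# by default infinite.
#
# `version` is a semver requirement: `=x.y.z` covers exactly one release, while a
# bare `x.y` covers every compatible release, so a bare requirement can keep hiding
# new duplicates long after the one it was added for is gone. Prefer exact pins,
# and record on every entry who pulls the crate and what unblocks its removal.
skip-tree = [
    # wait for ordered-map to release a dependency fix
    { name = "ordered-map", version = "=0.4.2" },
    # wait for structopt upgrade (or upgrade to clap 4)
    { name = "clap", version = "=2.34.0" },
    # wait for abscissa_core to upgrade
    { name = "tracing-log", version = "=0.1.4" },
    # Multiple base64 versions through different dependencies
    { name = "base64", version = "=0.21.7" },
    # wait for abscissa_core to update toml
    { name = "toml", version = "=0.5.11" },
    # wait for structopt-derive to update heck
    { name = "heck", version = "=0.3.3" },
    # wait for librocksdb-sys to update bindgen
    { name = "bindgen", version = "=0.69.5" },
    # wait for halo2_gadgets and primitive-types to update uint
    { name = "uint", version = "=0.9.5" },
    # wait for zebra to update tower
    { name = "tower", version = "=0.4.13" },
    # wait for zebra to update vergen
    { name = "thiserror", version = "=1.0.69" },
    { name = "thiserror-impl", version = "=1.0.69" },
    # wait for all librustzcash crates to update sha2, secp256k1, and ripemd
    { name = "sha2", version = "=0.10.9" },
    { name = "ripemd", version = "=0.1.3" },
    # pre-release RustCrypto crates pulled in by librustzcash 2026-04 release wave;
    # remove once the broader ecosystem catches up to the same pre-release line
    { name = "block-buffer", version = "=0.11.0-rc.3" },
    { name = "crypto-common", version = "=0.2.0-rc.1" },
    { name = "digest", version = "=0.11.0-pre.9" },
    # console 0.15.x is pulled by indicatif (via howudoin); 0.16.x by insta (dev-dep).
    # remove once indicatif/howudoin update to console 0.16.
    { name = "console", version = "=0.15.11" },
    # hashbrown 0.16.x pulled by ed25519-zebra; 0.17.x by indexmap 2.14 (transitive of librustzcash).
    # remove once ed25519-zebra updates hashbrown.
    { name = "hashbrown", version = "=0.16.1" },
    # toml 0.9.x pulled by zebrad direct; 1.1.x by config 0.15 (also via zebrad).
    # toml 1.x is the spec-1.1 line; remove once zebrad migrates its direct dep.
    { name = "toml", version = "=0.9.12+spec-1.1.0" },
    # winnow 0.7.x pulled by toml 0.9.x; 1.x by toml 1.x / config 0.15.
    # resolved together with the toml entry above.
    { name = "winnow", version = "=0.7.15" },
    # wait for abscissa_core to update synstructure
    { name = "synstructure", version = "=0.12.6" },
    # wait for librustzcash to update tonic
    { name = "tonic", version = "0.12" },
    { name = "prost-types", version = "0.13" },
    # NOTE(review): no reason recorded for the next three entries — add who pulls
    # them and what unblocks removal, or drop them if they no longer match.
    { name = "windows-sys", version = "=0.52.0" },
    { name = "indexmap", version = "1.9" },
    { name = "hashbrown", version = "0.12" },
    # hashbrown 0.15.x pulled by various deps; 0.16.x pulled by indexmap 2.x
    # NOTE(review): this attributes hashbrown 0.16.x to indexmap, while the `=0.16.1`
    # entry above attributes it to ed25519-zebra — confirm with `cargo tree -i hashbrown`
    # and keep one account.
    { name = "hashbrown", version = "0.15" },
    # itertools 0.13.x pulled by halo2 deps; 0.14.x pulled by other deps
    { name = "itertools", version = "0.13" },
    # NOTE(review): no reason recorded for the rand 0.8 family — presumably the
    # older line pulled by the ECC crates; confirm and note what unblocks removal.
    { name = "getrandom", version = "0.2" },
    { name = "rand", version = "0.8" },
    { name = "rand_core", version = "0.6" },
    { name = "rand_chacha", version = "0.3" },
    # wait for derive_builder to update
    { name = "darling", version = "0.20.11" },
    # wait until `config` updates `convert_case`
    { name = "convert_case", version = "0.6.0" },
    # wait until `config` updates `toml`
    { name = "toml_datetime", version = "0.7.5" },
    # NOTE(review): no reason recorded; this is a bare `^0.3.4` requirement, so it
    # will also hide any later 0.3.x duplicate — add the reason or pin exactly.
    { name = "getrandom", version = "0.3.4" },
]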
# This section is considered when running `cargo deny check sources`.
# More documentation about the 'sources' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
# Lint level for what to happen when a crate from a crate registry that is not
# in the allow list is encountered
unknown-registry = "deny"
# Lint level for what to happen when a crate from a git repository that is not
# in the allow list is encountered
unknown-git = "deny"
# List of URLs for allowed crate registries. Defaults to the crates.io index
# if not specified. If it is specified but empty, no registries are allowed.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of URLs for allowed Git repositories. An entry allows the repository as a
# whole rather than a particular branch or commit; the revision actually built is
# fixed by the `rev`/`branch` in the manifests and by Cargo.lock, so those are
# what need review when one of these sources moves. Kept sorted.
allow-git = [
    "https://github.com/zcash/incrementalmerkletree",
    "https://github.com/zcash/librustzcash.git",
    "https://github.com/zcash/orchard",
    "https://github.com/zcash/sapling-crypto",
]

# Organisations whose repositories are allowed wholesale. None: every git source
# must be listed individually above.
[sources.allow-org]
github = []