From 90474c59fa4fe6051dfb727b03def093ed97caca Mon Sep 17 00:00:00 2001
From: David Bernard
Date: Sun, 16 Feb 2025 15:15:46 +0100
Subject: [PATCH] ci: ignore some duplicate dependency (multi-version)
---
 Cargo.toml | 2 +-
 deny.toml | 112 +++++++++++++++++++++++++++--------------------------
 2 files changed, 58 insertions(+), 56 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 57f717d..c196cf5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -26,7 +26,7 @@ assert2 = "0.3"
 axum = { version = "0.8", default-features = false }
 http = "^1"
 hyper = "1"
-insta = { version = "1.40", features = ["yaml", "redactions"] }
+insta = { version = "1", features = ["yaml", "redactions"] }
 opentelemetry = { version = "0.28", features = [
 "trace",
 ], default-features = false }
diff --git a/deny.toml b/deny.toml
index 54eff16..766a06b 100644
--- a/deny.toml
+++ b/deny.toml
@@ -23,13 +23,13 @@
 # dependencies not shared by any other crates, would be ignored, as the target
 # list here is effectively saying which targets you are building for.
 targets = [
- # The triple can be any string, but only the target triples built in to
- # rustc (as of 1.40) can be checked against actual config expressions
- #"x86_64-unknown-linux-musl",
- # You can also specify which target_features you promise are enabled for a
- # particular target. target_features are currently not validated against
- # the actual valid features supported by the target architecture.
- #{ triple = "wasm32-unknown-unknown", features = ["atomics"] },
+ # The triple can be any string, but only the target triples built in to
+ # rustc (as of 1.40) can be checked against actual config expressions
+ #"x86_64-unknown-linux-musl",
+ # You can also specify which target_features you promise are enabled for a
+ # particular target. target_features are currently not validated against
+ # the actual valid features supported by the target architecture.
+ #{ triple = "wasm32-unknown-unknown", features = ["atomics"] },
 ]
 # When creating the dependency graph used as the source of truth when checks are
 # executed, this field can be used to prune crates from the graph, removing them
@@ -70,10 +70,10 @@ feature-depth = 1
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
- #"RUSTSEC-0000-0000",
- #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
- #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
- #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
+ #"RUSTSEC-0000-0000",
+ #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
+ #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
+ #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
@@ -89,17 +89,17 @@ ignore = [
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 allow = [
- "Apache-2.0",
- "Apache-2.0 WITH LLVM-exception",
- "BSD-2-Clause",
- "BSD-3-Clause",
- "CC0-1.0",
- "ISC",
- "MIT",
- "OpenSSL",
- "Unicode-3.0",
- # "Unicode-DFS-2016",
- "Unlicense",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "CC0-1.0",
+ "ISC",
+ "MIT",
+ "OpenSSL",
+ "Unicode-3.0",
+ # "Unicode-DFS-2016",
+ "Unlicense",
 ]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
@@ -109,9 +109,9 @@ confidence-threshold = 0.8 # Allow 1 or more licenses on a per-crate basis, so that particular licenses # aren't accepted for every possible crate as with the normal allow list exceptions = [ - # Each entry is the crate and version constraint, and its specific allow - # list - #{ allow = ["Zlib"], crate = "adler32" }, + # Each entry is the crate and version constraint, and its specific allow + # list + #{ allow = ["Zlib"], crate = "adler32" }, ] # Some crates don't have (easily) machine readable licensing information, @@ -123,8 +123,8 @@ crate = "ring" # The SPDX expression for the license requirements of the crate expression = "MIT AND ISC AND OpenSSL" license-files = [ - # Each entry is a crate relative path, and the (opaque) hash of its contents - { path = "LICENSE", hash = 0xbd0eed23 }, + # Each entry is a crate relative path, and the (opaque) hash of its contents + { path = "LICENSE", hash = 0xbd0eed23 }, ] [licenses.private] @@ -142,7 +142,7 @@ ignore = false # is only published to private registries, and ignore is true, the crate will # not have its license(s) checked registries = [ - #"https://sekretz.com/registry + #"https://sekretz.com/registry ] # This section is considered when running `cargo deny check bans`. 
@@ -169,16 +169,16 @@ workspace-default-features = "allow" external-default-features = "allow" # List of crates that are allowed. Use with care! allow = [ - #"ansi_term@0.11.0", - #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" }, + #"ansi_term@0.11.0", + #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" }, ] # List of crates to deny deny = [ - #"ansi_term@0.11.0", - #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" }, - # Wrapper crates can optionally be specified to allow the crate when it - # is a direct dependency of the otherwise banned crate - #{ crate = "ansi_term@0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term"] }, + #"ansi_term@0.11.0", + #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" }, + # Wrapper crates can optionally be specified to allow the crate when it + # is a direct dependency of the otherwise banned crate + #{ crate = "ansi_term@0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term"] }, ] # List of features to allow/deny 
@@ -206,32 +206,34 @@ deny = [ # Certain crates/versions that will be skipped when doing duplicate detection. skip = [ - #"ansi_term@0.11.0", - #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason why it can't be updated/removed" }, - "axum@0.7", # tonic depend on axum 0.7 - "axum-core@0.4", # tonic depend on axum 0.7 - "matchit@0.7", # tonic depend on axum 0.7 - "tower@0.4", # axum 0.7 use tower 0.5, but hyper still use 0.4 - # "sync_wrapper", # axum direct and transive dependency use multiple version - "regex-syntax", - "regex-automata", - "indexmap", - # "hermit-abi", - # "rustls-native-certs", - "hashbrown", - "thiserror", # until every dependency use thiserror 2 - "thiserror-impl", + #"ansi_term@0.11.0", + #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason why it can't be updated/removed" }, + "axum@0.7", # tonic depend on axum 0.7 + "axum-core@0.4", # tonic depend on axum 0.7 + "matchit@0.7", # tonic depend on axum 0.7 + "tower@0.4", # axum 0.7 use tower 0.5, but hyper still use 0.4 + # "sync_wrapper", # axum direct and transive dependency use multiple version + "regex-syntax", + "regex-automata", + "indexmap", + # "hermit-abi", + # "rustls-native-certs", + "hashbrown", + "thiserror", # until every dependency use thiserror 2 + "thiserror-impl", + "getrandom", + "wasi", ] # Similarly to `skip` allows you to skip certain crates during duplicate # detection. Unlike skip, it also includes the entire tree of transitive # dependencies starting at the specified crate, up to a certain depth, which is # by default infinite. 
skip-tree = [ - #"ansi_term@0.11.0", # will be skipped along with _all_ of its direct and transitive dependencies - #{ crate = "ansi_term@0.11.0", depth = 20 }, - "windows-targets", - "windows-sys", - "async-std", + #"ansi_term@0.11.0", # will be skipped along with _all_ of its direct and transitive dependencies + #{ crate = "ansi_term@0.11.0", depth = 20 }, + "windows-targets", + "windows-sys", + "async-std", ] # This section is considered when running `cargo deny check sources`.
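Review bot: The two new `skip` entries, `"getrandom"` and `"wasi"`, carry neither a version nor a reason, so duplicate detection is switched off for every current and future version of both crates; for a randomness-source crate like `getrandom`, an unexpected extra copy in the graph is worth seeing in CI rather than silencing. The `axum@0.7` entries earlier in the same list already use the narrower form: pin the tolerated old version and record who still pulls it, e.g. `{ crate = "getrandom@<old-version>", reason = "<dependency still on the old major>" }` (placeholders, as the duplicated versions are not visible in this patch), and do the same for `wasi`. Separately, the whitespace-only re-indentation of the whole file is mixed into this commit and buries the two functional lines; a separate formatting commit would make changes to the deny policy easier to audit.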