Skip to content
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion deny.toml
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,16 @@ ignore = [
# 0.16.3) but ratatui 0.29 pins the older minor; cvg dash never
# exercises IterMut. Revisit at the next ratatui upgrade.
{ id = "RUSTSEC-2026-0002", reason = "lru v0.12.5 transitive via ratatui 0.29; cvg dash does not call IterMut. Revisit when ratatui bumps lru" },
# quinn-proto 0.11.14 has a QUIC stream-reassembly memory exhaustion
# (RUSTSEC-2026-0185, fix: >= 0.11.15). It enters the dep graph via
# jsonschema 0.21 → reqwest (default features) → quinn 0.11.9.
# Convergio never opens a QUIC endpoint: the server runs axum/hyper
# over TCP only, and all reqwest clients are built with the
# `rustls-tls` feature (no http3). The vulnerable QUIC reassembly
# logic is compiled in but never reached at runtime.
# Remove this ignore once quinn-proto >= 0.11.15 is published on
# crates.io and `cargo update --workspace` picks it up.
{ id = "RUSTSEC-2026-0185", reason = "quinn-proto via jsonschema→reqwest; no QUIC endpoint in convergio — remove when quinn-proto >= 0.11.15 is on crates.io" },
]

[licenses]
Expand Down Expand Up @@ -61,7 +71,6 @@ skip = [
{ crate = "getrandom@0.3.4", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" },
{ crate = "hashbrown@0.15.5", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
{ crate = "hashbrown@0.16.1", reason = "additional version pulled in by fastembed transitive (ADR-0038, F1-β)" },
{ crate = "redox_syscall@0.5.18", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
{ crate = "thiserror@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Restore the redox_syscall duplicate skip

With multiple-versions = "deny", cargo-deny documents that duplicates fail the bans check and that skip temporarily ignores crates during duplicate detection. This commit removes the redox_syscall@0.5.18 skip, but the checked-in Cargo.lock still contains both redox_syscall 0.5.18 (via parking_lot_core) and redox_syscall 0.8.1 (via libredox), so the CI cargo deny check bans step this change says it fixes will still fail until the skip is restored or the lockfile is actually updated to a single version.

Useful? React with 👍 / 👎.

{ crate = "thiserror-impl@1.0.69", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
{ crate = "wit-bindgen@0.51.0", reason = "transitive duplicate from current lockfile; ratchet when upstreams converge" },
Expand Down
Loading