[advisories] vulnerability = "deny" unmaintained = "warn" notice = "warn" ignore = [] [licenses] unlicensed = "warn" allow = [] deny = [] copyleft = "warn" allow-osi-fsf-free = "either" confidence-threshold = 0.8 exceptions = [ # ring uses code from multiple libraries but all with permissive licenses # https://tldrlegal.com/license/openssl-license-(openssl) { allow = ["ISC", "MIT", "OpenSSL"], name = "ring" }, ] [[licenses.clarify]] name = "ring" # SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses # https://spdx.org/licenses/OpenSSL.html # ISC - Both BoringSSL and ring use this for their new files # MIT - "Files in third_party/ have their own licenses, as described therein. The MIT # license, for third_party/fiat, which, unlike other third_party directories, is # compiled into non-test libraries, is included below." # OpenSSL - Obviously expression = "ISC AND MIT AND OpenSSL" license-files = [ { path = "LICENSE", hash = 0xbd0eed23 }, ] [bans] multiple-versions = "deny" highlight = "all" skip-tree = [] skip = [ # rustls uses old version (dev dep) { name = "spin", version = "=0.5.2" }, { name = "webpki", version = "=0.21.4" }, # pulled in by hyper, http, and serde_urlencoded { name = "itoa", version = "=0.4.8" }, ] [sources] unknown-registry = "warn" unknown-git = "warn" allow-git = []