tidy: Use more cargo-deny features (#34447)

Instead of parsing the `Cargo.lock` file directly in `tidy.py`. Use `cargo-deny`, which we already use to detect unapproved licenses in the dependency chain to detect duplicate and banned crates. In addition, enable all other `cargo-deny` checks and add exceptions where necessary for them. This depends on the latest release of `cargo-deny` which depends on a recent verison of `rust`. Fixes #34393. Signed-off-by: Martin Robinson <mrobinson@igalia.com>
2025-09-23 05:10:09 +01:00 · 2024-12-13 09:47:40 +01:00 · 2024-12-13 09:47:40 +01:00 · 682eba9f74
commit 682eba9f74
parent 53612dab90
6 changed files with 155 additions and 273 deletions
--- a/deny.toml
+++ b/deny.toml
@ -12,10 +12,11 @@ feature-depth = 1
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
 ignore = [
-    #"RUSTSEC-0000-0000",
-    #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
-    #"a-crate-that-is-yanked@0.1.1", # you can also ignore yanked crate versions if you wish
-    #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
+    # This is for the usage of time@0.1.45 in WebRender, which should be removed soon.
+    "RUSTSEC-2020-0071",
+    # This has been yanked, but upgrading to the next version breaks some WPT tests.
+    # It needs investigation.
+    "url@2.5.3",
 ]

 # This section is considered when running `cargo deny check licenses`
@ -50,10 +51,6 @@ confidence-threshold = 0.8
 # Allow 1 or more licenses on a per-crate basis, so that particular licenses
 # aren't accepted for every possible crate as with the normal allow list
 exceptions = [
-    # Each entry is the crate and version constraint, and its specific allow
-    # list
-    { allow = ["OFL-1.1", "LicenseRef-UFL-1.0"], crate = "epaint" },
-    { allow = ["Unicode-DFS-2016"], crate = "unicode-ident" },
 ]

 # Some crates don't have (easily) machine readable licensing information,
@ -73,21 +70,88 @@ license-files = [
 # More documentation about the 'bans' section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
 [bans]
-multiple-versions = "warn"
-wildcards = "warn"
-highlight = "all"
-workspace-default-features = "allow"
 external-default-features = "allow"
+highlight = "all"
+multiple-versions = "deny"
+wildcards = "allow"
+workspace-default-features = "allow"
+
 # List of crates that are allowed. Use with care!
-allow = [
-    #"ansi_term@0.11.0",
-    #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is allowed" },
-]
-# List of crates to deny
+allow = []
+
+# List of crates to deny:
 deny = [
-    #"ansi_term@0.11.0",
-    #{ crate = "ansi_term@0.11.0", reason = "you can specify a reason it is banned" },
-    # Wrapper crates can optionally be specified to allow the crate when it
-    # is a direct dependency of the otherwise banned crate
-    #{ crate = "ansi_term@0.11.0", wrappers = ["this-crate-directly-depends-on-ansi_term"] },
+    "num",
+    { crate = "rand", wrappers = [
+        "ipc-channel",
+        "phf_generator",
+        "quickcheck",
+        "servo_rand",
+        "tracing-perfetto",
+        "tungstenite",
+    ] },
 ]
+
+# List of crates to skip for the duplicate check:
+skip = [
+    "cfg_aliases",
+    "bitflags",
+    "cookie",
+    "futures",
+    "hermit-abi",
+    "redox_syscall",
+    "time",
+    "wasi",
+    "wayland-sys",
+
+    # New versions of these dependencies is pulled in by GStreamer / GLib.
+    "itertools",
+    "toml",
+
+    # Duplicated by winit.
+    "windows-sys",
+    "windows-targets",
+    "windows_aarch64_gnullvm",
+    "windows_aarch64_msvc",
+    "windows_i686_gnu",
+    "windows_i686_msvc",
+    "windows_x86_64_gnu",
+    "windows_x86_64_gnullvm",
+    "windows_x86_64_msvc",
+
+    # wgpu has the latest and greatest.
+    "foreign-types",
+    "foreign-types-shared",
+    "metal",
+    "windows-core",
+
+    # wgpu-hal depends on 0.5.0.
+    "ndk-sys",
+
+    # Required until a new version of string-cache is released.
+    "phf_generator",
+    "phf_shared",
+
+    # icu (from mozjs) uses old version
+    # tracing-subscriber (tokio-rs/tracing#3033) uses old version
+    # regex -> regex-automata 0.4.7
+    # icu_list -> regex-automata 0.2.0
+    # tracing-subscriber -> matchers -> regex-automata 0.1.0
+    "regex-automata",
+
+    # tracing-subscriber (tokio-rs/tracing#3033) uses old version
+    # regex [-> regex-automata 0.4.7] -> regex-syntax 0.8.4
+    # tracing-subscriber -> matchers -> regex-automata 0.1.0 -> regex-syntax 0.6.29
+    "regex-syntax",
+
+
+    # gilrs is on 0.10.0, but Servo is still on 0.9.4
+    "core-foundation",
+
+    # some non-servo crates still use 0.14
+    "glow",
+]
+
+# github.com organizations to allow git sources for
+[sources.allow-org]
+github = ["pcwalton", "servo"]