servo/deny.toml

[graph]
all-features = false
no-default-features = false
#features = []

# The output table provides options for how/if diagnostics are outputted
[output]
feature-depth = 1

# This section is considered when running `cargo deny check advisories`
# More documentation for the advisories section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
ignore = [
    # The crate `paste` is no longer maintained.
    "RUSTSEC-2024-0436",
    # The crate `fxhash` is no longer maintained.
    "RUSTSEC-2025-0057",
]

# This section is considered when running `cargo deny check licenses`
# More documentation for the licenses section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
[licenses]
# List of explicitly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
    "Apache-2.0 WITH LLVM-exception",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "MIT",
    "MPL-2.0",
    "OpenSSL",
    "OFL-1.1",
    "Ubuntu-font-1.0",
    "Unicode-3.0",
    "Zlib",
]
# The confidence threshold for detecting a license from license text.
# The higher the value, the more closely the license text must be to the
# canonical license text of a valid SPDX license file.
# [possible values: any between 0.0 and 1.0].
confidence-threshold = 0.8
# Allow 1 or more licenses on a per-crate basis, so that particular licenses
# aren't accepted for every possible crate as with the normal allow list
exceptions = [
    # rav1e depends on libfuzzer-sys when cfg(fuzzing) is true, which it isn't for servo builds.
    # cargo-deny is being run with --all-features, so we need to explicitly make an exception here.
    { allow = ["NCSA"], crate = "libfuzzer-sys" },
]


# This section is considered when running `cargo deny check bans`.
# More documentation about the 'bans' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
external-default-features = "allow"
highlight = "all"
multiple-versions = "deny"
wildcards = "allow"
workspace-default-features = "allow"

# List of crates that are allowed. Use with care!
allow = []

# List of crates to deny:
deny = [
    "num",
    # cargo-deny does not allow denying the rand crate while also skipping
    # it for duplicate checks. While the ecosystem is split between 0.8 and 0.9,
    # we need to prioritize allowing duplicate versions.
    #{ crate = "rand", wrappers = [
    #    "ipc-channel",
    #    "phf_generator",
    #    "quickcheck",
    #    "servo_rand",
    #    "tracing-perfetto",
    #    "tungstenite",
    #] },
]

# List of crates to skip for the duplicate check:
skip = [
    "bitflags",
    "cookie",
    "futures",
    "redox_syscall",

    # Duplicated by aws-lc-rs
    "bindgen",

    # New versions of these dependencies is pulled in by GStreamer / GLib.
    "itertools",

    # Duplicated by egui
    "windows-strings",

    # Duplicated by egui-file-dialog
    "windows",
    "windows-implement",
    "windows-interface",
    "windows-link",
    "windows-result",

    # Duplicated by winit.
    "windows-sys",
    "windows-targets",
    "windows_aarch64_gnullvm",
    "windows_aarch64_msvc",
    "windows_i686_gnu",
    "windows_i686_msvc",
    "windows_x86_64_gnu",
    "windows_x86_64_gnullvm",
    "windows_x86_64_msvc",

    # Duplicated by zbus.
    "windows_i686_gnullvm",

    # wgpu has the latest and greatest.
    "windows-core",

    # rust-content-security-policy uses newest base64.
    "base64",

    # gilrs is on 0.10.0, but Servo is still on 0.9.4
    "core-foundation",

    # wgpu crates still depend on 1.1.0
    "rustc-hash",

    # wgpu depends on thiserror 2, while rest is still on 1
    "thiserror",
    "thiserror-impl",

    # duplicated by webdriver
    "h2",
    "headers",
    "headers-core",
    "http",
    "http-body",
    "hyper",

    # duplicated by winit
    "objc2-app-kit",
    "objc2-foundation",
    "objc2",

    # duplicated by tungstenite
    "getrandom",
    "rand",
    "rand_chacha",
    "rand_core",
    "wasi",
    "webpki-roots",

    # Stylo uses 2.0, WebRender uses 0.99
    "derive_more",

    # duplicated by blurz/blurmock
    "hex",

    # duplciated by rustix
    "linux-raw-sys",

    # duplicated by async-io
    "rustix",

    # duplicated by zbus-xml
    "quick-xml",

    # duplicated by sea-query
    "heck",

    # duplicated by bindgen as build dependency
    # Remove when cexpr updates its nom version
    # and bindgen updates the cexpr version
    "nom",

    # duplicated by `cargo metadata` as a build-dependency of mozjs-sys.
    # Can be removed if `icu_capi` exposes the C include dir via the `DEP_`
    # variable in the future.
    "ordered-float",

    # duplicated by image 0.25
    "cfg-expr",
    "system-deps",
    "target-lexicon",

    # duplicated by core-graphics
    "core-graphics-types",

    # duplicated by winresource and proc-macro-crate. Once everything
    # switches to the latest version of toml we can remove this. It's
    # really just a build dep, so not a large problem.
    "toml_datetime",
    "toml_edit",
]

# github.com organizations to allow git sources for
[sources.allow-org]
github = ["servo", "linebender"]