From d135c18db621064d7d035974f262767e45cd193c Mon Sep 17 00:00:00 2001 From: Will Jones Date: Fri, 24 Apr 2026 20:53:15 -0700 Subject: [PATCH] ci: add cargo-deny configuration and CI check (#3307) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a `deny.toml` at the workspace root and a `deny` CI job that runs `cargo deny check` on every PR. Catches yanked crates, license drift, banned or wildcard dependencies, unapproved sources, and new RUSTSEC advisories. As part of wiring this up: - Updated `aws-lc-rs` 1.13.0 → 1.16.3 / `aws-lc-sys` 0.28.0 → 0.40.0 to clear four 2026 AWS-LC advisories (timing side-channel, PKCS7 bypass, CRL scope). Removed the `=0.28.0` workaround pin; the original build failure no longer reproduces. - Updated `bytes`, `zlib-rs`, `rand`, `rustls-webpki`, `lz4_flex` to clear their current advisories. - Marked `lancedb-nodejs` and `lancedb-python` as `publish = false` and pinned `lzma-sys` from `*` to `0.1` so `bans.wildcards = "deny"` can be enforced. 10 remaining advisories have no safe upgrade available (transitive via opendal, lance, datafusion, async-openai, aws-sdk on the legacy rustls 0.21 chain). Each is ignored in `deny.toml` with a per-entry rationale and a link to the RUSTSEC advisory. New advisories still fail CI. Fixes #3297 --------- Co-authored-by: Claude Opus 4.7 (1M context) --- .github/workflows/rust.yml | 14 ++++ Cargo.lock | 98 +++++++++++----------- deny.toml | 166 +++++++++++++++++++++++++++++++++++++ nodejs/Cargo.toml | 5 +- python/Cargo.toml | 1 + 5 files changed, 233 insertions(+), 51 deletions(-) create mode 100644 deny.toml diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 61d52754c..937124f5a 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -9,7 +9,10 @@ on: - Cargo.toml - Cargo.lock - rust-toolchain.toml + - deny.toml - rust/** + - nodejs/Cargo.toml + - python/Cargo.toml - .github/workflows/rust.yml permissions: @@ -56,6 +59,17 @@ jobs: - name: Run clippy (without remote feature) run: cargo clippy --profile ci --workspace --tests -- -D warnings + deny: + # Supply-chain checks: advisories, licenses, banned crates, and source + # restrictions. Configuration lives in `deny.toml` at the workspace root. + timeout-minutes: 10 + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v4 + - uses: EmbarkStudios/cargo-deny-action@v2 + with: + command: check advisories bans licenses sources + build-no-lock: runs-on: ubuntu-24.04 timeout-minutes: 30 diff --git a/Cargo.lock b/Cargo.lock index a749b0208..da1d390d5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -572,9 +572,9 @@ dependencies = [ [[package]] name = "aws-lc-rs" -version = "1.16.1" +version = "1.16.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94bffc006df10ac2a68c83692d734a465f8ee6c5b384d8545a636f81d858f4bf" +checksum = "0ec6fb3fe69024a75fa7e1bfb48aa6cf59706a101658ea01bfd33b2b248a038f" dependencies = [ "aws-lc-sys", "untrusted 0.7.1", @@ -583,9 +583,9 @@ dependencies = [ [[package]] name = "aws-lc-sys" -version = "0.38.0" +version = "0.40.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4321e568ed89bb5a7d291a7f37997c2c0df89809d7b6d12062c81ddb54aa782e" +checksum = "f50037ee5e1e41e7b8f9d161680a725bd1626cb6f8c7e901f91f942850852fe7" dependencies = [ "cc", "cmake", @@ -1373,7 +1373,7 @@ dependencies = [ "memmap2 0.9.10", "num-traits", "num_cpus", - "rand 0.9.2", + "rand 0.9.4", "rand_distr 0.5.1", "rayon", "safetensors", @@ -1409,7 +1409,7 @@ dependencies = [ "candle-nn", "fancy-regex", "num-traits", - "rand 0.9.2", + "rand 0.9.4", "rayon", "serde", "serde_json", @@ -1966,7 +1966,7 @@ dependencies = [ "log", "object_store", "parking_lot", - "rand 0.9.2", + "rand 0.9.4", "regex", "sqlparser 0.59.0", "tempfile", @@ -2080,7 +2080,7 @@ dependencies = [ "itertools 0.14.0", "log", "object_store", - "rand 0.9.2", + "rand 0.9.4", "tokio", "url", ] @@ -2176,7 +2176,7 @@ dependencies = [ "log", "object_store", "parking_lot", - "rand 0.9.2", + "rand 0.9.4", "tempfile", "url", ] @@ -2240,7 +2240,7 @@ dependencies = [ "log", "md-5", "num-traits", - "rand 0.9.2", + "rand 0.9.4", "regex", "sha2", "unicode-segmentation", @@ -2642,7 +2642,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -2830,7 +2830,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -2965,7 +2965,7 @@ checksum = "719a903cc23e4a89e87962c2a80fdb45cdaad0983a89bd150bb57b4c8571a7d5" dependencies = [ "half", "num-traits", - "rand 0.9.2", + "rand 0.9.4", "rand_distr 0.5.1", ] @@ -3014,7 +3014,7 @@ version = "6.0.0-beta.1" source = "git+https://github.com/lance-format/lance.git?tag=v6.0.0-beta.1#c7a7d3a0e944646e793d297d4a2e2cf7e4fb28a3" dependencies = [ "arrow-array", - "rand 0.9.2", + "rand 0.9.4", ] [[package]] @@ -3387,7 +3387,7 @@ dependencies = [ "cfg-if", "crunchy", "num-traits", - "rand 0.9.2", + "rand 0.9.4", "rand_distr 0.5.1", "zerocopy", ] @@ -3470,7 +3470,7 @@ dependencies = [ "libc", "log", "num_cpus", - "rand 0.9.2", + "rand 0.9.4", "reqwest", "serde", "serde_json", @@ -3980,7 +3980,7 @@ dependencies = [ "portable-atomic", "portable-atomic-util", "serde_core", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -4043,7 +4043,7 @@ dependencies = [ "nom 8.0.0", "num-traits", "ordered-float", - "rand 0.9.2", + "rand 0.9.4", "ryu", "serde", "serde_json", @@ -4119,7 +4119,7 @@ dependencies = [ "prost", "prost-build", "prost-types", - "rand 0.9.2", + "rand 0.9.4", "roaring", "semver", "serde", @@ -4152,7 +4152,7 @@ dependencies = [ "half", "jsonb", "num-traits", - "rand 0.9.2", + "rand 0.9.4", ] [[package]] @@ -4191,7 +4191,7 @@ dependencies = [ "object_store", "pin-project", "prost", - "rand 0.9.2", + "rand 0.9.4", "roaring", "serde_json", "snafu 0.9.0", @@ -4248,7 +4248,7 @@ dependencies = [ "futures", "half", "hex", - "rand 0.9.2", + "rand 0.9.4", "rand_distr 0.5.1", "rand_xoshiro", "random_word 0.5.2", @@ -4283,7 +4283,7 @@ dependencies = [ "prost", "prost-build", "prost-types", - "rand 0.9.2", + "rand 0.9.4", "snafu 0.9.0", "strum", "tokio", @@ -4374,7 +4374,7 @@ dependencies = [ "prost", "prost-build", "prost-types", - "rand 0.9.2", + "rand 0.9.4", "rand_distr 0.5.1", "rangemap", "rayon", @@ -4426,7 +4426,7 @@ dependencies = [ "path_abs", "pin-project", "prost", - "rand 0.9.2", + "rand 0.9.4", "serde", "snafu 0.9.0", "tempfile", @@ -4449,7 +4449,7 @@ dependencies = [ "lance-arrow", "lance-core", "num-traits", - "rand 0.9.2", + "rand 0.9.4", ] [[package]] @@ -4488,7 +4488,7 @@ dependencies = [ "lance-table", "log", "object_store", - "rand 0.9.2", + "rand 0.9.4", "reqwest", "serde", "serde_json", @@ -4539,7 +4539,7 @@ dependencies = [ "prost", "prost-build", "prost-types", - "rand 0.9.2", + "rand 0.9.4", "rangemap", "roaring", "semver", @@ -4561,7 +4561,7 @@ dependencies = [ "arrow-schema", "lance-arrow", "num-traits", - "rand 0.9.2", + "rand 0.9.4", ] [[package]] @@ -4637,7 +4637,7 @@ dependencies = [ "pin-project", "polars", "polars-arrow", - "rand 0.9.2", + "rand 0.9.4", "random_word 0.4.3", "regex", "reqwest", @@ -5235,7 +5235,7 @@ version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -5357,7 +5357,7 @@ dependencies = [ "parking_lot", "percent-encoding", "quick-xml 0.38.4", - "rand 0.9.2", + "rand 0.9.4", "reqwest", "ring", "rustls-pemfile", @@ -6199,8 +6199,8 @@ version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "343d3bd7056eda839b03204e68deff7d1b13aba7af2b2fd16890697274262ee7" dependencies = [ - "heck 0.5.0", - "itertools 0.11.0", + "heck 0.4.1", + "itertools 0.14.0", "log", "multimap", "petgraph", @@ -6219,7 +6219,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b" dependencies = [ "anyhow", - "itertools 0.11.0", + "itertools 0.14.0", "proc-macro2", "quote", "syn 2.0.117", @@ -6402,7 +6402,7 @@ dependencies = [ "bytes", "getrandom 0.3.4", "lru-slab", - "rand 0.9.2", + "rand 0.9.4", "ring", "rustc-hash", "rustls 0.23.37", @@ -6425,7 +6425,7 @@ dependencies = [ "once_cell", "socket2 0.6.3", "tracing", - "windows-sys 0.59.0", + "windows-sys 0.60.2", ] [[package]] @@ -6468,9 +6468,9 @@ dependencies = [ [[package]] name = "rand" -version = "0.9.2" +version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea" dependencies = [ "rand_chacha 0.9.0", "rand_core 0.9.5", @@ -6531,7 +6531,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a8615d50dcf34fa31f7ab52692afec947c4dd0ab803cc87cb3b0b4570ff7463" dependencies = [ "num-traits", - "rand 0.9.2", + "rand 0.9.4", ] [[package]] @@ -6566,7 +6566,7 @@ dependencies = [ "ahash", "brotli 8.0.2", "paste", - "rand 0.9.2", + "rand 0.9.4", "unicase", ] @@ -6954,7 +6954,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -7465,7 +7465,7 @@ version = "0.8.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c1c97747dbf44bb1ca44a561ece23508e99cb592e862f22222dcf42f51d1e451" dependencies = [ - "heck 0.5.0", + "heck 0.4.1", "proc-macro2", "quote", "syn 2.0.117", @@ -7477,7 +7477,7 @@ version = "0.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "54254b8531cafa275c5e096f62d48c81435d1015405a91198ddb11e967301d40" dependencies = [ - "heck 0.5.0", + "heck 0.4.1", "proc-macro2", "quote", "syn 2.0.117", @@ -7818,7 +7818,7 @@ dependencies = [ "getrandom 0.4.2", "once_cell", "rustix", - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] @@ -8242,7 +8242,7 @@ version = "2.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ea3136b675547379c4bd395ca6b938e5ad3c3d20fad76e7fe85f9e0d011419c" dependencies = [ - "rand 0.9.2", + "rand 0.9.4", ] [[package]] @@ -8298,9 +8298,9 @@ dependencies = [ [[package]] name = "unicode-segmentation" -version = "1.13.1" +version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da36089a805484bcccfffe0739803392c8298778a2d2f09febf76fac5ad9025b" +checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c" [[package]] name = "unicode-width" @@ -8632,7 +8632,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.59.0", + "windows-sys 0.61.2", ] [[package]] diff --git a/deny.toml b/deny.toml new file mode 100644 index 000000000..a2542235d --- /dev/null +++ b/deny.toml @@ -0,0 +1,166 @@ +# cargo-deny configuration for LanceDB. +# +# Run locally with `cargo deny check`. See +# https://embarkstudios.github.io/cargo-deny/ for the full reference. + +# The set of target triples we care about. cargo-deny will only consider +# dependencies that are used on at least one of these targets. Keeping this +# explicit avoids noise from platform-specific crates (e.g. wasm, android, +# ios) that we never actually ship. +[graph] +targets = [ + "x86_64-unknown-linux-gnu", + "aarch64-unknown-linux-gnu", + "x86_64-apple-darwin", + "aarch64-apple-darwin", + "x86_64-pc-windows-msvc", + "aarch64-pc-windows-msvc", +] +all-features = true + +[output] +feature-depth = 1 + +# --------------------------------------------------------------------------- +# Advisories: security vulnerabilities and yanked crates. +# --------------------------------------------------------------------------- +[advisories] +version = 2 +# Fail the check if any crate in the lockfile has been yanked from crates.io. +# Yanked crates are a signal the author retracted the release (often due to +# bugs or security issues) and should not be depended on. +yanked = "deny" +# Advisory IDs we have explicitly reviewed and chosen to accept. Every +# entry must include a rationale and, where possible, an upstream issue +# pointing to a fix. Revisit this list whenever dependencies are updated. +ignore = [ + # rsa: Marvin Attack timing side-channel in PKCS#1 v1.5 decryption. + # Reached only through opendal → reqsign → rsa. We do not use RSA + # decryption in LanceDB ourselves; this is dormant in the signing path. + # No fixed release exists upstream as of this writing. + # https://rustsec.org/advisories/RUSTSEC-2023-0071 + { id = "RUSTSEC-2023-0071", reason = "rsa crate via opendal/reqsign; no fixed upstream release" }, + + # instant: unmaintained. Pulled in via backoff → instant. Upstream + # recommends switching to `web-time`; fix has to come from backoff. + # https://rustsec.org/advisories/RUSTSEC-2024-0384 + { id = "RUSTSEC-2024-0384", reason = "transitive via backoff; waiting on backoff replacement" }, + + # paste: unmaintained (author archived the repo). Used transitively by + # datafusion and the arrow ecosystem; widespread, no drop-in replacement. + # https://rustsec.org/advisories/RUSTSEC-2024-0436 + { id = "RUSTSEC-2024-0436", reason = "transitive via datafusion; awaiting ecosystem migration" }, + + # tantivy: segfault on malformed input due to missing bounds check. + # Pulled in via lance for full-text search. We only feed tantivy + # documents we construct ourselves, not attacker-controlled bytes. + # Tracked for a lance dependency bump. + # https://rustsec.org/advisories/RUSTSEC-2025-0003 + { id = "RUSTSEC-2025-0003", reason = "tantivy via lance; inputs are internally produced, not user-supplied bytes" }, + + # backoff: unmaintained. Reached only via async-openai. Replacement + # requires async-openai to migrate (or us to drop async-openai). + # https://rustsec.org/advisories/RUSTSEC-2025-0012 + { id = "RUSTSEC-2025-0012", reason = "transitive via async-openai; waiting on upstream migration" }, + + # number_prefix: unmaintained. Transitive via indicatif → hf-hub. + # No security impact, just maintenance status. + # https://rustsec.org/advisories/RUSTSEC-2025-0119 + { id = "RUSTSEC-2025-0119", reason = "transitive via hf-hub/indicatif; cosmetic formatting crate" }, + + # rustls-pemfile: unmaintained. Reached from two separate chains: + # rustls-native-certs 0.6 (via hyper-rustls 0.24) and object_store 0.12. + # Both upstream dependencies need to move before we can drop it. + # https://rustsec.org/advisories/RUSTSEC-2025-0134 + { id = "RUSTSEC-2025-0134", reason = "transitive via rustls-native-certs/object_store; waiting on upstream migration" }, + + # rustls-webpki 0.101.7 (old major line): name-constraint checks for + # URI / wildcard names. Pulled in only via the legacy rustls 0.21 chain + # from aws-smithy-http-client. The 0.103 line we actively use is patched. + # Clearing the 0.101 copy requires the aws-sdk chain to migrate off + # rustls 0.21. + # https://rustsec.org/advisories/RUSTSEC-2026-0098 + # https://rustsec.org/advisories/RUSTSEC-2026-0099 + { id = "RUSTSEC-2026-0098", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" }, + { id = "RUSTSEC-2026-0099", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" }, +] + +# --------------------------------------------------------------------------- +# Licenses: only allow licenses we've reviewed as compatible with Apache-2.0. +# --------------------------------------------------------------------------- +[licenses] +version = 2 +# SPDX identifiers for licenses that are compatible with our Apache-2.0 +# distribution. Additions require legal review. +allow = [ + "Apache-2.0", + "Apache-2.0 WITH LLVM-exception", + "MIT", + "BSD-2-Clause", + "BSD-3-Clause", + "ISC", + "Unicode-3.0", + "Unicode-DFS-2016", + "Zlib", + "CC0-1.0", + "MPL-2.0", + "BSL-1.0", + "OpenSSL", + # 0BSD ("BSD Zero Clause") is effectively public domain — no attribution + # required. Pulled in by `mock_instant`. + "0BSD", + # bzip2-1.0.6 is the permissive upstream bzip2 license (BSD-like). Pulled + # in by `libbz2-rs-sys`, the pure-Rust bzip2 implementation. + "bzip2-1.0.6", + # CDLA-Permissive-2.0 is a permissive data license used by `webpki-roots` + # for the Mozilla CA root bundle. Data-only, distribution-compatible. + "CDLA-Permissive-2.0", +] +confidence-threshold = 0.8 +# Crates whose license cannot be determined from Cargo metadata but whose +# license we've manually confirmed from upstream. Keep this list minimal. +[[licenses.clarify]] +# polars-arrow-format omits the `license` field in its Cargo.toml, but the +# upstream repo (pola-rs/polars-arrow-format) is dual-licensed Apache-2.0 OR +# MIT. See https://github.com/pola-rs/polars-arrow-format/blob/main/LICENSE +crate = "polars-arrow-format" +expression = "Apache-2.0 OR MIT" +license-files = [] + +# --------------------------------------------------------------------------- +# Bans: disallow specific crates and flag dependency hygiene issues. +# --------------------------------------------------------------------------- +[bans] +# Warn (not deny) on duplicate versions of the same crate. In a large +# workspace like this one, duplicates are common and often unavoidable +# transitively. We surface them to discourage growth, but don't fail CI. +multiple-versions = "warn" +# Wildcard version requirements (`foo = "*"`) are a footgun — they let any +# future release in without review. Ban them outright. +wildcards = "deny" +# Internal workspace crates reference each other via `path = "..."`, which +# cargo-deny sees as a wildcard version. That's fine for private workspace +# members (not published to crates.io), so allow it specifically for paths. +allow-wildcard-paths = true +# Features that, if enabled, should cause the check to fail. +deny = [] +# Crates to skip when checking for duplicate versions. +skip = [] +# Similar to `skip`, but also skips the entire transitive subtree. +skip-tree = [] + +# --------------------------------------------------------------------------- +# Sources: restrict where crates can come from. +# --------------------------------------------------------------------------- +[sources] +# Deny any registry other than the ones explicitly listed below. +unknown-registry = "deny" +# Deny any git dependency whose host isn't in the allow-list below. This +# prevents accidental pulls from arbitrary forks. +unknown-git = "deny" +allow-registry = ["https://github.com/rust-lang/crates.io-index"] +# Lance is developed in a sibling repo and pulled as a git dependency until +# releases are cut to crates.io. Allow that specific host. +allow-git = [ + "https://github.com/lance-format/lance", +] diff --git a/nodejs/Cargo.toml b/nodejs/Cargo.toml index 627e7b256..6231fcf87 100644 --- a/nodejs/Cargo.toml +++ b/nodejs/Cargo.toml @@ -2,6 +2,7 @@ name = "lancedb-nodejs" edition.workspace = true version = "0.28.0-beta.9" +publish = false license.workspace = true description.workspace = true repository.workspace = true @@ -31,8 +32,8 @@ lzma-sys = { version = "0.1", features = ["static"] } log.workspace = true # Pin to resolve build failures; update periodically for security patches. -aws-lc-sys = "=0.38.0" -aws-lc-rs = "=1.16.1" +aws-lc-sys = "=0.40.0" +aws-lc-rs = "=1.16.3" [build-dependencies] napi-build = "2.3.1" diff --git a/python/Cargo.toml b/python/Cargo.toml index 481f4ebfe..4ac95f22c 100644 --- a/python/Cargo.toml +++ b/python/Cargo.toml @@ -1,6 +1,7 @@ [package] name = "lancedb-python" version = "0.31.0-beta.9" +publish = false edition.workspace = true description = "Python bindings for LanceDB" license.workspace = true