mirror of
https://github.com/lancedb/lancedb.git
synced 2026-05-14 10:30:40 +00:00
f31e27768a
## Summary - Update `rustls-webpki` 0.103.10 → 0.103.13 to fix RUSTSEC-2026-0104 (reachable panic in CRL parsing) - Add advisory ignore for the legacy `rustls-webpki` 0.101.7 copy pinned to the aws-smithy/rustls 0.21 chain (same chain already exempted for RUSTSEC-2026-0098/0099) Fixes the `deny` CI job failure seen in #3325. ## Test plan - [x] `cargo deny check advisories` passes locally 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
173 lines
8.1 KiB
TOML
173 lines
8.1 KiB
TOML
# cargo-deny configuration for LanceDB.
|
|
#
|
|
# Run locally with `cargo deny check`. See
|
|
# https://embarkstudios.github.io/cargo-deny/ for the full reference.
|
|
|
|
# The set of target triples we care about. cargo-deny will only consider
|
|
# dependencies that are used on at least one of these targets. Keeping this
|
|
# explicit avoids noise from platform-specific crates (e.g. wasm, android,
|
|
# ios) that we never actually ship.
|
|
[graph]
|
|
targets = [
|
|
"x86_64-unknown-linux-gnu",
|
|
"aarch64-unknown-linux-gnu",
|
|
"x86_64-apple-darwin",
|
|
"aarch64-apple-darwin",
|
|
"x86_64-pc-windows-msvc",
|
|
"aarch64-pc-windows-msvc",
|
|
]
|
|
all-features = true
|
|
|
|
[output]
|
|
feature-depth = 1
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Advisories: security vulnerabilities and yanked crates.
|
|
# ---------------------------------------------------------------------------
|
|
[advisories]
|
|
version = 2
|
|
# Fail the check if any crate in the lockfile has been yanked from crates.io.
|
|
# Yanked crates are a signal the author retracted the release (often due to
|
|
# bugs or security issues) and should not be depended on.
|
|
yanked = "deny"
|
|
# Advisory IDs we have explicitly reviewed and chosen to accept. Every
|
|
# entry must include a rationale and, where possible, an upstream issue
|
|
# pointing to a fix. Revisit this list whenever dependencies are updated.
|
|
ignore = [
|
|
# rsa: Marvin Attack timing side-channel in PKCS#1 v1.5 decryption.
|
|
# Reached only through opendal → reqsign → rsa. We do not use RSA
|
|
# decryption in LanceDB ourselves; this is dormant in the signing path.
|
|
# No fixed release exists upstream as of this writing.
|
|
# https://rustsec.org/advisories/RUSTSEC-2023-0071
|
|
{ id = "RUSTSEC-2023-0071", reason = "rsa crate via opendal/reqsign; no fixed upstream release" },
|
|
|
|
# instant: unmaintained. Pulled in via backoff → instant. Upstream
|
|
# recommends switching to `web-time`; fix has to come from backoff.
|
|
# https://rustsec.org/advisories/RUSTSEC-2024-0384
|
|
{ id = "RUSTSEC-2024-0384", reason = "transitive via backoff; waiting on backoff replacement" },
|
|
|
|
# paste: unmaintained (author archived the repo). Used transitively by
|
|
# datafusion and the arrow ecosystem; widespread, no drop-in replacement.
|
|
# https://rustsec.org/advisories/RUSTSEC-2024-0436
|
|
{ id = "RUSTSEC-2024-0436", reason = "transitive via datafusion; awaiting ecosystem migration" },
|
|
|
|
# tantivy: segfault on malformed input due to missing bounds check.
|
|
# Pulled in via lance for full-text search. We only feed tantivy
|
|
# documents we construct ourselves, not attacker-controlled bytes.
|
|
# Tracked for a lance dependency bump.
|
|
# https://rustsec.org/advisories/RUSTSEC-2025-0003
|
|
{ id = "RUSTSEC-2025-0003", reason = "tantivy via lance; inputs are internally produced, not user-supplied bytes" },
|
|
|
|
# backoff: unmaintained. Reached only via async-openai. Replacement
|
|
# requires async-openai to migrate (or us to drop async-openai).
|
|
# https://rustsec.org/advisories/RUSTSEC-2025-0012
|
|
{ id = "RUSTSEC-2025-0012", reason = "transitive via async-openai; waiting on upstream migration" },
|
|
|
|
# number_prefix: unmaintained. Transitive via indicatif → hf-hub.
|
|
# No security impact, just maintenance status.
|
|
# https://rustsec.org/advisories/RUSTSEC-2025-0119
|
|
{ id = "RUSTSEC-2025-0119", reason = "transitive via hf-hub/indicatif; cosmetic formatting crate" },
|
|
|
|
# rustls-pemfile: unmaintained. Reached from two separate chains:
|
|
# rustls-native-certs 0.6 (via hyper-rustls 0.24) and object_store 0.12.
|
|
# Both upstream dependencies need to move before we can drop it.
|
|
# https://rustsec.org/advisories/RUSTSEC-2025-0134
|
|
{ id = "RUSTSEC-2025-0134", reason = "transitive via rustls-native-certs/object_store; waiting on upstream migration" },
|
|
|
|
# rustls-webpki 0.101.7 (old major line): name-constraint checks for
|
|
# URI / wildcard names. Pulled in only via the legacy rustls 0.21 chain
|
|
# from aws-smithy-http-client. The 0.103 line we actively use is patched.
|
|
# Clearing the 0.101 copy requires the aws-sdk chain to migrate off
|
|
# rustls 0.21.
|
|
# https://rustsec.org/advisories/RUSTSEC-2026-0098
|
|
# https://rustsec.org/advisories/RUSTSEC-2026-0099
|
|
{ id = "RUSTSEC-2026-0098", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" },
|
|
{ id = "RUSTSEC-2026-0099", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" },
|
|
|
|
# rustls-webpki 0.101.7: reachable panic in CRL parsing. Same legacy
|
|
# rustls 0.21 chain from aws-smithy-http-client as above. The 0.103 line
|
|
# we actively use is upgraded to 0.103.13 which contains the fix.
|
|
# https://rustsec.org/advisories/RUSTSEC-2026-0104
|
|
{ id = "RUSTSEC-2026-0104", reason = "only affects rustls-webpki 0.101 from legacy aws-smithy/rustls 0.21 chain" },
|
|
]
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Licenses: only allow licenses we've reviewed as compatible with Apache-2.0.
|
|
# ---------------------------------------------------------------------------
|
|
[licenses]
|
|
version = 2
|
|
# SPDX identifiers for licenses that are compatible with our Apache-2.0
|
|
# distribution. Additions require legal review.
|
|
allow = [
|
|
"Apache-2.0",
|
|
"Apache-2.0 WITH LLVM-exception",
|
|
"MIT",
|
|
"BSD-2-Clause",
|
|
"BSD-3-Clause",
|
|
"ISC",
|
|
"Unicode-3.0",
|
|
"Unicode-DFS-2016",
|
|
"Zlib",
|
|
"CC0-1.0",
|
|
"MPL-2.0",
|
|
"BSL-1.0",
|
|
"OpenSSL",
|
|
# 0BSD ("BSD Zero Clause") is effectively public domain — no attribution
|
|
# required. Pulled in by `mock_instant`.
|
|
"0BSD",
|
|
# bzip2-1.0.6 is the permissive upstream bzip2 license (BSD-like). Pulled
|
|
# in by `libbz2-rs-sys`, the pure-Rust bzip2 implementation.
|
|
"bzip2-1.0.6",
|
|
# CDLA-Permissive-2.0 is a permissive data license used by `webpki-roots`
|
|
# for the Mozilla CA root bundle. Data-only, distribution-compatible.
|
|
"CDLA-Permissive-2.0",
|
|
]
|
|
confidence-threshold = 0.8
|
|
# Crates whose license cannot be determined from Cargo metadata but whose
|
|
# license we've manually confirmed from upstream. Keep this list minimal.
|
|
[[licenses.clarify]]
|
|
# polars-arrow-format omits the `license` field in its Cargo.toml, but the
|
|
# upstream repo (pola-rs/polars-arrow-format) is dual-licensed Apache-2.0 OR
|
|
# MIT. See https://github.com/pola-rs/polars-arrow-format/blob/main/LICENSE
|
|
crate = "polars-arrow-format"
|
|
expression = "Apache-2.0 OR MIT"
|
|
license-files = []
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Bans: disallow specific crates and flag dependency hygiene issues.
|
|
# ---------------------------------------------------------------------------
|
|
[bans]
|
|
# Warn (not deny) on duplicate versions of the same crate. In a large
|
|
# workspace like this one, duplicates are common and often unavoidable
|
|
# transitively. We surface them to discourage growth, but don't fail CI.
|
|
multiple-versions = "warn"
|
|
# Wildcard version requirements (`foo = "*"`) are a footgun — they let any
|
|
# future release in without review. Ban them outright.
|
|
wildcards = "deny"
|
|
# Internal workspace crates reference each other via `path = "..."`, which
|
|
# cargo-deny sees as a wildcard version. That's fine for private workspace
|
|
# members (not published to crates.io), so allow it specifically for paths.
|
|
allow-wildcard-paths = true
|
|
# Features that, if enabled, should cause the check to fail.
|
|
deny = []
|
|
# Crates to skip when checking for duplicate versions.
|
|
skip = []
|
|
# Similar to `skip`, but also skips the entire transitive subtree.
|
|
skip-tree = []
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Sources: restrict where crates can come from.
|
|
# ---------------------------------------------------------------------------
|
|
[sources]
|
|
# Deny any registry other than the ones explicitly listed below.
|
|
unknown-registry = "deny"
|
|
# Deny any git dependency whose host isn't in the allow-list below. This
|
|
# prevents accidental pulls from arbitrary forks.
|
|
unknown-git = "deny"
|
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
|
# Lance is developed in a sibling repo and pulled as a git dependency until
|
|
# releases are cut to crates.io. Allow that specific host.
|
|
allow-git = [
|
|
"https://github.com/lance-format/lance",
|
|
]
|