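# cargo-deny configuration: target platforms, license allow-list, crate bans,
# advisory exceptions and permitted crate sources.

[graph]
targets = [
    "x86_64-unknown-linux-gnu",
    "x86_64-unknown-linux-musl",
    "x86_64-apple-darwin",
    "aarch64-apple-darwin",
    "x86_64-pc-windows-msvc",
]

[licenses]
version = 2
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "Unicode-DFS-2016",
    "Unicode-3.0",
]
confidence-threshold = 0.93
# License exceptions for dependencies in the current dependency tree.
# Each exception has a corresponding ADR documenting the rationale.
# See docs/adr/ for ADR files.
exceptions = [
    # cbindgen (MPL-2.0) - build dependency for C FFI (pdftract-libpdftract)
    # ADR-001: https://github.com/jedarden/pdftract/blob/main/docs/adr/0001-mpl-2-0-cbindgen-exception.md
    { name = "cbindgen", allow = ["MPL-2.0"] },
    # option-ext (MPL-2.0) - transitive dependency of dirs (filesystem paths)
    # ADR-002: https://github.com/jedarden/pdftract/blob/main/docs/adr/0002-mpl-2-0-option-ext-exception.md
    { name = "option-ext", allow = ["MPL-2.0"] },
]

[licenses.private]
ignore = false

[bans]
multiple-versions = "warn"
wildcards = "deny"
# Banned crates per TH-06 supply-chain policy (plan line 908)
# - openssl-sys, native-tls: we use rustls instead
# - git2, libgit2-sys: no git CLI dependency in this project
# - ring < 0.17.5 (critical crypto primitive, known vulns in older versions)
# - rustls < 0.23 (TLS implementation, API changes and fixes in 0.23.x)
# The two version-ranged entries are what enforce the TH-06 minimum versions:
# any resolved version matching the range fails the check.
deny = [
    { name = "openssl-sys", use-instead = "rustls" },
    { name = "native-tls", use-instead = "rustls" },
    { name = "git2" },
    { name = "libgit2-sys" },
    { name = "ring", version = "<0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "rustls", version = "<0.23", reason = "TH-06: rustls >= 0.23 required" },
]
# Exact versions exempted from the multiple-versions duplicate check.
# NOTE(review): `skip` only silences duplicate-version findings for the versions
# listed here; it does not impose a minimum version. The TH-06 minimums are
# enforced by the version-ranged `deny` entries above, not by this list.
# NOTE(review): `use-instead` is documented for `deny` entries; confirm the
# cargo-deny version used in CI accepts it on `skip` entries.
skip = [
    { name = "ring", version = "=0.17.5", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.6", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.7", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.8", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.9", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.10", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.11", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.12", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "ring", version = "=0.17.13", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
    { name = "rustls", version = "=0.23.0", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.1", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.2", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.3", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.4", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.5", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.6", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.7", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.8", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.9", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.10", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.11", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
    { name = "rustls", version = "=0.23.12", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
]
# Internal crates within the pdftract workspace (path dependencies).
# NOTE(review): `skip-tree` removes each listed crate and its whole dependency
# subtree from the multiple-versions check; it does not relax
# `wildcards = "deny"`. If the goal is to allow wildcard requirements on
# workspace path dependencies, `allow-wildcard-paths` is the setting to
# evaluate - TODO confirm intent.
skip-tree = [
    { name = "pdftract-cli", reason = "workspace path dependency" },
    { name = "pdftract-libpdftract", reason = "workspace path dependency" },
    { name = "pdftract-py", reason = "workspace path dependency" },
]

[advisories]
yanked = "deny"
# Advisory exceptions for dependencies with no viable alternative.
# Each exception has a corresponding ADR documenting the rationale.
# See docs/adr/ for ADR files.
# NOTE(review): only RUSTSEC-2020-0144 links its ADR here. The other three
# entries say the fix is "tracked separately" without a reference; add the ADR
# or tracking link so each ignore can be audited and removed once resolved.
ignore = [
    # RUSTSEC-2020-0144: lzw crate is unmaintained, no safe upgrade exists
    # Used for LZWDecode filter in PDF streams; alternatives (weezl) incompatible with PDF LZW
    # ADR-003: https://github.com/jedarden/pdftract/blob/main/docs/adr/0003-lzw-advisory-exception.md
    "RUSTSEC-2020-0144",
    # RUSTSEC-2021-0145: atty has unsound code (potential unaligned read)
    # Migration to is-terminal is tracked separately
    "RUSTSEC-2021-0145",
    # RUSTSEC-2024-0375: atty is unmaintained
    # Migration to is-terminal is tracked separately
    "RUSTSEC-2024-0375",
    # RUSTSEC-2025-0020: pyo3 0.20.3 has buffer overflow vulnerability
    # Upgrade to pyo3 >=0.24.1 is tracked separately
    # NOTE(review): this is a memory-safety advisory, not a maintenance notice;
    # while it is listed here the check stays silent about it, so drop the
    # entry as soon as the upgrade lands.
    "RUSTSEC-2025-0020",
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"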