deny.toml

[graph]
targets = [
    "x86_64-unknown-linux-gnu",
    "aarch64-unknown-linux-gnu",
    "aarch64-apple-darwin",
]

[bans]
multiple-versions = "deny"
# Try to avoid exemptions for duplicate dependencies! Duplicate dependencies
# slow down compilation, bloat the binary, and tickle race conditions in `cargo
# doc` (see rust-lang/cargo#3613).
#
# If possible, submit PRs upstream to remove duplicated transitive dependencies.
# You can use patch directives in the root Cargo.toml to point at a
# Materialize-maintained fork that avoids the duplicated transitive
# dependencies.
skip = [
    # arrayvec had a significant API change in 0.7
    { name = "arrayvec", version = "0.5.2" },
    # One-time exception for base64 due to its prevalence in the crate graph.
    { name = "base64", version = "0.13.1" },
    # `syn` is a core crate that a huge part of the ecosystem either directly, or
    # transitively depends on. They just released v2.0 which not all crates have
    # migrated to yet.
    { name = "syn", version = "1.0.107" },
    # held back by thrift 0.17.0 depended on by parquet 51.0.0
    { name = "ordered-float", version = "2.10.1" },
    { name = "ordered-float", version = "4.6.0" },
    # Will require updating many crates
    { name = "indexmap", version = "1.9.1" },
    # Required by indexmap 1.9.1, which is depended on by many things
    { name = "hashbrown", version = "0.12.3" },
    { name = "hashbrown", version = "0.14.5" },
    # Required by hashbrown
    { name = "foldhash", version = "0.1.5" },

    # Had to update `tower-http` to `0.4.3` to fix the `base64` duplicate version
    # but this introduced a new dependency on `bitflags 2.3.3` but all the rest of
    # our crates use `bitflags 1.3.2`
    # TODO: fork `tower-http` and swap to use older bitflags
    { name = "bitflags", version = "1.3.2" },

    # TODO: Required for Rust nightly upgrade
    { name = "http", version = "0.2.9" },

    # TODO: Required for Rust nightly upgrade
    { name = "http-body", version = "0.4.5" },

    # There are many external crates that rely on 0.10.5. Upgrading them should
    # be its own PR.
    { name = "itertools", version = "0.10.5" },

    # A few crates -> `num_enum_derive` -> `proc-macro-crate` -> `toml_edit v0.19.14`.
    { name = "toml_edit", version = "0.19.14" },
    { name = "winnow", version = "0.5.4" },

    # There are some crates in our dependency tree that have yet to upgrade to
    # `hyper 1.*`. As of now these are:
    #     * `aws-config`
    #     * `aws-smithy-runtime`
    #     * `eventsource-client`
    #     * `launchdarkly-server-sdk`
    # Until they upgrade we'll need to duplicate some related hyper deps.

    { name = "hyper", version = "0.14.27" },

    { name = "h2", version = "0.3.26" },

    { name = "hyper-tls", version = "0.5.0" },

    { name = "hyper-timeout", version = "0.4.1" },

    { name = "memmap2", version = "0.5.4" },

    { name = "async-channel", version = "1.9.0" },
    { name = "event-listener", version = "2.5.3" },
    { name = "fastrand", version = "1.9.0" },
    { name = "futures-lite", version = "1.13.0" },
    { name = "getrandom", version = "0.1.16" },
    { name = "getrandom", version = "0.2.10" },
    { name = "rand", version = "0.7.3" },
    { name = "rand", version = "0.8.5" },
    { name = "rand_chacha", version = "0.2.2" },
    { name = "rand_chacha", version = "0.3.0" },
    { name = "rand_core", version = "0.5.1" },
    { name = "rand_core", version = "0.6.2" },
    # Used by reqwest
    { name = "thiserror", version = "1.0.61" },
    { name = "thiserror-impl", version = "1.0.61" },
    { name = "unicode-width", version = "0.1.10" },
    # Used by rdkafka-sys
    { name = "num_enum", version = "0.5.11" },
    { name = "num_enum_derive", version = "0.5.11" },
    { name = "proc-macro-crate", version = "1.3.1" },
    # Used by tempfile
    { name = "linux-raw-sys", version = "0.4.15" },
    { name = "rustix", version = "0.38.44" },
    # Used by bindgen
    { name = "itertools", version = "0.13.0" },
    # Used by pprof
    { name = "nix", version = "0.26.4" },
    # Held back by mysql_async `v0.36.1`
    { name = "socket2", version = "0.5.10" },
    # Used by azure_core
    { name = "quick-xml", version = "0.31.0" },
    # Used by reqsign (via iceberg); opendal pulls quick-xml 0.38
    { name = "quick-xml", version = "0.37.5" },
    # Used by opendal via iceberg
    { name = "quick-xml", version = "0.38.4" },
    # Used by sentry
    { name = "reqwest", version = "0.13.3" },
    # Conflicts between `bon` in apache-avro and `derive_builder` in iceberg
    { name = "darling_macro", version = "0.20.11" },
    { name = "darling_core", version = "0.20.11" },
    { name = "darling", version = "0.20.11" },
    { name = "darling_macro", version = "0.21.2" },
    { name = "darling_core", version = "0.21.2" },
    { name = "darling", version = "0.21.2" },
    { name = "typed-builder", version = "0.20.1" },
    { name = "typed-builder-macro", version = "0.20.1" },
    # chrono-tz
    { name = "phf", version = "0.11.3" },
    { name = "phf_shared", version = "0.11.3" },
    { name = "phf_generator", version = "0.11.2" },
    { name = "phf_codegen", version = "0.11.3" },
    # duckdb
    { name = "fallible-iterator", version = "0.3.0" },
    # arrow
    { name = "hashbrown", version = "0.16.1" },
    # Used by dynfmt; iceberg/typetag pulls in v0.4.
    { name = "erased-serde", version = "0.3.26" },
    # gcp_auth → hyper-rustls → rustls-native-certs pulls newer versions
    # while native-tls still pulls older versions.
    { name = "core-foundation", version = "0.10.1" },
    { name = "security-framework", version = "3.7.0" },
    { name = "openssl-probe", version = "0.2.1" },
    # reqsign (via iceberg-storage-opendal / opendal) pins older deps
    # than the workspace.
    { name = "jsonwebtoken", version = "9.3.1" },
    { name = "quick-xml", version = "0.37.5" },
    # aws-lc-rs (via jsonwebtoken 10) and ring pull different `untrusted`.
    { name = "untrusted", version = "0.7.1" },
    # Held back by lazy_static 1.4.0 (used by num-bigint-dig).
    { name = "spin", version = "0.5.2" },
    # held back by tower-lsp 0.20 (mz-deploy LSP server)
    { name = "dashmap", version = "5.5.3" },
    { name = "tower", version = "0.4.13" },
    # held back by rusqlite 0.32 (mz-deploy build cache)
    { name = "hashlink", version = "0.9.1" },
    # held back by owo-colors 4.3 (mz-deploy terminal styling)
    { name = "supports-color", version = "2.1.0" },
]

[[bans.deny]]
crate = "crossbeam-channel@0.5.14"
reason = "memory corruption, https://github.com/MaterializeInc/database-issues/issues/9091"

# Use `tracing` instead.
[[bans.deny]]
name = "env_logger"

# Use `md-5` instead, which is part of the RustCrypto ecosystem.
[[bans.deny]]
name = "md5"

# Use `sha1` instead, which the RustCrypto ecosystem recently took control of.
# `sha-1` is the older and now deprecated name.
[[bans.deny]]
name = "sha-1"

# Use `prost` or `protobuf-native` instead. Two exceptions:
# - `prometheus` itself, whose `proto` types (used to encode/decode the
#   Prometheus protobuf format) are generated by protobuf.
# - `mz-prometheus-protobuf`, a tiny wrapper crate that owns the decode
#   helper around `prometheus::proto::MetricFamily`. No other workspace
#   crate should depend on `protobuf` directly.
[[bans.deny]]
name = "protobuf"
wrappers = ["prometheus", "mz-prometheus-protobuf"]

# Strum has suspect code quality and includes many unneeded features. Use
# more targeted enum macro crates, e.g. `enum-kinds`.
[[bans.deny]]
name = "strum"
wrappers = [
    "apache-avro",
    "iceberg",
    "duckdb",
]
[[bans.deny]]
name = "strum-macros"

[[bans.deny]]
name = "log"
wrappers = [
    "azure_svc_blobstorage",
    "apache-avro",
    "bindgen",
    "buildid",
    "cookie_store",
    "deadpool-postgres",
    "domain",
    "eventsource-client",
    "fail",
    "globset",
    "launchdarkly-server-sdk",
    "launchdarkly-server-sdk-evaluation",
    "native-tls",
    "opendal",
    "os_info",
    "postgres",
    "pprof",
    "prost-build",
    # TODO(guswynn): switch to tracing in rdkafka
    "rdkafka",
    "reqsign",
    "reqwest",
    "rustls",
    "sqlparser",
    "tokio-postgres",
    "tokio-tungstenite",
    "tracing-log",
    "tracing",
    "tungstenite",
    "want",
    "zopfli",
]

# once_cell is going to be added to std, and doesn't use macros
# Unfortunately, its heavily used, so we have lots of exceptions.
[[bans.deny]]
name = "lazy_static"
wrappers = [
    "dynfmt",
    "findshlibs",
    "launchdarkly-server-sdk",
    "launchdarkly-server-sdk-evaluation",
    "num-bigint-dig",
    "prometheus",
    "rayon-core",
    "sharded-slab",
]

# The `uncased` crate serves the same purpose as `unicase` and is more
# actively maintained.
[[bans.deny]]
name = "unicase"
wrappers = [
    "mime_guess",
    "pulldown-cmark",
]

# We shouldn't manually vendor `protoc`, instead rely on it through `mz-build-tools`.
[[bans.deny]]
name = "protobuf-src"
wrappers = [
    "mz-build-tools",
    "protobuf-native",
]

[advisories]
version = 2
ignore = [
    # Consider `encoding_rs` instead of `encoding` (unmaintained)
    "RUSTSEC-2021-0153",
    # `proc-macro-error2` (the maintained fork of `proc-macro-error`) is now also
    # unmaintained. Pulled in transitively via `tabled` -> `tabled_derive`. No
    # safe upgrade is available.
    "RUSTSEC-2026-0173",
    # `http-types`'s `Authorization::value`/`WwwAuthenticate::value` can violate
    # ASCII invariants. The crate is unmaintained and pulled in transitively via
    # the `azure_*` crates. No safe upgrade is available.
    "RUSTSEC-2026-0174",
    # `derivative` is unmaintained; consider using an alternative (unmaintained)
    "RUSTSEC-2024-0388",
    # The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md) that this project is not longer maintained as well as archived the repository
    "RUSTSEC-2024-0436",
    # Bincode is unmaintained, the team considers version 1.3.3 a complete version of bincode that is not in need of any updates.
    "RUSTSEC-2025-0141",
    # rand unsoundness when a custom logger accesses ThreadRng during reseeding.
    # Affects transitive deps (rand 0.7.3 via http-types, rand 0.8.5 via fail/quickcheck/etc).
    "RUSTSEC-2026-0097",
    # Allows private key leakage through timing information
    # rsa is required through iceberg-storage-opendal
    "RUSTSEC-2023-0071",
]

# Must be manually kept in sync with about.toml.
# See: https://github.com/EmbarkStudios/cargo-about/issues/201
[licenses]
version = 2
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "CC0-1.0",
    "0BSD",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ICU",
    "ISC",
    "MIT",
    "MPL-2.0",
    "Zlib",
    "Unicode-3.0",
]
# copyleft is denied by default
private = { ignore = true }
[[licenses.clarify]]
name = "ring"
expression = "ISC"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 }
]

[sources]
unknown-git = "deny"
unknown-registry = "deny"
# Do not allow non-MaterializeInc Git repositories here! Git repositories must
# be owned by the MaterializeInc organization so that maintainership is shared
# amongst Materialize employees and so that historical versions of Materialize
# remain buildable even if upstream Git repositories disappear. If you don't
# have permissions to create a fork in the MaterializeInc organization, ask in
# #eng-infra on Slack.
allow-org = { github = ["MaterializeInc"] }