Fix Cargo Deny issues

frequency-chain · Mar 10, 2025 · 4d03250 · 4d03250
1 parent a8aab29
commit 4d03250
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 31 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/deny.toml b/deny.toml
@@ -64,19 +64,23 @@ feature-depth = 1
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
 ignore = [
-  #"RUSTSEC-0000-0000",
-  #{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
-  #"[email protected]", # you can also ignore yanked crate versions if you wish
-  #{ crate = "[email protected]", reason = "you can specify why you are ignoring the yanked crate" },
-  { id = "RUSTSEC-2022-0061", reason = "Substrate Dependency deprecation. Eventually there will be an update. See https://github.com/paritytech/parity-wasm/pull/334 and https://github.com/paritytech/polkadot-sdk/issues/118" },
-  { id = "RUSTSEC-2021-0139", reason = "Substrate dependency deprecation. See https://github.com/paritytech/polkadot-sdk/issues/31" },
-  { id = "RUSTSEC-2020-0168", reason = "There is no suitable replacement for mach and the mach2 crate has not been vetted." },
-  { id = "RUSTSEC-2024-0336", reason = "Only use of [email protected] is in futures-rustls which does not use the effected code" },
-  { id = "RUSTSEC-2024-0344", reason = "We are only able to remove this once parity updates its dependencies. Older versions of curve25519-dalek should get replaces with >= 4.1.3" },
-  { id = "RUSTSEC-2022-0093", reason = "The vulnerable code is not exploitable in Frequency because the signing function is not exposed in a way that allows the use of arbitrary public keys, ensuring protection against the described vulnerability." },
-  { id = "RUSTSEC-2024-0370", reason = "proc-macro-error is used by a few dependencies, and while unmaintained, is not currently an issue." },
-  { id = "RUSTSEC-2024-0388", reason = "This is an inner dependency that would get updated when cumulus-primitives-core v0.7.0 is updated to a newer version"},
-  { id = "RUSTSEC-2024-0384", reason = "This is an inner dependency that would get updated when libp2p v0.51.4 and wasm-timer v0.2.5 are updated to a newer version"},
+	#"RUSTSEC-0000-0000",
+	#{ id = "RUSTSEC-0000-0000", reason = "you can specify a reason the advisory is ignored" },
+	#"[email protected]", # you can also ignore yanked crate versions if you wish
+	#{ crate = "[email protected]", reason = "you can specify why you are ignoring the yanked crate" },
+	{ id = "RUSTSEC-2022-0061", reason = "Substrate Dependency deprecation. Eventually there will be an update. See https://github.com/paritytech/parity-wasm/pull/334 and https://github.com/paritytech/polkadot-sdk/issues/118" },
+	{ id = "RUSTSEC-2021-0139", reason = "Substrate dependency deprecation. See https://github.com/paritytech/polkadot-sdk/issues/31" },
+	{ id = "RUSTSEC-2020-0168", reason = "There is no suitable replacement for mach and the mach2 crate has not been vetted." },
+	{ id = "RUSTSEC-2024-0336", reason = "Only use of [email protected] is in futures-rustls which does not use the effected code" },
+	{ id = "RUSTSEC-2024-0344", reason = "We are only able to remove this once parity updates its dependencies. Older versions of curve25519-dalek should get replaces with >= 4.1.3" },
+	{ id = "RUSTSEC-2022-0093", reason = "The vulnerable code is not exploitable in Frequency because the signing function is not exposed in a way that allows the use of arbitrary public keys, ensuring protection against the described vulnerability." },
+	{ id = "RUSTSEC-2024-0370", reason = "proc-macro-error is used by a few dependencies, and while unmaintained, is not currently an issue." },
+	{ id = "RUSTSEC-2024-0388", reason = "This is an inner dependency that would get updated when cumulus-primitives-core v0.7.0 is updated to a newer version" },
+	{ id = "RUSTSEC-2024-0384", reason = "This is an inner dependency that would get updated when libp2p v0.51.4 and wasm-timer v0.2.5 are updated to a newer version" },
+	{ id = "RUSTSEC-2024-0421", reason = "The vulnerable code is not exploitable in Frequency as the problem code is unused." },
+	{ id = "RUSTSEC-2025-0010", reason = "Substrate dependency unmaintained. Waiting for a new version of the Polkadot-SDK." },
+	{ id = "RUSTSEC-2025-0009", reason = "Substrate dependency unmaintained. Waiting for a new version of the Polkadot-SDK." },
+	{ id = "RUSTSEC-2024-0436", reason = "Substrate dependency unmaintained. Waiting for a new version of the Polkadot-SDK." },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
@@ -92,20 +96,19 @@ ignore = [
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 allow = [
-  "MIT",
-  "Apache-2.0",
-  "Apache-2.0 WITH LLVM-exception",
-  "BSD-2-Clause",
-  "BSD-3-Clause",
-  "CC0-1.0",
-  "MPL-2.0",
-  "ISC",
-  "GPL-3.0",
-  "GPL-3.0 WITH Classpath-exception-2.0",
-  "OpenSSL",
-  "Unicode-DFS-2016",
-  "Zlib",
-  "Unicode-3.0",
+	"MIT",
+	"Apache-2.0",
+	"Apache-2.0 WITH LLVM-exception",
+	"BSD-2-Clause",
+	"BSD-3-Clause",
+	"CC0-1.0",
+	"MPL-2.0",
+	"ISC",
+	"GPL-3.0",
+	"GPL-3.0 WITH Classpath-exception-2.0",
+	"OpenSSL",
+	"Unicode-DFS-2016",
+	"Zlib",
 ]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the