From e6fd2cf18c8042e8b194a40ffe1df088d6bb6c8f Mon Sep 17 00:00:00 2001
From: panos
Date: Thu, 26 Mar 2026 12:28:14 +0800
Subject: [PATCH 1/3] ci(deny): add cargo-deny dependency audit workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add `deny.toml` and `.github/workflows/deny.yml` to run `cargo deny check all` on Cargo.lock changes. This checks for known security advisories, license compliance, banned crates, and trusted git sources.

Also upgrades transitive dependencies to fix known vulnerabilities:
- tar 0.4.44 → 0.4.45 (RUSTSEC-2026-0067, RUSTSEC-2026-0068)
- rustls-webpki 0.103.9 → 0.103.10 (RUSTSEC-2026-0049)
- tracing-subscriber 0.3.22 → 0.3.23

lru 0.12.x (RUSTSEC-2026-0002) is ignored — pinned by reth fork, fix requires semver-incompatible 0.16.3.
---
 .github/workflows/deny.yml | 24 +++++++++++
 Cargo.lock | 50 +++++++++++------------
 deny.toml | 81 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 130 insertions(+), 25 deletions(-)
 create mode 100644 .github/workflows/deny.yml
 create mode 100644 deny.toml

diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
new file mode 100644
index 0000000..bb1a434
--- /dev/null
+++ b/.github/workflows/deny.yml
@@ -0,0 +1,24 @@
+name: Deny
+
+on:
+ push:
+ branches: [main]
+ paths: [Cargo.lock]
+ pull_request:
+ paths: [Cargo.lock]
+
+permissions:
+ contents: read
+
+jobs:
+ deny:
+ name: cargo-deny
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Run cargo-deny
+ uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ command: check all
diff --git a/Cargo.lock b/Cargo.lock
index 54ad644..e38d1a9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -948,7 +948,7 @@ version = "1.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]]
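Review bot: Both `uses:` references in the new workflow are mutable tags (`actions/checkout@v4`, `EmbarkStudios/cargo-deny-action@v2`), so the job that audits the dependency supply chain is itself resolved through a tag that the upstream repository can move; pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: EmbarkStudios/cargo-deny-action@<commit-sha>  # v2`. The `on:` block also only fires on `push`/`pull_request` events that touch `Cargo.lock`, yet advisories are published against a lockfile that has not changed, so a `schedule:` trigger (`schedule: [{ cron: "0 6 * * *" }]` or similar) is needed for the advisories check to catch new RUSTSEC entries; the same gap remains after the trigger change in the second patch of this series. The `permissions: contents: read` block is at workflow scope, which is appropriate here since the action only reads the tree.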
@@ -959,7 +959,7 @@ checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d" dependencies = [ "anstyle", "once_cell_polyfill", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -2416,7 +2416,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ab67060fc6b8ef687992d439ca0fa36e7ed17e9a0b16b25b601e8757df720de" dependencies = [ "data-encoding", - "syn 2.0.117", + "syn 1.0.109", ] [[package]] @@ -2598,7 +2598,7 @@ dependencies = [ "libc", "option-ext", "redox_users 0.5.2", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -2829,7 +2829,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] @@ -5119,7 +5119,7 @@ version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -8687,7 +8687,7 @@ dependencies = [ "tracing-journald", "tracing-logfmt", "tracing-samply", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", ] [[package]] @@ -8703,7 +8703,7 @@ dependencies = [ "opentelemetry_sdk", "tracing", "tracing-opentelemetry", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", "url", ] @@ -9285,7 +9285,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys 0.4.15", - "windows-sys 0.59.0", + "windows-sys 0.52.0", ] [[package]] @@ -9298,7 +9298,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys 0.12.1", - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] @@ -9356,7 +9356,7 @@ dependencies = [ "security-framework", "security-framework-sys", "webpki-root-certs 0.26.11", - "windows-sys 0.59.0", + "windows-sys 0.52.0", ] [[package]] 
@@ -9367,9 +9367,9 @@ checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" [[package]] name = "rustls-webpki" -version = "0.103.9" +version = "0.103.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53" +checksum = "df33b2b81ac578cabaf06b89b0631153a3f416b0a886e8a7a1707fb51abbd1ef" dependencies = [ "ring", "rustls-pki-types", @@ -9875,7 +9875,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.60.2", ] [[package]] @@ -10052,9 +10052,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tar" -version = "0.4.44" +version = "0.4.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a" +checksum = "22692a6476a21fa75fdfc11d452fda482af402c008cdbaf3476414e122040973" dependencies = [ "filetime", "libc", @@ -10071,7 +10071,7 @@ dependencies = [ "getrandom 0.4.2", "once_cell", "rustix 1.1.4", - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] @@ -10464,7 +10464,7 @@ dependencies = [ "crossbeam-channel", "thiserror 2.0.18", "time", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", ] [[package]] @@ -10506,7 +10506,7 @@ checksum = "2d3a81ed245bfb62592b1e2bc153e77656d94ee6a0497683a65a12ccaf2438d0" dependencies = [ "libc", "tracing-core", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", ] [[package]] @@ -10529,7 +10529,7 @@ dependencies = [ "time", "tracing", "tracing-core", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", ] [[package]] @@ -10544,7 +10544,7 @@ dependencies = [ "tracing", "tracing-core", "tracing-log", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", "web-time", ] 
@@ -10561,7 +10561,7 @@ dependencies = [ "memmap2", "smallvec", "tracing-core", - "tracing-subscriber 0.3.22", + "tracing-subscriber 0.3.23", ] [[package]] @@ -10585,9 +10585,9 @@ dependencies = [ [[package]] name = "tracing-subscriber" -version = "0.3.22" +version = "0.3.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f30143827ddab0d256fd843b7a66d164e9f271cfa0dde49142c5ca0ca291f1e" +checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319" dependencies = [ "matchers", "nu-ansi-term", @@ -11145,7 +11145,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.48.0", ] [[package]] diff --git a/deny.toml b/deny.toml new file mode 100644 index 0000000..03ed2c2 --- /dev/null +++ b/deny.toml 
@@ -0,0 +1,81 @@
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+yanked = "warn"
+ignore = [
+ # https://rustsec.org/advisories/RUSTSEC-2024-0436 paste! is unmaintained
+ "RUSTSEC-2024-0436",
+ # https://rustsec.org/advisories/RUSTSEC-2025-0141 bincode is unmaintained
+ "RUSTSEC-2025-0141",
+ # https://rustsec.org/advisories/RUSTSEC-2026-0002 lru 0.12.x unsound IterMut
+ # pinned by reth fork at 0.12.5, fix requires 0.16.3 (semver-incompatible)
+ "RUSTSEC-2026-0002",
+]
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+# Lint level for when a crate version requirement is `*`
+wildcards = "allow"
+highlight = "all"
+deny = []
+skip = []
+skip-tree = []
+
+[licenses]
+version = 2
+confidence-threshold = 0.8
+# Ignore private workspace members entirely
+private = { ignore = true }
+
+# List of explicitly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+allow = [
+ "MIT",
+ "MIT-0",
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "BSL-1.0",
+ "0BSD",
+ "CC0-1.0",
+ "ISC",
+ "Unlicense",
+ "Unicode-3.0",
+ "Zlib",
+ # https://github.com/rustls/webpki/blob/main/LICENSE ISC Style
+ "LicenseRef-rustls-webpki",
+ "CDLA-Permissive-2.0",
+ "MPL-2.0",
+]
+
+exceptions = [
+ { allow = ["MPL-2.0"], name = "option-ext" },
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
+
+[[licenses.clarify]]
+name = "rustls-webpki"
+expression = "LicenseRef-rustls-webpki"
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+unknown-registry = "warn"
+unknown-git = "deny"
+allow-git = [
+ "https://github.com/morph-l2/reth",
+ "https://github.com/rustyhorde/vergen",
+]

From f99909a6905deeabd426697f22afdbef099bd8c6 Mon Sep 17 00:00:00 2001
From: panos
Date: Thu, 26 Mar 2026 13:00:44 +0800
Subject: [PATCH 2/3] ci(deny): also trigger on deny.toml changes

---
 .github/workflows/deny.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index bb1a434..7dcb839 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -3,9 +3,9 @@ name: Deny on: push: branches: [main] - paths: [Cargo.lock] + paths: [Cargo.lock, deny.toml] pull_request: - paths: [Cargo.lock] + paths: [Cargo.lock, deny.toml] permissions: contents: read

From af7085fbdc4f7f0bbb2ec7aa558ac905a7f3f5d1 Mon Sep 17 00:00:00 2001
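Review bot: `unknown-registry = "warn"` in `[sources]` lets a crate resolved from a registry other than crates.io through with only a warning, while `unknown-git` in the same table is `"deny"` and the commit message presents this check as enforcing trusted sources; set `unknown-registry = "deny"` so the two are consistent. The `[advisories]` table carries no `version = 2` although `[licenses]` does, so the default severity of unmaintained/unsound advisories depends on which cargo-deny release the action installs; declare `version = 2` explicitly, and note that an `ignore` entry keyed by ID such as `"RUSTSEC-2026-0002"` suppresses that advisory for every crate version it matches, not only the `lru 0.12.5` pinned by the reth fork, so it is worth revisiting when that fork updates. The `exceptions` entry granting `MPL-2.0` to `option-ext` is redundant as written because `"MPL-2.0"` is already in the global `allow` list; either remove `"MPL-2.0"` from `allow` so the exception actually scopes it, or drop the exception. `multiple-versions = "warn"` will likewise only warn about the additional `windows-sys` and `syn 1.0.109` duplicates that this series' `Cargo.lock` changes introduce.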
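Review bot: With `paths:` filters on both `push` and `pull_request`, a pull request that touches neither `Cargo.lock` nor `deny.toml` never starts this workflow, and if `cargo-deny` is (or later becomes) a required status check the check then stays in the pending state and blocks merging; either keep this job out of the required set or add a fallback workflow with the same job name that reports success when the filtered paths are untouched. The two `paths: [Cargo.lock, deny.toml]` lists are now duplicated and will drift, so consider a single YAML anchor or a comment pointing out that both must stay in sync. The `on:` block still has no `schedule:` entry, which was noted on the first patch of this series.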
From: panos
Date: Fri, 27 Mar 2026 14:29:31 +0800
Subject: [PATCH 3/3] fix(deny): add LicenseRef-ring to allowed licenses

ring uses a custom license (ISC + OpenSSL + SSLeay) declared via licenses.clarify but was missing from the allow list, causing cargo-deny license checks to fail.
---
 deny.toml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/deny.toml b/deny.toml
index 03ed2c2..12e4853 100644
--- a/deny.toml
+++ b/deny.toml
@@ -51,6 +51,8 @@ allow = [ "Zlib", # https://github.com/rustls/webpki/blob/main/LICENSE ISC Style "LicenseRef-rustls-webpki", + # https://github.com/briansmith/ring/blob/main/LICENSE ISC + OpenSSL + SSLeay + "LicenseRef-ring", "CDLA-Permissive-2.0", "MPL-2.0", ]
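Review bot: Putting `"LicenseRef-ring"` into the global `allow` list accepts that identifier for any crate in the graph, not just `ring`: a `LicenseRef-*` name is only meaningful through the `[[licenses.clarify]]` entry that assigns it, but any other crate whose `license` field carries the same string would now pass the license check unexamined. Scope it to the crate with the pattern the file already uses for `option-ext`, `{ allow = ["LicenseRef-ring"], name = "ring" }` under `exceptions`, and do the same for `"LicenseRef-rustls-webpki"` two lines above in this hunk. The new comment should also say that the clarification is tied to the LICENSE file hash declared in the clarify entry, so a ring upgrade that changes that file needs the hash refreshed or the clarification may no longer apply (behaviour inferred from the hash field; confirm against the cargo-deny version in use).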