[bans]
multiple-versions = "deny"
# Try to avoid exemptions for duplicate dependencies! Duplicate dependencies
# slow down compilation, bloat the binary, and tickle race conditions in `cargo
# doc` (see rust-lang/cargo#3613).
#
# If possible, submit PRs upstream to remove duplicated transitive dependencies.
# You can use patch directives in the root Cargo.toml to point at a
# Materialize-maintained fork that avoids the duplicated transitive
# dependencies.
skip = [
    # arrayvec had a significant API change in 0.7
    { name = "arrayvec", version = "0.5.2" },
    # One-time exception for base64 due to its prevalence in the crate graph.
    { name = "base64", version = "0.13.1" },
    { name = "base64", version = "0.21.5" },
    # `syn` is a core crate that a huge part of the ecosystem either directly, or
    # transitively depends on. They just released v2.0 which not all crates have
    # migrated to yet.
    { name = "syn", version = "1.0.107" },
    # `tokio` depends on a newer version of socket2, we are okay with _temporarily_
    # allowing these duplicate dependencies until the rest of the ecosystem catches
    # up.
    { name = "socket2", version = "0.4.9" },
    # held back by regex 1.7.0 depended on by arrow-string and bindgen
    { name = "regex-syntax", version = "0.6.28" },
    # held back by thrift 0.17.0 depended on by parquet 51.0.0
    { name = "ordered-float", version = "2.10.1" },
    { name = "ordered-float", version = "4.6.0" },
    # held back by 'ciborium' which is depended on by 'criterion'
    { name = "half", version = "1.6.0" },
    { name = "windows-targets", version = "0.48.0" },
    { name = "windows-sys", version = "0.48.0" },
    { name = "windows_aarch64_gnullvm", version = "0.48.0" },
    { name = "windows_aarch64_msvc", version = "0.48.0" },
    { name = "windows_i686_gnu", version = "0.48.0" },
    { name = "windows_i686_msvc", version = "0.48.0" },
    { name = "windows_x86_64_gnullvm", version = "0.48.0" },
    { name = "windows_x86_64_gnu", version = "0.48.0" },
    { name = "windows_x86_64_msvc", version = "0.48.0" },
    { name = "windows-sys", version = "0.52.0" },
    # Newer versions of crates like `tempfile` are held back by crates like `atty`.
    # This is very Unfortunate as we don't actually use these platforms.
    { name = "redox_syscall", version = "0.2.10" },
    { name = "redox_syscall", version = "0.4.1" },

    # Will require updating many crates
    { name = "indexmap", version = "1.9.1" },
    # Required by indexmap 1.9.1, which is depended on by many things
    { name = "hashbrown", version = "0.12.3" },
    { name = "hashbrown", version = "0.14.5" },

    # Had to update `tower-http` to `0.4.3` to fix the `base64` duplicate version
    # but this introduced a new dependency on `bitflags 2.3.3` but all the rest of
    # our crates use `bitflags 1.3.2`
    # TODO: fork `tower-http` and swap to use older bitflags
    { name = "bitflags", version = "1.3.2" },

    # TODO(parkmycar): In a followup/stacked PR, get rid of these duplicates.
    { name = "regex-automata", version = "0.1.9" },

    # TODO: Required for Rust nightly upgrade
    { name = "http", version = "0.2.9" },

    # TODO: Required for Rust nightly upgrade
    { name = "http-body", version = "0.4.5" },

    # There are many external crates that rely on 0.10.5. Upgrading them should
    # be its own PR.
    { name = "itertools", version = "0.10.5" },

    # A few crates -> `num_enum_derive` -> `proc-macro-crate` -> `toml_edit v0.19.14`.
    { name = "toml_edit", version = "0.19.14" },
    { name = "winnow", version = "0.5.4" },

    # There are some crates in our dependency tree that have yet to upgrade to
    # `hyper 1.*`. As of now these are:
    #     * `aws-config`
    #     * `aws-smithy-runtime`
    #     * `eventsource-client`
    #     * `launchdarkly-server-sdk`
    # Until they upgrade we'll need to duplicate some related hyper deps.

    { name = "hyper", version = "0.14.27" },

    { name = "h2", version = "0.3.26" },

    { name = "hyper-tls", version = "0.5.0" },

    { name = "hyper-timeout", version = "0.4.1" },

    { name = "tungstenite", version = "0.24.0" },
    { name = "tokio-tungstenite", version = "0.24.0" },

    # `axum 0.7.5` depends on both `sync_wrapper 1.*` and `axum-core 0.4.3`.
    # The latter depends on `sync_wrapper 0.1.*`.
    { name = "sync_wrapper", version = "0.1.2" },

    { name = "memmap2", version = "0.5.4" },

    { name = "wasi", version = "0.9.0+wasi-snapshot-preview1" },
    { name = "wasi", version = "0.11.0+wasi-snapshot-preview1" },
    { name = "async-channel", version = "1.9.0" },
    { name = "event-listener", version = "2.5.3" },
    { name = "fastrand", version = "1.9.0" },
    { name = "futures-lite", version = "1.13.0" },
    { name = "getrandom", version = "0.1.16" },
    { name = "getrandom", version = "0.2.10" },
    { name = "rand", version = "0.7.3" },
    { name = "rand", version = "0.8.5" },
    { name = "rand_chacha", version = "0.2.2" },
    { name = "rand_chacha", version = "0.3.0" },
    { name = "rand_core", version = "0.5.1" },
    { name = "rand_core", version = "0.6.2" },
    { name = "reqwest", version = "0.11.24" },
    { name = "rustls-pemfile", version = "1.0.4" },
    # Used by reqwest
    { name = "system-configuration", version = "0.5.1" },
    { name = "system-configuration-sys", version = "0.5.0" },
    { name = "thiserror", version = "1.0.61" },
    { name = "thiserror-impl", version = "1.0.61" },
    { name = "twox-hash", version = "1.6.3" },
    { name = "unicode-width", version = "0.1.10" },
    # Used by rdkafka-sys
    { name = "num_enum", version = "0.5.11" },
    { name = "num_enum_derive", version = "0.5.11" },
    # Used by protobuf-parse
    { name = "which", version = "4.4.2" },
    # Used by tempfile
    { name = "linux-raw-sys", version = "0.9.2" },
    { name = "rustix", version = "0.38.44" },
    # Used by axum
    { name = "tower", version = "0.4.13" },
    # Used by tracing-capture
    { name = "predicates", version = "2.1.5" },
    # Used by launchdarkly-server-sdk (via moka)
    { name = "windows-result", version = "0.2.0" },
    { name = "windows-strings", version = "0.1.0" },
    { name = "windows-targets", version = "0.52.6" },
    { name = "windows_aarch64_gnullvm", version = "0.52.6" },
    { name = "windows_aarch64_msvc", version = "0.52.6" },
    { name = "windows_i686_gnu", version = "0.52.6" },
    { name = "windows_i686_gnullvm", version = "0.52.6" },
    { name = "windows_i686_msvc", version = "0.52.6" },
    { name = "windows_x86_64_gnu", version = "0.52.6" },
    { name = "windows_x86_64_gnullvm", version = "0.52.6" },
    { name = "windows_x86_64_msvc", version = "0.52.6" },
    # Used by aws-config
    { name = "aws-smithy-http", version = "0.60.10" },
    # Used by aws-sdk-s3
    { name = "lru", version = "0.12.5" },
    # Used by tower-lsp
    { name = "dashmap", version = "5.5.3" },
    # Used by bindgen
    { name = "itertools", version = "0.12.1" },
    { name = "itertools", version = "0.13.0" },
    # Used by pprof
    { name = "nix", version = "0.26.4" },
    # Used by dynfmt
    { name = "erased-serde", version = "0.3.26" },
]

[[bans.deny]]
crate = "crossbeam-channel@0.5.14"
reason = "memory corruption, https://github.com/MaterializeInc/database-issues/issues/9091"

# Use `tracing` instead.
[[bans.deny]]
name = "env_logger"

# Use `md-5` instead, which is part of the RustCrypto ecosystem.
[[bans.deny]]
name = "md5"

# Use `sha1` instead, which the RustCrypto ecosystem recently took control of.
# `sha-1` is the older and now deprecated name.
[[bans.deny]]
name = "sha-1"

# Use `prost` or `protobuf-native` instead.
[[bans.deny]]
name = "protobuf"
wrappers = ["protobuf-parse"]

# Strum has suspect code quality and includes many unneeded features. Use
# more targeted enum macro crates, e.g. `enum-kinds`.
[[bans.deny]]
name = "strum"
[[bans.deny]]
name = "strum-macros"

[[bans.deny]]
name = "log"
wrappers = [
    "azure_svc_blobstorage",
    "buildid",
    "cookie_store",
    "deadpool-postgres",
    "eventsource-client",
    "fail",
    "generator",
    "globset",
    "launchdarkly-server-sdk",
    "launchdarkly-server-sdk-evaluation",
    "native-tls",
    "os_info",
    "postgres",
    "pprof",
    "prost-build",
    "protobuf-parse",
    # TODO(guswynn): switch to tracing in rdkafka
    "rdkafka",
    "reqwest",
    "tokio-postgres",
    "tokio-tungstenite",
    "tracing-log",
    "tracing",
    "tungstenite",
    "want",
    "wasm-bindgen-backend",
    "workspace-hack",
]

# We prefer the system's native TLS or OpenSSL to Rustls, since they are more
# mature and more widely used.
[[bans.deny]]
name = "rustls"

# once_cell is going to be added to std, and doesn't use macros
# Unfortunately, its heavily used, so we have lots of exceptions.
[[bans.deny]]
name = "lazy_static"
wrappers = [
    "bindgen",
    "dynfmt",
    "findshlibs",
    "launchdarkly-server-sdk",
    "launchdarkly-server-sdk-evaluation",
    "prometheus",
    "proptest",
    "rayon-core",
    "schannel",
    "sharded-slab",
]

# The `uncased` crate serves the same purpose as `unicase` and is more
# actively maintained.
[[bans.deny]]
name = "unicase"
wrappers = [
    "mime_guess",
]

# We shouldn't manually vendor `protoc`, instead rely on it through `mz-build-tools`.
[[bans.deny]]
name = "protobuf-src"
wrappers = [
    "mz-build-tools",
    "protobuf-native",
]

[advisories]
version = 2
ignore = [
    # Consider `encoding_rs` instead of `encoding` (unmaintained)
    "RUSTSEC-2021-0153",
    # proc-macro-error is unmaintained, possible alternative: proc-macro-error2
    "RUSTSEC-2024-0370",
    # `derivative` is unmaintained; consider using an alternative (unmaintained)
    "RUSTSEC-2024-0388",
    # `instant` is unmaintained, and the author recommends using the maintained [`web-time`] crate instead.
    "RUSTSEC-2024-0384",
    # The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md) that this project is not longer maintained as well as archived the repository
    "RUSTSEC-2024-0436",
]

# Must be manually kept in sync with about.toml.
# See: https://github.com/EmbarkStudios/cargo-about/issues/201
[licenses]
version = 2
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "CC0-1.0",
    "0BSD",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ICU",
    "ISC",
    "MIT",
    "MPL-2.0",
    "Zlib",
    "Unicode-3.0",
]
# copyleft is denied by default
private = { ignore = true }
[[licenses.clarify]]
name = "ring"
expression = "ISC"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 }
]

[sources]
unknown-git = "deny"
unknown-registry = "deny"
# Do not allow non-MaterializeInc Git repositories here! Git repositories must
# be owned by the MaterializeInc organization so that maintainership is shared
# amongst Materialize employees and so that historical versions of Materialize
# remain buildable even if upstream Git repositories disappear. If you don't
# have permissions to create a fork in the MaterializeInc organization, ask in
# #eng-infra on Slack.
allow-org = { github = ["MaterializeInc"] }