This project uses several tools to ensure dependency security and quality:

- cargo-deny
  - Purpose: Comprehensive dependency validation including license compliance, security advisories, and dependency bans
  - Configuration: `deny.toml`
  - Usage: `cargo deny check` or `make deny`
- cargo-shear
  - Purpose: Detect and remove unused dependencies
  - Usage: `cargo shear` or `make unused`
  - Auto-fix: `cargo shear --fix` or `just fix-unused`
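The following wrapper is an added example, not BLZ's own Makefile target: it runs every cargo-deny check and cargo-shear in turn, keeps going after a failure so one run reports everything that is wrong, and exits non-zero if any check failed. The `CARGO_BIN` override and the `run_dep_checks` / `run_deny_check` function names are assumptions introduced here so the script can be exercised against a stub in place of the real `cargo`.

```shell
#!/bin/sh
# Added illustration of a "check everything, report everything" pre-PR step.
# Not BLZ's code. CARGO_BIN is an assumed override (defaults to `cargo`) so the
# functions can be tested with a stub binary.

# Run one named cargo-deny check (advisories, licenses or bans); return its status.
run_deny_check() {
  "${CARGO_BIN:-cargo}" deny check "$1"
}

# Run all dependency checks listed on this page. Unlike `set -e` style scripts,
# a failing check does not stop the run: the names of all failing checks are
# collected, printed as "failed checks: ..." and the function returns 1.
# Returns 0 and prints "all dependency checks passed" when everything is clean.
run_dep_checks() {
  failed=""
  for check in advisories licenses bans; do
    if ! run_deny_check "$check"; then
      failed="$failed $check"
    fi
  done
  # cargo-shear reports unused dependencies (non-zero exit when it finds any).
  if ! "${CARGO_BIN:-cargo}" shear; then
    failed="$failed unused-deps"
  fi

  if [ -n "$failed" ]; then
    echo "failed checks:$failed"
    return 1
  fi
  echo "all dependency checks passed"
  return 0
}

# Usage: `. ./check-deps.sh && run_dep_checks` (no top-level call here so the
# file can be sourced without immediately invoking cargo).
```

Collecting failures rather than aborting on the first one matters in CI: a PR that adds both a GPL-licensed crate and a crate with an open advisory should show both problems in a single run.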
Run these checks before submitting PRs:

```bash
# Full security and dependency validation
make check-deps

# Or individually:
cargo deny check advisories   # Security advisories
cargo deny check licenses     # License compliance
cargo deny check bans         # Banned dependencies
cargo shear                   # Unused dependencies
```

If you discover a security vulnerability in BLZ, please:
- DO NOT create a public GitHub issue
- Email security details to the maintainers
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Current advisories being tracked:

| Advisory | Package | Status | Notes |
|---|---|---|---|
| RUSTSEC-2024-0384 | instant | Monitoring | Used by tantivy, awaiting upstream fix |

To add exceptions for advisories that cannot be immediately fixed, update the `[advisories]` section in `deny.toml` with a justification.
We maintain a strict license policy for dependencies:

- Allowed:
  - MIT, Apache-2.0, BSD variants (permissive)
  - MPL-2.0 (weak copyleft, allows static linking)
  - See `deny.toml` for the complete list
- Denied:
  - GPL-3.0, AGPL-3.0 (strong copyleft)
  - Any license not explicitly allowed
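As an added example (not BLZ's actual `deny.toml`), the fragment below shows how the advisory exception described in the advisories section and the allow-list license policy above could be expressed in cargo-deny's configuration. It assumes cargo-deny's version-2 configuration schema; the advisory ID and justification come from the table above, while the specific BSD variants listed and the bans settings are illustrative choices.

```toml
# Example deny.toml fragment (added illustration, not the project's own file).
# Assumes cargo-deny's version-2 schema for the advisories and licenses sections.

[advisories]
version = 2
# Every exception carries a reason so it is clear when it can be removed again.
ignore = [
    { id = "RUSTSEC-2024-0384", reason = "instant is used by tantivy, awaiting upstream fix" },
]

[licenses]
version = 2
# Only licenses in this list are accepted; anything else (GPL-3.0, AGPL-3.0,
# or an unrecognised license) fails the check simply by not being listed.
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "MPL-2.0",
]
# Require a high-confidence match when cargo-deny has to infer a license from text.
confidence-threshold = 0.9

[bans]
# Flag duplicate versions of the same crate in the dependency graph.
multiple-versions = "warn"
# Refuse wildcard (`*`) version requirements in manifests.
wildcards = "deny"
```

Keeping the `reason` on each ignored advisory is what turns a silenced warning into a tracked exception: the weekly scheduled CI run keeps re-evaluating the advisory, and the justification tells the next maintainer what to check before dropping it.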
GitHub Actions runs security checks on:

- Every push to main
- All pull requests
- Weekly schedule (to catch new advisories)

See `.github/workflows/dependencies.yml` for the CI configuration.