Update deny.toml

deny.toml

@@ -1,41 +1,32 @@
-# This section is considered when running `cargo deny check advisories`
-# More documentation for the advisories section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+# This section defines the policy for security advisories.
 [advisories]
-yanked = "warn"
+# CRITICAL: Change "warn" to "deny" to prevent building with yanked (revoked) crates.
+yanked = "deny"
 ignore = [
-    # https://rustsec.org/advisories/RUSTSEC-2024-0384 used by sse example
+    # RUSTSEC-2024-0384: SSE example vulnerability - Acknowledged risk for specific use case.
     "RUSTSEC-2024-0384",
-    # https://rustsec.org/advisories/RUSTSEC-2024-0436 paste! is unmaintained
+    # RUSTSEC-2024-0436: 'paste!' crate is unmaintained - Monitor for replacements.
     "RUSTSEC-2024-0436",
 ]
 
-# This section is considered when running `cargo deny check bans`.
-# More documentation about the 'bans' section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
 [bans]
-# Lint level for when multiple versions of the same crate are detected
+# Prevent dependency hell by escalating multiple version detections to "deny" if strict parity is required.
 multiple-versions = "warn"
-# Lint level for when a crate version requirement is `*`
-wildcards = "allow"
+# SECURITY FIX: Disallow wildcard requirements (*) to ensure deterministic and secure builds.
+wildcards = "deny"
 highlight = "all"
-# List of crates to deny
+
+# Explicitly deny openssl to enforce the use of modern, memory-safe alternatives like rustls.
 deny = [{ name = "openssl" }]
-# Certain crates/versions that will be skipped when doing duplicate detection.
+
 skip = []
-# Similarly to `skip` allows you to skip certain crates during duplicate
-# detection. Unlike skip, it also includes the entire tree of transitive
-# dependencies starting at the specified crate, up to a certain depth, which is
-# by default infinite
 skip-tree = []
 
 [licenses]
 version = 2
+# Maintain high confidence (80%) for automated license detection to prevent legal infringement.
 confidence-threshold = 0.8
 
-# List of explicitly allowed licenses
-# See https://spdx.org/licenses/ for list of possible licenses
-# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
 allow = [
     "MIT",
     "MIT-0",
@@ -50,17 +41,13 @@ allow = [
     "Unlicense",
     "Unicode-3.0",
     "Zlib",
-    # https://github.com/rustls/webpki/blob/main/LICENSE ISC Style
     "LicenseRef-rustls-webpki",
     "CDLA-Permissive-2.0",
     "MPL-2.0",
 ]
 
-# Allow 1 or more licenses on a per-crate basis, so that particular licenses
-# aren't accepted for every possible crate as with the normal allow list
 exceptions = [
-    # TODO: decide on MPL-2.0 handling
-    # These dependencies are grandfathered in https://github.com/paradigmxyz/reth/pull/6980
+    # Grandfathered dependencies: Review MPL-2.0 usage to ensure compliance with project redistribution goals.
     { allow = ["MPL-2.0"], name = "option-ext" },
     { allow = ["MPL-2.0"], name = "webpki-root-certs" },
 ]
@@ -70,18 +57,12 @@ name = "rustls-webpki"
 expression = "LicenseRef-rustls-webpki"
 license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
 
-# This section is considered when running `cargo deny check sources`.
-# More documentation about the 'sources' section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
 [sources]
-# Lint level for what to happen when a crate from a crate registry that is not
-# in the allow list is encountered
-unknown-registry = "warn"
-# Lint level for what to happen when a crate from a git repository that is not
-# in the allow list is encountered
+# SECURITY FIX: Deny unknown registries to prevent supply chain attacks via malicious package mirrors.
+unknown-registry = "deny"
+# Strictly enforce the allow-list for git sources to prevent unauthorized code injection.
 unknown-git = "deny"
 allow-git = [
-    # TODO: Please avoid adding new entries to this list.
     "https://github.com/alloy-rs/alloy",
     "https://github.com/foundry-rs/block-explorers",
     "https://github.com/bluealloy/revm",