fix deny issues

Author: refcell

Cargo.toml

@@ -200,9 +200,9 @@ alloy-op-hardforks = "0.4.4"
 op-revm = { version = "12.0.2", default-features = false }
 
 # kona
-kona-cli = { git = "https://github.com/op-rs/kona", rev = "24e7e2658e09ac00c8e6cbb48bebe6d10f8fb69d", default-features = false, features = ["secrets"] }
-kona-engine = { git = "https://github.com/op-rs/kona", rev = "24e7e2658e09ac00c8e6cbb48bebe6d10f8fb69d" }
 kona-registry = "0.4.5"
+kona-cli = { git = "https://github.com/op-rs/kona", rev = "24e7e2658e09ac00c8e6cbb48bebe6d10f8fb69d" }
+kona-engine = { git = "https://github.com/op-rs/kona", rev = "24e7e2658e09ac00c8e6cbb48bebe6d10f8fb69d" }
 kona-sources = { git = "https://github.com/op-rs/kona", rev = "24e7e2658e09ac00c8e6cbb48bebe6d10f8fb69d" }
 
 # tokio

crates/client/cli/Cargo.toml

@@ -15,11 +15,15 @@ workspace = true
 # General
 url.workspace = true
 clap.workspace = true
-thiserror.workspace = true
 reqwest.workspace = true
+thiserror.workspace = true
+
+# Alloy
 alloy-primitives.workspace = true
 alloy-signer.workspace = true
 alloy-signer-local.workspace = true
 alloy-rpc-types-engine.workspace = true
-kona-cli.workspace = true
+
+# Kona
 kona-sources.workspace = true
+kona-cli = { workspace = true, features = ["secrets"] }

deny.toml

@@ -1,14 +1,65 @@
+[advisories]
+# Ignore unmaintained/vulnerable crates that come from upstream dependencies we cannot control
+ignore = [
+    # rustls-pemfile is unmaintained but comes from bollard -> testcontainers (dev dependency)
+    # No safe upgrade available, waiting for upstream to migrate to rustls-pki-types
+    "RUSTSEC-2025-0134",
+
+    # tokio-tar has a PAX header vulnerability but comes from testcontainers (dev dependency)
+    # No safe upgrade available, tokio-tar is archived
+    "RUSTSEC-2025-0111",
+
+    # backoff is unmaintained but comes from rollup-boost -> kona-engine (upstream dependency)
+    # No safe upgrade available
+    "RUSTSEC-2025-0012",
+
+    # bincode is unmaintained but comes from reth-nippy-jar (upstream reth dependency)
+    # No safe upgrade available
+    "RUSTSEC-2025-0141",
+
+    # instant is unmaintained but comes from backoff -> rollup-boost (upstream dependency)
+    # No safe upgrade available
+    "RUSTSEC-2024-0384",
+
+    # paste is unmaintained but widely used in ecosystem (alloy, reth, etc.)
+    # No safe upgrade available
+    "RUSTSEC-2024-0436",
+]
+
+[licenses]
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "Unicode-3.0",
+    "Unlicense",
+    "Zlib",
+    "CC0-1.0",
+    "MPL-2.0",
+    "0BSD",
+    "BSL-1.0",
+    "OpenSSL",
+    "CDLA-Permissive-2.0",
+]
+
 [bans]
 deny = ["reth"]
 multiple-versions = "deny"
 
 # Skip crates with multiple versions from upstream dependencies that we cannot control
 # These are primarily from reth, alloy, and kona dependencies
 skip = [
-    # Alloy version mismatch between workspace (0.4.x) and kona-registry (0.2.x)
+    # Alloy version mismatch between workspace and kona dependencies
     "alloy-hardforks",
     "alloy-op-hardforks",
 
+    # Kona crates - git vs registry sources from different dependency paths
+    "kona-genesis",
+    "kona-registry",
+
     # Windows platform crates - different versions used by various upstream deps
     "windows-sys",
     "windows",
@@ -61,21 +112,23 @@ skip = [
     "redox_users",
 
     # Network crates
-    "yamux",
     "tungstenite",
     "tokio-tungstenite",
 
     # Metrics
     "metrics-util",
     "metrics-exporter-prometheus",
 
+    # Serialization crates - version differences across ecosystem
+    "serde_spanned",
+    "toml",
+
     # Other common duplicates from upstream
     "base64",
     "bindgen",
     "cargo_metadata",
     "core-foundation",
     "crossterm",
-    "if-addrs",
     "openssl-probe",
     "procfs",
     "procfs-core",