# ABOUTME: Security and dependency validation configuration for cargo-deny
# ABOUTME: Replaces custom cargo-audit bash scripting with native cargo-deny tool
# ============================================================================
# Advisory Database - Security Vulnerability Scanning
# ============================================================================
# Replaces: cargo audit --ignore RUSTSEC-2023-0071 --no-fetch --color always
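[advisories]
version = 2
# Ignored advisories with risk assessment and mitigation plans.
# Each entry carries a short `reason` so the justification is printed in
# cargo-deny's own diagnostics; the full assessment stays in the comments.
ignore = [
# -------------------------------------------------------------------------
# RUSTSEC-2023-0071: RSA 0.9.x - Marvin Attack (timing sidechannel)
# -------------------------------------------------------------------------
# Severity: 5.9/10 (Medium)
# Crate: rsa 0.9.8
# Issue: Potential key recovery through timing sidechannels during decryption
# Advisory: https://rustsec.org/advisories/RUSTSEC-2023-0071
#
# Risk Assessment: LOW for our usage
# - Only used for JWT signing/verification (RS256) in src/admin/jwks.rs
# - NOT used for decryption operations (primary attack vector)
#   NOTE(review): RS256 signing is also an RSA private-key operation, so a
#   timing leak in the private-key path may apply to it as well; confirm
#   against the advisory that the leak is specific to decryption before
#   relying on this point.
# - Admin-only feature with limited attack surface
# - 4096-bit RSA keys provide additional security margin
#
# Mitigation:
# - Monitor for rsa 0.10.0 stable release (currently RC)
# - Upgrade to 0.10.0 when stable (fixes this vulnerability)
# - Consider Ed25519 migration for future admin tokens (faster, smaller keys)
#
# Status: Accepted risk until stable fix available
# Review Date: 2025-11-15
# Next Review: 2026-01-15 or when rsa 0.10.0 stable released
{ id = "RUSTSEC-2023-0071", reason = "rsa 0.9 used only for RS256 admin JWT signing in src/admin/jwks.rs; accepted until rsa 0.10.0 stable; review by 2026-01-15" },
# -------------------------------------------------------------------------
# RUSTSEC-2024-0384: instant crate unmaintained
# -------------------------------------------------------------------------
# Severity: Informational
# Reason: Transitive dependency via reqwest-retry (no safe upgrade path)
# Status: Monitor for reqwest-retry update
{ id = "RUSTSEC-2024-0384", reason = "instant is unmaintained; transitive via reqwest-retry with no safe upgrade path yet" },
# -------------------------------------------------------------------------
# RUSTSEC-2024-0387: opentelemetry_api merged into opentelemetry
# -------------------------------------------------------------------------
# Severity: Informational
# Reason: Crate merged into parent (used by opentelemetry-stdout)
# Status: Upgrade opentelemetry-stdout when compatible version available
{ id = "RUSTSEC-2024-0387", reason = "opentelemetry_api merged into opentelemetry; pulled in by opentelemetry-stdout until a compatible version is available" },
]
# Warn (not fail) when a dependency version has been yanked from the registry.
# A yank means the publisher withdrew that version; treat warnings as a prompt
# to bump the dependency, since "warn" lets the build continue.
yanked = "warn"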
# ============================================================================
# License Validation - Ensure Only Approved Open Source Licenses
# ============================================================================
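[licenses]
# Opt into the v2 license config schema, matching [advisories] above. Under v2
# a crate's license must match an entry in `allow` (or be covered by
# `exceptions`) to pass; there is no separate copyleft/unlicensed setting.
version = 2
# Allow OSI-approved permissive licenses used by dependencies
allow = [
"MIT", # Most common permissive license
"Apache-2.0", # Apache license
"Unicode-3.0", # ICU Unicode libraries
"ISC", # ring/untrusted crypto libraries
"CDLA-Permissive-2.0", # webpki-roots TLS certificates
"BSD-3-Clause", # BSD license (crypto: curve25519, ed25519, redis, subtle, instant)
"MPL-2.0", # Mozilla Public License (option-ext)
"Zlib", # zlib license (foldhash)
]
# Confidence threshold (0.0-1.0) for matching a crate's license text to an
# SPDX identifier. Matches below this score are reported rather than silently
# accepted, so lowering it widens what passes as a listed license.
confidence-threshold = 0.93
# Per-crate exceptions (crate name plus the licenses allowed for it only).
# None needed yet; prefer a targeted exception here over adding a license to
# `allow` for the whole dependency tree.
exceptions = []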
# ============================================================================
# Dependency Bans - Prevent Problematic Dependencies
# ============================================================================
[bans]
# Warn on multiple versions of the same dependency (bloats binary)
multiple-versions = "warn"
# Deny wildcard dependencies (bad for reproducibility)
wildcards = "deny"
# Which dependency path(s) to highlight in the report when multiple versions
# of a crate are found; "all" shows every path rather than only the lowest
# version or the simplest path. This is a reporting setting, not a source
# check (registry/Git provenance is enforced in [sources]).
highlight = "all"
# Lint level applied when a workspace crate enables a dependency's `default`
# feature
workspace-default-features = "allow"
# Lint level applied when an external (non-workspace) crate enables a
# dependency's `default` feature
external-default-features = "allow"
# Explicit allow-list of crates. cargo-deny treats a non-empty list as
# exhaustive (any crate not listed is denied), so this stays empty unless the
# whole dependency tree is to be enumerated. It is not specific to build
# dependencies.
allow = []
# Crates that must not appear anywhere in the dependency graph
deny = []
# Specific crate versions exempted from the multiple-versions check
skip = []
# Crates whose whole dependency subtree is exempted from the multiple-versions
# check
skip-tree = []
# ============================================================================
# Source Validation - Only Allow Trusted Registries
# ============================================================================
[sources]
# Deny dependencies fetched from any Git repository not listed in `allow-git`
# below (prevents a dependency from being redirected to an untrusted source)
unknown-git = "deny"
# Deny any registry not listed in `allow-registry` below (only crates.io)
unknown-registry = "deny"
# Git repositories that may serve as dependency sources. Empty means no Git
# dependency is accepted at all; add a specific repository here (and pin it to
# a revision in Cargo.toml) before introducing one, rather than relaxing
# `unknown-git`.
allow-git = []
# Registries that may serve as dependency sources: the crates.io index only.
# Listing it explicitly keeps the policy visible in this file.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]