Update dependencies and refine tooling

- Pin cargo-deny/nextest/llvm-cov/audit versions
- Enable license checks in CI
- Clarify implied-vol MIT license with hash verification
- Update workspace license from deprecated LGPL-3.0 to LGPL-3.0-or-later

Author: cjdsellers

.github/workflows/build-v2.yml

@@ -57,15 +57,11 @@ jobs:
           persist-credentials: false
 
       # https://github.com/EmbarkStudios/cargo-deny-action
-      # NOTE: License checking is disabled due to implied-vol crate not declaring
-      # its license in Cargo.toml (has MIT LICENSE file but shows as "unlicensed").
-      # License compliance is verified manually until this is resolved upstream.
-      # See deny.toml for documented exception and tracking.
-      - name: Run cargo-deny (advisories, sources, bans)
+      - name: Run cargo-deny (advisories, licenses, sources, bans)
         uses: EmbarkStudios/cargo-deny-action@f9cc7aa250dec5698b425dc01fbf0d745fcd1b78 # v2.0.13
         with:
+          command: check advisories licenses sources bans
           arguments: --all-features
-          command: check advisories sources bans
 
   build:
     needs:

.github/workflows/build.yml

@@ -52,15 +52,11 @@ jobs:
           persist-credentials: false
 
       # https://github.com/EmbarkStudios/cargo-deny-action
-      # NOTE: License checking is disabled due to implied-vol crate not declaring
-      # its license in Cargo.toml (has MIT LICENSE file but shows as "unlicensed").
-      # License compliance is verified manually until this is resolved upstream.
-      # See deny.toml for documented exception and tracking.
-      - name: Run cargo-deny (advisories, sources, bans)
+      - name: Run cargo-deny (advisories, licenses, sources, bans)
         uses: EmbarkStudios/cargo-deny-action@f9cc7aa250dec5698b425dc01fbf0d745fcd1b78 # v2.0.13
         with:
+          command: check advisories licenses sources bans
           arguments: --all-features
-          command: check advisories sources bans
 
   build-linux-x86:
     strategy:

.pre-commit-config.yaml

@@ -137,16 +137,14 @@ repos:
   ##############################################################################
   #  Rust formatting and linting
   ##############################################################################
-  - repo: local
+  - repo: https://github.com/EmbarkStudios/cargo-deny
+    rev: 0.18.5
     hooks:
       - id: cargo-deny
-        name: cargo deny
-        description: Run cargo-deny security checks (advisories, sources, bans)
-        entry: .pre-commit-hooks/cargo_deny.sh
-        language: script
-        files: '(Cargo\.(toml|lock)|deny\.toml)$'
-        pass_filenames: false
+        args: ["--all-features", "check"]
 
+  - repo: local
+    hooks:
       - id: check-anyhow-usage
         name: check anyhow usage
         description:

.pre-commit-hooks/cargo_deny.sh

@@ -38,7 +38,7 @@ version = "0.52.0"
 edition = "2024"
 rust-version = "1.90.0"
 authors = ["Nautech Systems <[email protected]>"]
-license = "LGPL-3.0"
+license = "LGPL-3.0-or-later"
 readme = "README.md"
 description = "A high-performance algorithmic trading platform and event-driven backtester"
 categories = ["finance", "simulation", "asynchronous"]
@@ -331,6 +331,15 @@ turmoil = "0.6.6"
 # -----------------------------------------------------------------------------
 cbindgen = "0.29.2"
 
+# -----------------------------------------------------------------------------
+# Tools (for cargo install, used by Makefile and CI)
+# -----------------------------------------------------------------------------
+[workspace.metadata.tools]
+cargo-audit = "0.21.2"
+cargo-deny = "0.18.5"
+cargo-llvm-cov = "0.6.21"
+cargo-nextest = "0.9.108"
+
 # -----------------------------------------------------------------------------
 # Profiles
 # -----------------------------------------------------------------------------

Cargo.lock

@@ -6,6 +6,12 @@ IMAGE?=$(REGISTRY)$(PROJECT)
 GIT_TAG:=$(shell git rev-parse --abbrev-ref HEAD)
 IMAGE_FULL?=$(IMAGE):$(GIT_TAG)
 
+# Tool versions from Cargo.toml [workspace.metadata.tools]
+CARGO_AUDIT_VERSION := $(shell grep '^cargo-audit *= *"' Cargo.toml | awk -F\" '{print $$2}')
+CARGO_DENY_VERSION := $(shell grep '^cargo-deny *= *"' Cargo.toml | awk -F\" '{print $$2}')
+CARGO_LLVM_COV_VERSION := $(shell grep '^cargo-llvm-cov *= *"' Cargo.toml | awk -F\" '{print $$2}')
+CARGO_NEXTEST_VERSION := $(shell grep '^cargo-nextest *= *"' Cargo.toml | awk -F\" '{print $$2}')
+
 V = 0  # 0 / 1 - verbose mode
 Q = $(if $(filter 1,$V),,@) # Quiet mode, suppress command output
 M = $(shell printf "\033[0;34m>\033[0m") # Message prefix for commands
@@ -242,10 +248,12 @@ cargo-build:  #-- Build Rust crates in release mode
 	cargo build --release --all-features
 
 .PHONY: cargo-update
-cargo-update:  #-- Update Rust dependencies and install test tools
+cargo-update:  #-- Update Rust dependencies and install required tools (versions from Cargo.toml)
 	cargo update \
-	&& cargo install cargo-nextest \
-	&& cargo install cargo-llvm-cov
+	&& cargo install cargo-deny --version $(CARGO_DENY_VERSION) --locked \
+	&& cargo install cargo-nextest --version $(CARGO_NEXTEST_VERSION) --locked \
+	&& cargo install cargo-llvm-cov --version $(CARGO_LLVM_COV_VERSION) --locked \
+	&& cargo install cargo-audit --version $(CARGO_AUDIT_VERSION) --locked
 
 .PHONY: cargo-check
 cargo-check:  #-- Check Rust code without building

Cargo.toml

@@ -12,14 +12,20 @@ Released on TBD (UTC).
 - Dropped support for Python 3.11
 
 ### Security
+TBD
 
 ### Fixes
+None
 
 ### Internal Improvements
+- Refactored reading of feather files in catalog (#3114), thanks @faysou
+- Upgraded implied-vol crate (#3115), thanks @faysou
 
 ### Documentation Updates
+None
 
 ### Deprecations
+None
 
 ---
 

Makefile

@@ -38,28 +38,32 @@ allow = [
   "Apache-2.0",
   "Apache-2.0 WITH LLVM-exception",
   "BSD-2-Clause",
+  "BSD-2-Clause-Patent",
   "BSD-3-Clause",
+  "BSL-1.0",
   "ISC",
   "MPL-2.0",
   "CC0-1.0",
+  "CDLA-Permissive-2.0",
   "Zlib",
   "Unicode-DFS-2016",
   "Unicode-3.0",
   "0BSD",
   "LGPL-3.0",
+  "LGPL-3.0-only",
+  "LGPL-3.0-or-later",
   "OpenSSL",
+  "Unlicense",
 ]
 
 confidence-threshold = 0.8
 
-# Per-crate license exceptions
-exceptions = [
-  # implied-vol v1.3.0 contains an MIT LICENSE file but doesn't specify
-  # `license = "MIT"` in its Cargo.toml manifest, causing cargo-deny to
-  # fail license detection. Verified MIT licensed at:
-  # https://crates.io/crates/implied-vol/1.3.0
-  { allow = ["MIT"], crate = "implied-vol" },
-]
+# Clarify licenses for crates with missing/incorrect license metadata
+[[licenses.clarify]]
+name = "implied-vol"
+version = "*"
+expression = "MIT"
+license-files = [{ path = "LICENSE", hash = 0xb0803f0e }]
 
 [licenses.private]
 # Ignore workspace crates that aren't published