# Objective
- MPL should not be an authorised license for all crates
## Solution
- Add exception for MPL for wgpu and hexasphere
- Remove security issue for a crate we don't depend on anymore
After winit update in #2186, a bunch of duplicated dependencies changed.
Most are related to a new dependency, https://github.com/onurzdg/mio-misc, that has a few older versions in its dependencies
https://github.com/EmbarkStudios/cargo-deny
cargo-deny is a tool that can issue errors for dependency issues, among other:
* security issues in a crate
* duplicated dependencies with different versions
* unauthorised license
Added cargo-deny with an opinionated configuration:
* No middle ground with warnings, either allow or deny
* Not added to Bors, we probably don't want to block a PR on something that may happen from outside
* Different github workflow than CI to run only when Cargo.toml files are changed, or on a schedule
* Each check in its own job to help readability
* Initial config makes Bevy pass all check
Pushing a first commit with commented config to show errors
