diff --git a/deny.toml b/deny.toml
index f07639d..876b52f 100644
--- a/deny.toml
+++ b/deny.toml
@@ -76,6 +76,7 @@ ignore = [
     #{ crate = "a-crate-that-is-yanked@0.1.1", reason = "you can specify why you are ignoring the yanked crate" },
 
     { id = "RUSTSEC-2023-0071", reason = "Not applicable, vulnerable path is not used" },
+    { id = "RUSTSEC-2025-0011", reason = "No alternative available" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
@@ -96,7 +97,7 @@ allow = [
     "BSD-3-Clause",
     "ISC",
     "CC0-1.0",
-    "Unicode-DFS-2016",
+#   "Unicode-DFS-2016",
     "LGPL-2.0",
     "LGPL-3.0",
     "Unicode-3.0",
@@ -115,6 +116,11 @@ exceptions = [
     #{ allow = ["Zlib"], crate = "adler32" },
     { allow = ["BSL-1.0"], name = "xxhash-rust", version = "*" },
     { allow = ["Zlib"], name = "foldhash", version = "*" },
+    { allow = ["AGPL-3.0"], name = "keyforkd", version = "*" },
+    { allow = ["AGPL-3.0"], name = "keyfork-shard", version = "*" },
+    { allow = ["AGPL-3.0"], name = "keyfork-derive-openpgp", version = "*" },
+    { allow = ["AGPL-3.0"], name = "keyfork-derive-key", version = "*" },
+    { allow = ["AGPL-3.0"], name = "keyfork", version = "*" },
 ]
 
 # Some crates don't have (easily) machine readable licensing information,