diff --git a/tls-client/src/client/tls12.rs b/tls-client/src/client/tls12.rs
index b8e548149..905623a2c 100644
--- a/tls-client/src/client/tls12.rs
+++ b/tls-client/src/client/tls12.rs
@@ -831,7 +831,7 @@ impl State<ClientConnectionData> for ExpectServerDone {
         let mut transcript = st.transcript;
         emit_clientkx(&mut transcript, cx.common, &key_share).await;
         // nb. EMS handshake hash only runs up to ClientKeyExchange.
-        let ems_seed = st.using_ems.then(|| transcript.get_current_hash());
+        let _ems_seed = st.using_ems.then(|| transcript.get_current_hash());
 
         // 5c.
         if let Some(ClientAuthDetails::Verify { signer, .. }) = &st.client_auth {
diff --git a/tls-client/src/client/tls13.rs b/tls-client/src/client/tls13.rs
index eeee55ef9..e45b42754 100644
--- a/tls-client/src/client/tls13.rs
+++ b/tls-client/src/client/tls13.rs
@@ -54,7 +54,7 @@ pub(super) async fn handle_server_hello(
     config: Arc<ClientConfig>,
     cx: &mut ClientContext<'_>,
     server_hello: &ServerHelloPayload,
-    mut resuming_session: Option<persist::Tls13ClientSessionValue>,
+    resuming_session: Option<persist::Tls13ClientSessionValue>,
     server_name: ServerName,
     randoms: ConnectionRandoms,
     suite: &'static Tls13CipherSuite,
diff --git a/tls-client/src/lib.rs b/tls-client/src/lib.rs
index 65f379741..a236a8d27 100644
--- a/tls-client/src/lib.rs
+++ b/tls-client/src/lib.rs
@@ -252,8 +252,8 @@
 //!   buffers. Will do nothing on non-Nightly releases.
 
 // Require docs for public APIs, deny unsafe code, etc.
-#![forbid(unsafe_code, unused_must_use)]
-#![allow(dead_code)]
+#![forbid(unsafe_code)]
+#![allow(dead_code, unused_imports)]
 #![cfg_attr(not(read_buf), forbid(unstable_features))]
 #![deny(
     clippy::clone_on_ref_ptr,