From 390cd904e40a78d74c04caf455193848c83a8ade Mon Sep 17 00:00:00 2001 From: Viktar Makouski Date: Mon, 27 Jan 2025 12:39:09 +0300 Subject: [PATCH] import audits to cargo vet --- supply-chain/config.toml | 487 +----------- supply-chain/imports.lock | 1514 +++++++++++++++++++++++++++++++++++++ 2 files changed, 1529 insertions(+), 472 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 3a5edff0d..5f804673d 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -4,6 +4,21 @@ [cargo-vet] version = "0.10" +[imports.bytecodealliance] +url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[imports.embark] +url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + +[imports.google] +url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" + +[imports.isrg] +url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + [policy.stacks-common] audit-as-crates-io = true @@ -14,10 +29,6 @@ audit-as-crates-io = true version = "0.21.0" criteria = "safe-to-deploy" -[[exemptions.adler]] -version = "1.0.2" -criteria = "safe-to-deploy" - [[exemptions.aead]] version = "0.5.2" criteria = "safe-to-deploy" @@ -38,18 +49,10 @@ criteria = "safe-to-deploy" version = "1.1.3" criteria = "safe-to-deploy" -[[exemptions.allocator-api2]] -version = "0.2.18" -criteria = "safe-to-deploy" - [[exemptions.android-tzdata]] version = "0.1.1" criteria = "safe-to-deploy" -[[exemptions.android_system_properties]] -version = "0.1.5" -criteria = "safe-to-deploy" - [[exemptions.anstream]] version = "0.6.14" criteria = "safe-to-deploy" @@ -110,10 +113,6 @@ criteria = "safe-to-deploy" version = "1.1.0" criteria = "safe-to-run" -[[exemptions.assert-json-diff]] -version = "2.0.2" -criteria = "safe-to-run" - [[exemptions.async-io]] version = "2.3.3" criteria = "safe-to-deploy" @@ -122,14 +121,6 @@ criteria = "safe-to-deploy" version = "3.4.0" criteria = "safe-to-deploy" -[[exemptions.async-stream]] -version = "0.3.5" -criteria = "safe-to-deploy" - -[[exemptions.async-stream-impl]] -version = "0.3.5" -criteria = "safe-to-deploy" - [[exemptions.async-trait]] version = "0.1.80" criteria = "safe-to-deploy" @@ -262,18 +253,10 @@ criteria = "safe-to-deploy" version = "0.1.0" criteria = "safe-to-deploy" -[[exemptions.base64]] -version = "0.13.1" -criteria = "safe-to-deploy" - [[exemptions.base64]] version = "0.21.7" criteria = "safe-to-deploy" -[[exemptions.base64]] -version = "0.22.1" -criteria = "safe-to-deploy" - [[exemptions.base64-simd]] version = "0.8.0" criteria = "safe-to-deploy" @@ -286,10 +269,6 @@ criteria = "safe-to-deploy" version = "0.11.0" criteria = "safe-to-deploy" -[[exemptions.bindgen]] -version = "0.64.0" -criteria = "safe-to-deploy" - [[exemptions.bitcoin]] version = "0.32.5" criteria = "safe-to-deploy" @@ -322,14 +301,6 @@ criteria = "safe-to-deploy" version = "1.5.2" criteria = "safe-to-deploy" -[[exemptions.bitflags]] -version = "1.3.2" -criteria = "safe-to-deploy" - -[[exemptions.bitflags]] -version = "2.5.0" -criteria = "safe-to-deploy" - [[exemptions.bitvec]] version = "1.0.1" criteria = "safe-to-deploy" @@ -338,10 +309,6 @@ criteria = "safe-to-deploy" version = "0.10.6" criteria = "safe-to-deploy" -[[exemptions.block-buffer]] -version = "0.9.0" -criteria = "safe-to-deploy" - [[exemptions.block-buffer]] version = "0.10.4" criteria = "safe-to-deploy" @@ -354,18 +321,10 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.bumpalo]] -version = "3.16.0" -criteria = "safe-to-deploy" - [[exemptions.byte-slice-cast]] version = "1.2.2" criteria = "safe-to-deploy" -[[exemptions.byteorder]] -version = "1.5.0" -criteria = "safe-to-deploy" - [[exemptions.bytes]] version = "1.9.0" criteria = "safe-to-deploy" @@ -378,22 +337,10 @@ criteria = "safe-to-deploy" version = "1.0.98" criteria = "safe-to-deploy" -[[exemptions.cexpr]] -version = "0.6.0" -criteria = "safe-to-deploy" - -[[exemptions.cfg-expr]] -version = "0.15.8" -criteria = "safe-to-deploy" - [[exemptions.cfg-if]] version = "0.1.10" criteria = "safe-to-deploy" -[[exemptions.cfg-if]] -version = "1.0.0" -criteria = "safe-to-deploy" - [[exemptions.chacha20]] version = "0.9.1" criteria = "safe-to-deploy" @@ -406,10 +353,6 @@ criteria = "safe-to-deploy" version = "0.4.38" criteria = "safe-to-deploy" -[[exemptions.cipher]] -version = "0.4.4" -criteria = "safe-to-deploy" - [[exemptions.clang-sys]] version = "1.7.0" criteria = "safe-to-deploy" @@ -470,14 +413,6 @@ criteria = "safe-to-deploy" version = "0.6.0" criteria = "safe-to-deploy" -[[exemptions.core-foundation]] -version = "0.9.4" -criteria = "safe-to-deploy" - -[[exemptions.core-foundation-sys]] -version = "0.8.6" -criteria = "safe-to-deploy" - [[exemptions.core2]] version = "0.4.0" criteria = "safe-to-deploy" @@ -518,14 +453,6 @@ criteria = "safe-to-deploy" version = "0.8.20" criteria = "safe-to-deploy" -[[exemptions.crunchy]] -version = "0.2.2" -criteria = "safe-to-deploy" - -[[exemptions.crypto-common]] -version = "0.1.6" -criteria = "safe-to-deploy" - [[exemptions.crypto-mac]] version = "0.8.0" criteria = "safe-to-deploy" @@ -578,10 +505,6 @@ criteria = "safe-to-deploy" version = "9.0.0" criteria = "safe-to-deploy" -[[exemptions.deranged]] -version = "0.3.11" -criteria = "safe-to-deploy" - [[exemptions.deunicode]] version = "1.6.0" criteria = "safe-to-deploy" @@ -598,18 +521,10 @@ criteria = "safe-to-deploy" version = "0.9.0" criteria = "safe-to-deploy" -[[exemptions.digest]] -version = "0.10.7" -criteria = "safe-to-deploy" - [[exemptions.dircpy]] version = "0.3.19" criteria = "safe-to-deploy" -[[exemptions.dirs-next]] -version = "2.0.0" -criteria = "safe-to-deploy" - [[exemptions.dirs-sys-next]] version = "0.1.2" criteria = "safe-to-deploy" @@ -618,10 +533,6 @@ criteria = "safe-to-deploy" version = "1.0.4" criteria = "safe-to-deploy" -[[exemptions.displaydoc]] -version = "0.2.5" -criteria = "safe-to-deploy" - [[exemptions.dlv-list]] version = "0.5.2" criteria = "safe-to-deploy" @@ -662,18 +573,10 @@ criteria = "safe-to-deploy" version = "1.12.0" criteria = "safe-to-deploy" -[[exemptions.encoding_rs]] -version = "0.8.34" -criteria = "safe-to-deploy" - [[exemptions.enum-as-inner]] version = "0.6.0" criteria = "safe-to-deploy" -[[exemptions.equivalent]] -version = "1.0.1" -criteria = "safe-to-deploy" - [[exemptions.errno]] version = "0.3.9" criteria = "safe-to-deploy" @@ -706,14 +609,6 @@ criteria = "safe-to-deploy" version = "0.1.9" criteria = "safe-to-deploy" -[[exemptions.fastrand]] -version = "2.1.0" -criteria = "safe-to-deploy" - -[[exemptions.fiat-crypto]] -version = "0.2.9" -criteria = "safe-to-deploy" - [[exemptions.finl_unicode]] version = "1.2.0" criteria = "safe-to-deploy" @@ -730,26 +625,6 @@ criteria = "safe-to-deploy" version = "0.8.0" criteria = "safe-to-run" -[[exemptions.fnv]] -version = "1.0.7" -criteria = "safe-to-deploy" - -[[exemptions.foldhash]] -version = "0.1.3" -criteria = "safe-to-deploy" - -[[exemptions.foreign-types]] -version = "0.3.2" -criteria = "safe-to-deploy" - -[[exemptions.foreign-types-shared]] -version = "0.1.1" -criteria = "safe-to-deploy" - -[[exemptions.form_urlencoded]] -version = "1.2.1" -criteria = "safe-to-deploy" - [[exemptions.fragile]] version = "1.2.2" criteria = "safe-to-run" @@ -854,10 +729,6 @@ criteria = "safe-to-deploy" version = "0.28.1" criteria = "safe-to-deploy" -[[exemptions.glob]] -version = "0.3.1" -criteria = "safe-to-deploy" - [[exemptions.h2]] version = "0.3.26" criteria = "safe-to-deploy" @@ -866,18 +737,10 @@ criteria = "safe-to-deploy" version = "0.4.5" criteria = "safe-to-deploy" -[[exemptions.hashbrown]] -version = "0.12.3" -criteria = "safe-to-deploy" - [[exemptions.hashbrown]] version = "0.14.5" criteria = "safe-to-deploy" -[[exemptions.hashbrown]] -version = "0.15.2" -criteria = "safe-to-deploy" - [[exemptions.hashlink]] version = "0.8.4" criteria = "safe-to-deploy" @@ -894,18 +757,6 @@ criteria = "safe-to-deploy" version = "0.3.9" criteria = "safe-to-deploy" -[[exemptions.headers-core]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.heck]] -version = "0.4.1" -criteria = "safe-to-deploy" - -[[exemptions.heck]] -version = "0.5.0" -criteria = "safe-to-deploy" - [[exemptions.hermit-abi]] version = "0.3.9" criteria = "safe-to-deploy" @@ -914,10 +765,6 @@ criteria = "safe-to-deploy" version = "0.4.0" criteria = "safe-to-deploy" -[[exemptions.hex]] -version = "0.4.3" -criteria = "safe-to-deploy" - [[exemptions.hex-conservative]] version = "0.2.0" criteria = "safe-to-deploy" @@ -946,10 +793,6 @@ criteria = "safe-to-deploy" version = "0.8.1" criteria = "safe-to-deploy" -[[exemptions.hmac]] -version = "0.12.1" -criteria = "safe-to-deploy" - [[exemptions.hmac-drbg]] version = "0.3.0" criteria = "safe-to-deploy" @@ -974,10 +817,6 @@ criteria = "safe-to-deploy" version = "0.4.6" criteria = "safe-to-deploy" -[[exemptions.http-body]] -version = "1.0.0" -criteria = "safe-to-deploy" - [[exemptions.http-body-util]] version = "0.1.1" criteria = "safe-to-deploy" @@ -990,10 +829,6 @@ criteria = "safe-to-deploy" version = "1.8.0" criteria = "safe-to-deploy" -[[exemptions.httpdate]] -version = "1.0.3" -criteria = "safe-to-deploy" - [[exemptions.hyper]] version = "0.14.28" criteria = "safe-to-deploy" @@ -1026,22 +861,6 @@ criteria = "safe-to-deploy" version = "0.1.60" criteria = "safe-to-deploy" -[[exemptions.iana-time-zone-haiku]] -version = "0.1.2" -criteria = "safe-to-deploy" - -[[exemptions.ident_case]] -version = "1.0.1" -criteria = "safe-to-deploy" - -[[exemptions.idna]] -version = "0.4.0" -criteria = "safe-to-deploy" - -[[exemptions.idna]] -version = "0.5.0" -criteria = "safe-to-deploy" - [[exemptions.if-addrs]] version = "0.10.2" criteria = "safe-to-deploy" @@ -1078,10 +897,6 @@ criteria = "safe-to-deploy" version = "2.7.0" criteria = "safe-to-deploy" -[[exemptions.inout]] -version = "0.1.3" -criteria = "safe-to-deploy" - [[exemptions.instant]] version = "0.1.13" criteria = "safe-to-deploy" @@ -1114,18 +929,10 @@ criteria = "safe-to-deploy" version = "0.10.5" criteria = "safe-to-deploy" -[[exemptions.itertools]] -version = "0.12.1" -criteria = "safe-to-deploy" - [[exemptions.itoa]] version = "0.4.8" criteria = "safe-to-run" -[[exemptions.itoa]] -version = "1.0.11" -criteria = "safe-to-deploy" - [[exemptions.jobserver]] version = "0.1.32" criteria = "safe-to-deploy" @@ -1166,10 +973,6 @@ criteria = "safe-to-deploy" version = "0.5.0" criteria = "safe-to-deploy" -[[exemptions.lazy_static]] -version = "1.4.0" -criteria = "safe-to-deploy" - [[exemptions.lazycell]] version = "1.3.0" criteria = "safe-to-deploy" @@ -1298,10 +1101,6 @@ criteria = "safe-to-deploy" version = "0.28.0" criteria = "safe-to-deploy" -[[exemptions.linked-hash-map]] -version = "0.5.6" -criteria = "safe-to-deploy" - [[exemptions.linux-raw-sys]] version = "0.4.14" criteria = "safe-to-deploy" @@ -1322,14 +1121,6 @@ criteria = "safe-to-deploy" version = "0.1.2" criteria = "safe-to-deploy" -[[exemptions.match_cfg]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.matchers]] -version = "0.1.0" -criteria = "safe-to-deploy" - [[exemptions.matchit]] version = "0.7.3" criteria = "safe-to-deploy" @@ -1426,10 +1217,6 @@ criteria = "safe-to-deploy" version = "0.18.1" criteria = "safe-to-deploy" -[[exemptions.multibase]] -version = "0.9.1" -criteria = "safe-to-deploy" - [[exemptions.multihash]] version = "0.19.1" criteria = "safe-to-deploy" @@ -1442,10 +1229,6 @@ criteria = "safe-to-deploy" version = "0.13.0" criteria = "safe-to-deploy" -[[exemptions.native-tls]] -version = "0.2.11" -criteria = "safe-to-deploy" - [[exemptions.net2]] version = "0.2.39" criteria = "safe-to-deploy" @@ -1478,38 +1261,10 @@ criteria = "safe-to-deploy" version = "0.24.3" criteria = "safe-to-deploy" -[[exemptions.nohash-hasher]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.nom]] -version = "7.1.3" -criteria = "safe-to-deploy" - -[[exemptions.normalize-line-endings]] -version = "0.3.0" -criteria = "safe-to-run" - -[[exemptions.nu-ansi-term]] -version = "0.46.0" -criteria = "safe-to-deploy" - [[exemptions.num-bigint]] version = "0.4.6" criteria = "safe-to-deploy" -[[exemptions.num-conv]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.num-integer]] -version = "0.1.46" -criteria = "safe-to-deploy" - -[[exemptions.num-traits]] -version = "0.2.19" -criteria = "safe-to-deploy" - [[exemptions.num_cpus]] version = "1.16.0" criteria = "safe-to-deploy" @@ -1534,14 +1289,6 @@ criteria = "safe-to-deploy" version = "0.10.66" criteria = "safe-to-deploy" -[[exemptions.openssl-macros]] -version = "0.1.1" -criteria = "safe-to-deploy" - -[[exemptions.openssl-probe]] -version = "0.1.5" -criteria = "safe-to-deploy" - [[exemptions.openssl-src]] version = "300.3.1+3.3.1" criteria = "safe-to-deploy" @@ -1558,10 +1305,6 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.overload]] -version = "0.1.1" -criteria = "safe-to-deploy" - [[exemptions.p256k1]] version = "7.2.1" criteria = "safe-to-deploy" @@ -1594,18 +1337,10 @@ criteria = "safe-to-deploy" version = "0.2.3" criteria = "safe-to-deploy" -[[exemptions.peeking_take_while]] -version = "0.1.2" -criteria = "safe-to-deploy" - [[exemptions.pem]] version = "3.0.4" criteria = "safe-to-deploy" -[[exemptions.percent-encoding]] -version = "2.3.1" -criteria = "safe-to-deploy" - [[exemptions.pest]] version = "2.7.15" criteria = "safe-to-deploy" @@ -1634,14 +1369,6 @@ criteria = "safe-to-deploy" version = "1.1.5" criteria = "safe-to-deploy" -[[exemptions.pin-project-lite]] -version = "0.2.14" -criteria = "safe-to-deploy" - -[[exemptions.pin-utils]] -version = "0.1.0" -criteria = "safe-to-deploy" - [[exemptions.pkcs8]] version = "0.10.2" criteria = "safe-to-deploy" @@ -1670,10 +1397,6 @@ criteria = "safe-to-deploy" version = "1.10.0" criteria = "safe-to-deploy" -[[exemptions.powerfmt]] -version = "0.2.0" -criteria = "safe-to-deploy" - [[exemptions.ppv-lite86]] version = "0.2.17" criteria = "safe-to-deploy" @@ -1710,18 +1433,10 @@ criteria = "safe-to-deploy" version = "1.0.4" criteria = "safe-to-deploy" -[[exemptions.proc-macro-error-attr]] -version = "1.0.4" -criteria = "safe-to-deploy" - [[exemptions.proc-macro-hack]] version = "0.5.20+deprecated" criteria = "safe-to-deploy" -[[exemptions.proc-macro2]] -version = "1.0.83" -criteria = "safe-to-deploy" - [[exemptions.prometheus-client]] version = "0.22.3" criteria = "safe-to-deploy" @@ -1778,14 +1493,6 @@ criteria = "safe-to-deploy" version = "0.11.6" criteria = "safe-to-deploy" -[[exemptions.quinn-udp]] -version = "0.5.4" -criteria = "safe-to-deploy" - -[[exemptions.quote]] -version = "1.0.36" -criteria = "safe-to-deploy" - [[exemptions.radium]] version = "0.7.0" criteria = "safe-to-deploy" @@ -1798,38 +1505,14 @@ criteria = "safe-to-run" version = "0.8.5" criteria = "safe-to-deploy" -[[exemptions.rand_chacha]] -version = "0.2.2" -criteria = "safe-to-run" - -[[exemptions.rand_chacha]] -version = "0.3.1" -criteria = "safe-to-deploy" - [[exemptions.rand_core]] version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.rand_core]] -version = "0.6.4" -criteria = "safe-to-deploy" - -[[exemptions.rand_hc]] -version = "0.2.0" -criteria = "safe-to-run" - [[exemptions.raw-cpuid]] version = "11.2.0" criteria = "safe-to-deploy" -[[exemptions.rayon]] -version = "1.10.0" -criteria = "safe-to-deploy" - -[[exemptions.rayon-core]] -version = "1.12.1" -criteria = "safe-to-deploy" - [[exemptions.rcgen]] version = "0.11.3" criteria = "safe-to-deploy" @@ -1922,18 +1605,6 @@ criteria = "safe-to-deploy" version = "0.20.0" criteria = "safe-to-deploy" -[[exemptions.rustc-demangle]] -version = "0.1.24" -criteria = "safe-to-deploy" - -[[exemptions.rustc-hash]] -version = "1.1.0" -criteria = "safe-to-deploy" - -[[exemptions.rustc-hash]] -version = "2.0.0" -criteria = "safe-to-deploy" - [[exemptions.rustc-hex]] version = "2.1.0" criteria = "safe-to-deploy" @@ -1990,10 +1661,6 @@ criteria = "safe-to-deploy" version = "0.102.7" criteria = "safe-to-deploy" -[[exemptions.rustversion]] -version = "1.0.17" -criteria = "safe-to-deploy" - [[exemptions.rw-stream-sink]] version = "0.4.0" criteria = "safe-to-deploy" @@ -2058,18 +1725,10 @@ criteria = "safe-to-deploy" version = "0.7.0" criteria = "safe-to-deploy" -[[exemptions.serde]] -version = "1.0.203" -criteria = "safe-to-deploy" - [[exemptions.serde_bytes]] version = "0.11.15" criteria = "safe-to-deploy" -[[exemptions.serde_derive]] -version = "1.0.203" -criteria = "safe-to-deploy" - [[exemptions.serde_dynamo]] version = "4.2.14" criteria = "safe-to-deploy" @@ -2114,10 +1773,6 @@ criteria = "safe-to-deploy" version = "0.6.1" criteria = "safe-to-deploy" -[[exemptions.sha1]] -version = "0.10.6" -criteria = "safe-to-deploy" - [[exemptions.sha1_smol]] version = "1.0.0" criteria = "safe-to-deploy" @@ -2126,26 +1781,14 @@ criteria = "safe-to-deploy" version = "0.9.9" criteria = "safe-to-deploy" -[[exemptions.sha2]] -version = "0.10.8" -criteria = "safe-to-deploy" - [[exemptions.sha2-asm]] version = "0.6.4" criteria = "safe-to-deploy" -[[exemptions.sha3]] -version = "0.10.8" -criteria = "safe-to-deploy" - [[exemptions.sharded-slab]] version = "0.1.7" criteria = "safe-to-deploy" -[[exemptions.shlex]] -version = "1.3.0" -criteria = "safe-to-deploy" - [[exemptions.signal-hook-registry]] version = "1.4.2" criteria = "safe-to-deploy" @@ -2238,10 +1881,6 @@ criteria = "safe-to-deploy" version = "0.2.17" criteria = "safe-to-deploy" -[[exemptions.static_assertions]] -version = "1.1.0" -criteria = "safe-to-deploy" - [[exemptions.stdweb]] version = "0.4.20" criteria = "safe-to-deploy" @@ -2262,22 +1901,6 @@ criteria = "safe-to-deploy" version = "0.1.4" criteria = "safe-to-deploy" -[[exemptions.strsim]] -version = "0.11.1" -criteria = "safe-to-deploy" - -[[exemptions.strum]] -version = "0.26.3" -criteria = "safe-to-deploy" - -[[exemptions.strum_macros]] -version = "0.26.4" -criteria = "safe-to-deploy" - -[[exemptions.subtle]] -version = "2.5.0" -criteria = "safe-to-deploy" - [[exemptions.syn]] version = "1.0.109" criteria = "safe-to-deploy" @@ -2294,10 +1917,6 @@ criteria = "safe-to-deploy" version = "1.0.1" criteria = "safe-to-deploy" -[[exemptions.synstructure]] -version = "0.13.1" -criteria = "safe-to-deploy" - [[exemptions.system-configuration]] version = "0.5.1" criteria = "safe-to-deploy" @@ -2310,10 +1929,6 @@ criteria = "safe-to-deploy" version = "6.2.2" criteria = "safe-to-deploy" -[[exemptions.tap]] -version = "1.0.1" -criteria = "safe-to-deploy" - [[exemptions.target-lexicon]] version = "0.12.16" criteria = "safe-to-deploy" @@ -2342,14 +1957,6 @@ criteria = "safe-to-run" version = "3.3.1" criteria = "safe-to-run" -[[exemptions.test-log]] -version = "0.2.16" -criteria = "safe-to-run" - -[[exemptions.test-log-macros]] -version = "0.2.16" -criteria = "safe-to-run" - [[exemptions.thiserror]] version = "1.0.61" criteria = "safe-to-deploy" @@ -2386,18 +1993,10 @@ criteria = "safe-to-deploy" version = "0.3.36" criteria = "safe-to-deploy" -[[exemptions.time-core]] -version = "0.1.2" -criteria = "safe-to-deploy" - [[exemptions.time-macros]] version = "0.1.1" criteria = "safe-to-deploy" -[[exemptions.time-macros]] -version = "0.2.18" -criteria = "safe-to-deploy" - [[exemptions.time-macros-impl]] version = "0.1.2" criteria = "safe-to-deploy" @@ -2406,10 +2005,6 @@ criteria = "safe-to-deploy" version = "2.0.2" criteria = "safe-to-deploy" -[[exemptions.tinyvec]] -version = "1.6.0" -criteria = "safe-to-deploy" - [[exemptions.tinyvec_macros]] version = "0.1.1" criteria = "safe-to-deploy" @@ -2426,10 +2021,6 @@ criteria = "safe-to-deploy" version = "2.4.0" criteria = "safe-to-deploy" -[[exemptions.tokio-native-tls]] -version = "0.3.1" -criteria = "safe-to-deploy" - [[exemptions.tokio-rustls]] version = "0.24.1" criteria = "safe-to-deploy" @@ -2542,18 +2133,6 @@ criteria = "safe-to-deploy" version = "2.7.0" criteria = "safe-to-deploy" -[[exemptions.unicode-bidi]] -version = "0.3.15" -criteria = "safe-to-deploy" - -[[exemptions.unicode-ident]] -version = "1.0.12" -criteria = "safe-to-deploy" - -[[exemptions.unicode-normalization]] -version = "0.1.23" -criteria = "safe-to-deploy" - [[exemptions.unicode-segmentation]] version = "1.12.0" criteria = "safe-to-deploy" @@ -2574,18 +2153,10 @@ criteria = "safe-to-deploy" version = "0.8.0" criteria = "safe-to-deploy" -[[exemptions.untrusted]] -version = "0.7.1" -criteria = "safe-to-deploy" - [[exemptions.untrusted]] version = "0.9.0" criteria = "safe-to-deploy" -[[exemptions.url]] -version = "2.5.0" -criteria = "safe-to-deploy" - [[exemptions.urlencoding]] version = "2.1.3" criteria = "safe-to-deploy" @@ -2594,10 +2165,6 @@ criteria = "safe-to-deploy" version = "0.7.6" criteria = "safe-to-deploy" -[[exemptions.utf8parse]] -version = "0.2.1" -criteria = "safe-to-deploy" - [[exemptions.utoipa]] version = "4.2.3" criteria = "safe-to-deploy" @@ -2610,26 +2177,10 @@ criteria = "safe-to-deploy" version = "1.8.0" criteria = "safe-to-deploy" -[[exemptions.valuable]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.vcpkg]] -version = "0.2.15" -criteria = "safe-to-deploy" - [[exemptions.version-compare]] version = "0.2.0" criteria = "safe-to-deploy" -[[exemptions.version_check]] -version = "0.9.4" -criteria = "safe-to-deploy" - -[[exemptions.void]] -version = "1.0.2" -criteria = "safe-to-deploy" - [[exemptions.vsimd]] version = "0.8.0" criteria = "safe-to-deploy" @@ -2894,14 +2445,6 @@ criteria = "safe-to-deploy" version = "0.7.34" criteria = "safe-to-deploy" -[[exemptions.zeroize]] -version = "1.8.1" -criteria = "safe-to-deploy" - -[[exemptions.zeroize_derive]] -version = "1.4.2" -criteria = "safe-to-deploy" - [[exemptions.zeromq-src]] version = "0.2.6+4.3.4" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 0c397a404..ccdc61632 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,2 +1,1516 @@ # cargo-vet imports lock + +[[publisher.bumpalo]] +version = "3.16.0" +when = "2024-04-08" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + +[[publisher.cexpr]] +version = "0.6.0" +when = "2021-10-11" +user-id = 3788 +user-login = "emilio" +user-name = "Emilio Cobos Álvarez" + +[[publisher.cfg-expr]] +version = "0.15.8" +when = "2024-04-10" +user-id = 52553 +user-login = "embark-studios" + +[[publisher.core-foundation]] +version = "0.9.3" +when = "2022-02-07" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.core-foundation-sys]] +version = "0.8.4" +when = "2023-04-03" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.encoding_rs]] +version = "0.8.34" +when = "2024-04-10" +user-id = 4484 +user-login = "hsivonen" +user-name = "Henri Sivonen" + +[[publisher.unicode-normalization]] +version = "0.1.23" +when = "2024-02-20" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[audits.bytecodealliance.wildcard-audits.bumpalo]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2019-03-16" +end = "2025-07-30" + +[[audits.bytecodealliance.audits.adler]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.2" +notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." + +[[audits.bytecodealliance.audits.base64]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." + +[[audits.bytecodealliance.audits.base64]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.22.1" + +[[audits.bytecodealliance.audits.cfg-if]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." + +[[audits.bytecodealliance.audits.cipher]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.4.4" +notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads." + +[[audits.bytecodealliance.audits.core-foundation-sys]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.8.4 -> 0.8.6" +notes = """ +The changes here are all typical bindings updates: new functions, types, and +constants. I have not audited all the bindings for ABI conformance. +""" + +[[audits.bytecodealliance.audits.crypto-common]] +who = "Benjamin Bouvier " +criteria = "safe-to-deploy" +version = "0.1.3" + +[[audits.bytecodealliance.audits.digest]] +who = "Benjamin Bouvier " +criteria = "safe-to-deploy" +delta = "0.9.0 -> 0.10.3" + +[[audits.bytecodealliance.audits.displaydoc]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" + +[[audits.bytecodealliance.audits.fastrand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +notes = """ +This update had a few doc updates but no otherwise-substantial source code +updates. +""" + +[[audits.bytecodealliance.audits.foldhash]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +Only a minor amount of `unsafe` code in this crate related to global per-process +initialization which looks correct to me. +""" + +[[audits.bytecodealliance.audits.foreign-types]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.2" +notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well." + +[[audits.bytecodealliance.audits.foreign-types-shared]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.1" + +[[audits.bytecodealliance.audits.hashbrown]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "0.14.5 -> 0.15.2" + +[[audits.bytecodealliance.audits.heck]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.5.0" +notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected." + +[[audits.bytecodealliance.audits.http-body]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "1.0.0-rc.2" + +[[audits.bytecodealliance.audits.http-body]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.0-rc.2 -> 1.0.0" +notes = "Only minor changes made for a stable release." + +[[audits.bytecodealliance.audits.iana-time-zone-haiku]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.1.2" + +[[audits.bytecodealliance.audits.idna]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.3.0" +notes = """ +This is a crate without unsafe code or usage of the standard library. The large +size of this crate comes from the large generated unicode tables file. This +crate is broadly used throughout the ecosystem and does not contain anything +suspicious. +""" + +[[audits.bytecodealliance.audits.inout]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads." + +[[audits.bytecodealliance.audits.itertools]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +delta = "0.10.5 -> 0.12.1" +notes = """ +Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it +says on the tin: lots of iterators. +""" + +[[audits.bytecodealliance.audits.matchers]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecodealliance.audits.native-tls]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.11" +notes = "build is only looking for environment variables to set cfg. only two minor uses of unsafe,on macos, with ffi bindings to digest primitives and libc atexit. otherwise, this is an abstraction over three very complex systems (schannel, security-framework, and openssl) which may end up having subtle differences, but none of those are apparent from the implementation of this crate" + +[[audits.bytecodealliance.audits.nu-ansi-term]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.46.0" +notes = "one use of unsafe to call windows specific api to get console handle." + +[[audits.bytecodealliance.audits.num-traits]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.2.19" +notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." + +[[audits.bytecodealliance.audits.openssl-macros]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecodealliance.audits.openssl-probe]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.5" +notes = "IO is only checking for the existence of paths in the filesystem" + +[[audits.bytecodealliance.audits.overload]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "small crate, only defines macro-rules!, nicely documented as well" + +[[audits.bytecodealliance.audits.peeking_take_while]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." + +[[audits.bytecodealliance.audits.percent-encoding]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.2.0" +notes = """ +This crate is a single-file crate that does what it says on the tin. There are +a few `unsafe` blocks related to utf-8 validation which are locally verifiable +as correct and otherwise this crate is good to go. +""" + +[[audits.bytecodealliance.audits.pin-project-lite]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.14" +notes = "No substantive changes in this update" + +[[audits.bytecodealliance.audits.pin-utils]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecodealliance.audits.rustc-demangle]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.21" +notes = "I am the author of this crate." + +[[audits.bytecodealliance.audits.rustc-demangle]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.1.21 -> 0.1.24" + +[[audits.bytecodealliance.audits.rustc-hash]] +who = "Trevor Elliott " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 2.0.0" +notes = "Chris Fallin reviewed this update with me, and we didn't find anything surprising. We did verify that the new constants did originate in the paper referenced." + +[[audits.bytecodealliance.audits.sha1]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.10.5 -> 0.10.6" +notes = "Only new code is some loongarch64 additions which include assembly code for that platform." + +[[audits.bytecodealliance.audits.shlex]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin." + +[[audits.bytecodealliance.audits.static_assertions]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure." + +[[audits.bytecodealliance.audits.test-log]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.11" + +[[audits.bytecodealliance.audits.test-log]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.2.11 -> 0.2.16" +notes = "Crate implementation was moved to a `*-macros` crate, crate is very small as a result." + +[[audits.bytecodealliance.audits.test-log-macros]] +who = "Alex Crichton " +criteria = "safe-to-run" +version = "0.2.16" +notes = "Simple procedural macro copied from its previous source." + +[[audits.bytecodealliance.audits.tinyvec]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.6.0" +notes = """ +This crate, while it implements collections, does so without `std::*` APIs and +without `unsafe`. Skimming the crate everything looks reasonable and what one +would expect from idiomatic safe collections in Rust. +""" + +[[audits.bytecodealliance.audits.tokio-native-tls]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.1" +notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly." + +[[audits.bytecodealliance.audits.unicode-bidi]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.3.8" +notes = """ +This crate has no unsafe code and does not use `std::*`. Skimming the crate it +does not attempt to out of the bounds of what it's already supposed to be doing. +""" + +[[audits.bytecodealliance.audits.vcpkg]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." + +[[audits.embark.wildcard-audits.cfg-expr]] +who = "Jake Shadle " +criteria = "safe-to-deploy" +user-id = 52553 # embark-studios +start = "2020-01-01" +end = "2024-05-23" +notes = "Maintained by Embark. No unsafe usage or ambient capabilities" + +[[audits.embark.audits.assert-json-diff]] +who = "Johan Andersson " +criteria = "safe-to-run" +version = "2.0.2" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark.audits.ident_case]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark.audits.idna]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.4.0" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark.audits.multibase]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.9.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark.audits.nohash-hasher]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.2.0" +notes = "Tiny crate with no dependencies, no unsafe, and no ambient capabilities" + +[[audits.embark.audits.tap]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark.audits.utf8parse]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.2.1" +notes = "Single unsafe usage that looks sound, no ambient capabilities" + +[[audits.embark.audits.valuable]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.1.0" +notes = "No unsafe usage or ambient capabilities, sane build script" + +[[audits.google.audits.async-stream]] +who = "Tyler Mandry " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "Reviewed on https://fxrev.dev/761470" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.async-stream]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.3.4 -> 0.3.5" +notes = "Reviewed on https://fxrev.dev/906795" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.async-stream-impl]] +who = "Tyler Mandry " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "Reviewed on https://fxrev.dev/761470" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.async-stream-impl]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.3.4 -> 0.3.5" +notes = "Reviewed on https://fxrev.dev/906795" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.base64]] +who = "Adam Langley " +criteria = "safe-to-deploy" +version = "0.13.1" +notes = "Skimmed the uses of `std` to ensure that nothing untoward is happening. Code uses `forbid(unsafe_code)` and, indeed, there are no uses of `unsafe`" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.3.2" +notes = """ +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +The crate exposes a function marked as `unsafe`, but doesn't use any +`unsafe` blocks (except for tests of the single `unsafe` function). I +think this justifies marking this crate as `ub-risk-1`. + +Additional review comments can be found at https://crrev.com/c/4723145/31 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "2.4.2" +notes = """ +Audit notes: + +* I've checked for any discussion in Google-internal cl/546819168 (where audit + of version 2.3.3 happened) +* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` +* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be + correct in a straightforward way - they just propagate the marker trait's + impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type +* Additional discussion and/or notes may be found in https://crrev.com/c/5238056 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "2.4.2 -> 2.5.0" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.byteorder]] +who = "danakj " +criteria = "safe-to-deploy" +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.dirs-next]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "2.0.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.fastrand]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.9.0" +notes = """ +`does-not-implement-crypto` is certified because this crate explicitly says +that the RNG here is not cryptographically secure. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.glob]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.3.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.heck]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.4.1" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits. + +`heck` (version `0.3.3`) has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.httpdate]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.itoa]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.10" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +There are a few places where `unsafe` is used. Unsafe review notes can be found +in https://crrev.com/c/5350697. + +Version 1.0.1 of this crate has been added to Chromium in +https://crrev.com/c/3321896. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.itoa]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.10 -> 1.0.11" +notes = """ +Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: + +* Bumping up the version +* A touch up of comments +* And my own PR to make `unsafe` blocks more granular: + https://github.com/dtolnay/itoa/pull/42 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.lazy_static]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +There are two places where `unsafe` is used. Unsafe review notes can be found +in https://crrev.com/c/5347418. + +This crate has been added to Chromium in https://crrev.com/c/3321895. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.match_cfg]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.nom]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "7.1.3" +notes = """ +Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.normalize-line-endings]] +who = "Max Lee " +criteria = "safe-to-run" +version = "0.3.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.openssl-macros]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.2.9" +notes = "Reviewed on https://fxrev.dev/824504" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro-error-attr]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.78" +notes = """ +Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits +(except for a benign \"fs\" hit in a doc comment) + +Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.78 -> 1.0.79" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.79 -> 1.0.80" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.80 -> 1.0.81" +notes = "Comment changes only" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.81 -> 1.0.82" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.82 -> 1.0.83" +notes = "Substantive change is replacing String with Box, saving memory." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.quote]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.35" +notes = """ +Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits +(except for benign \"net\" hit in tests and \"fs\" hit in README.md) +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.quote]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.35 -> 1.0.36" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rand_chacha]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.3.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.14" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits except for: + +* Using trivially-safe `unsafe` in test code: + + ``` + tests/test_const.rs:unsafe fn _unsafe() {} + tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() }; + ``` + +* Using `unsafe` in a string: + + ``` + src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe, + ``` + +* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` + which is later read back via `include!` used in `src/lib.rs`. + +Version `1.0.6` of this crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.14 -> 1.0.15" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.15 -> 1.0.16" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.16 -> 1.0.17" +notes = "Just updates windows compat" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.197" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. + +There were some hits for `net`, but they were related to serialization and +not actually opening any connections or anything like that. + +There were 2 hits of `unsafe` when grepping: +* In `fn as_str` in `impl Buf` +* In `fn serialize` in `impl Serialize for net::Ipv4Addr` + +Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this +review also covered `serde_json_lenient`). + +Version 1.0.130 of the crate has been added to Chromium in +https://crrev.com/c/3265545. The CL description contains a link to a +(Google-internal, sorry) document with a mini security review. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.197 -> 1.0.198" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.198 -> 1.0.201" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.201 -> 1.0.202" +notes = "Trivial changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.202 -> 1.0.203" +notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.197" +notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.197 -> 1.0.201" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.201 -> 1.0.202" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.202 -> 1.0.203" +notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.sha1]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.10.5" +notes = "Reviewed on https://fxrev.dev/712371." +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strsim]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.10.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strum]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strum_macros]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.3" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-ident]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.12" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +All two functions from the public API of this crate use `unsafe` to avoid bound +checks for an array access. Cross-module analysis shows that the offsets can +be statically proven to be within array bounds. More details can be found in +the unsafe review CL at https://crrev.com/c/5350386. + +This crate has been added to Chromium in https://crrev.com/c/3891618. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.version_check]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.9.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.void]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.isrg.audits.base64]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.21.0 -> 0.21.1" + +[[audits.isrg.audits.base64]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.21.1 -> 0.21.2" + +[[audits.isrg.audits.base64]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.21.2 -> 0.21.3" + +[[audits.isrg.audits.block-buffer]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.9.0" + +[[audits.isrg.audits.crunchy]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.2.2" + +[[audits.isrg.audits.digest]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.10.6 -> 0.10.7" + +[[audits.isrg.audits.fiat-crypto]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.1.17" +notes = """ +This crate does not contain any unsafe code, and does not use any items from +the standard library or other crates, aside from operations backed by +`std::ops`. All paths with array indexing use integer literals for indexes, so +there are no panics due to indexes out of bounds (as rustc would catch an +out-of-bounds literal index). I did not check whether arithmetic overflows +could cause a panic, and I am relying on the Coq code having satisfied the +necessary preconditions to ensure panics due to overflows are unreachable. +""" + +[[audits.isrg.audits.fiat-crypto]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.1.17 -> 0.1.18" + +[[audits.isrg.audits.fiat-crypto]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.1.18 -> 0.1.19" +notes = """ +This release renames many items and adds a new module. The code in the new +module is entirely composed of arithmetic and array accesses. +""" + +[[audits.isrg.audits.fiat-crypto]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.1.19 -> 0.1.20" + +[[audits.isrg.audits.fiat-crypto]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.1.20 -> 0.2.0" + +[[audits.isrg.audits.fiat-crypto]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.1" + +[[audits.isrg.audits.fiat-crypto]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.2.1 -> 0.2.2" +notes = "No changes to `unsafe` code, or any functional changes that I can detect at all." + +[[audits.isrg.audits.fiat-crypto]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.4" + +[[audits.isrg.audits.fiat-crypto]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" + +[[audits.isrg.audits.fiat-crypto]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.2.5 -> 0.2.6" + +[[audits.isrg.audits.fiat-crypto]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.2.6 -> 0.2.7" + +[[audits.isrg.audits.fiat-crypto]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.7 -> 0.2.8" + +[[audits.isrg.audits.fiat-crypto]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.2.8 -> 0.2.9" +notes = "No changes to Rust code between 0.2.8 and 0.2.9" + +[[audits.isrg.audits.hmac]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.12.1" + +[[audits.isrg.audits.num-integer]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.1.45 -> 0.1.46" + +[[audits.isrg.audits.rand_chacha]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.3.1" + +[[audits.isrg.audits.rand_chacha]] +who = "David Cook " +criteria = "safe-to-run" +delta = "0.3.0 -> 0.2.2" + +[[audits.isrg.audits.rand_core]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.6.3" + +[[audits.isrg.audits.rand_hc]] +who = "David Cook " +criteria = "safe-to-run" +version = "0.2.0" + +[[audits.isrg.audits.rayon]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" + +[[audits.isrg.audits.rayon]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.isrg.audits.rayon]] +who = "Ameer Ghani " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.8.1" + +[[audits.isrg.audits.rayon]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.9.0" + +[[audits.isrg.audits.rayon]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 1.10.0" + +[[audits.isrg.audits.rayon-core]] +who = "Ameer Ghani " +criteria = "safe-to-deploy" +version = "1.12.1" + +[[audits.isrg.audits.sha2]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.10.2" + +[[audits.isrg.audits.sha3]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.10.6" + +[[audits.isrg.audits.sha3]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.10.6 -> 0.10.7" + +[[audits.isrg.audits.sha3]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.10.7 -> 0.10.8" + +[[audits.isrg.audits.untrusted]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.7.1" + +[[audits.mozilla.wildcard-audits.cexpr]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +user-id = 3788 # Emilio Cobos Álvarez (emilio) +start = "2021-06-21" +end = "2024-04-21" +notes = "No unsafe code, rather straight-forward parser." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.core-foundation]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +user-id = 5946 # Jeff Muizelaar (jrmuizel) +start = "2019-03-29" +end = "2023-05-04" +renew = false +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.core-foundation-sys]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +user-id = 5946 # Jeff Muizelaar (jrmuizel) +start = "2020-10-14" +end = "2023-05-04" +renew = false +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.encoding_rs]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +user-id = 4484 # Henri Sivonen (hsivonen) +start = "2019-02-26" +end = "2025-10-23" +notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.unicode-normalization]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-11-06" +end = "2024-05-03" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.allocator-api2]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.2.18" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.1.2" +notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.2 -> 0.1.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.5" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bindgen]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +version = "0.59.2" +notes = "I'm the primary author and maintainer of the crate." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bindgen]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.59.2 -> 0.63.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bindgen]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.63.0 -> 0.64.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.core-foundation]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.9.3 -> 0.9.4" +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.crypto-common]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.deranged]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.3.11" +notes = """ +This crate contains a decent bit of `unsafe` code, however all internal +unsafety is verified with copious assertions (many are compile-time), and +otherwise the unsafety is documented and left to the caller to verify. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.digest]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.3 -> 0.10.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.displaydoc]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +version = "0.2.3" +notes = """ +This crate is convenient macros to implement core::fmt::Display trait. +Although `unsafe` is used for test code to call `libc::abort()`, it has no `unsafe` code in this crate. And there is no file access. +It meets the criteria for safe-to-deploy. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.displaydoc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.3 -> 0.2.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 2.0.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "2.0.1 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fnv]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.7" +notes = "Simple hasher implementation with no unsafe code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.form_urlencoded]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +version = "1.2.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.form_urlencoded]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "1.2.0 -> 1.2.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hashbrown]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.12.3" +notes = "This version is used in rust's libstd, so effectively we're already trusting it" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.headers-core]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "0.2.0" +notes = "Trivial crate, no unsafe code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hex]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "0.4.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.idna]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.5.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.linked-hash-map]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.4" +notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.linked-hash-map]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.5.4 -> 0.5.6" +notes = "New unsafe code has debug assertions and meets invariants. All other changes are formatting-related." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-conv]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.0" +notes = """ +Very straightforward, simple crate. No dependencies, unsafe, extern, +side-effectful std functions, etc. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-integer]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.1.45" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.peeking_take_while]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 0.1.2" +notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.2.0 -> 2.3.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.3.0 -> 2.3.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.powerfmt]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.2.0" +notes = """ +A tiny bit of unsafe code to implement functionality that isn't in stable rust +yet, but it's all valid. Otherwise it's a pretty simple crate. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.quinn-udp]] +who = "Max Inden " +criteria = "safe-to-deploy" +version = "0.5.4" +notes = "This is a small crate, providing safe wrappers around various low-level networking specific operating system features. Given that the Rust standard library does not provide safe wrappers for these low-level features, safe wrappers need to be build in the crate itself, i.e. `quinn-udp`, thus requiring `unsafe` code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rand_core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.6.3 -> 0.6.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.5.3" +notes = "All code written or reviewed by Josh Stone or Niko Matsakis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.5.3 -> 1.6.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rustc-hash]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "Straightforward crate with no unsafe code, does what it says on the tin." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.sha2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.2 -> 0.10.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.sha2]] +who = "Jeff Muizelaar " +criteria = "safe-to-deploy" +delta = "0.10.6 -> 0.10.8" +notes = """ +The bulk of this is https://github.com/RustCrypto/hashes/pull/490 which adds aarch64 support along with another PR adding longson. +I didn't check the implementation thoroughly but there wasn't anything obviously nefarious. 0.10.8 has been out for more than a year +which suggests no one else has found anything either. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.shlex]] +who = "Max Inden " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 1.3.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strsim]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.11.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strum]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.26.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strum_macros]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.3 -> 0.26.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.subtle]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "2.5.0" +notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "0.12.6" +notes = """ +I am the primary author of the `synstructure` crate, and its current +maintainer. The one use of `unsafe` is unnecessary, but documented and +harmless. It will be removed in the next version. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.12.6 -> 0.13.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.13.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-core]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +version = "0.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-core]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-core]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.1.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-macros]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +version = "0.2.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-macros]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +delta = "0.2.6 -> 0.2.10" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-macros]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.2.10 -> 0.2.18" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.unicode-bidi]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.13" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.unicode-bidi]] +who = "Jonathan Kew " +criteria = "safe-to-deploy" +delta = "0.3.13 -> 0.3.14" +notes = "I am the author of the bulk of the upstream changes in this version, and also checked the remaining post-0.3.13 changes." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.unicode-bidi]] +who = "Jonathan Kew " +criteria = "safe-to-deploy" +delta = "0.3.14 -> 0.3.15" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +version = "2.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.4.1 -> 2.5.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zeroize]] +who = "Benjamin Beurdouche " +criteria = "safe-to-deploy" +version = "1.8.1" +notes = """ +This code DOES contain unsafe code required to internally call volatiles +for deleting data. This is expected and documented behavior. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zeroize_derive]] +who = "Benjamin Beurdouche " +criteria = "safe-to-deploy" +version = "1.4.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"