From f0407963f7b31a788cfc583cfaf019218a9b6de4 Mon Sep 17 00:00:00 2001
From: Johan Andersson
Date: Tue, 5 Sep 2023 11:37:33 +0200
Subject: [PATCH] Update audit imports & exemptions (#559)

And require cargo-vet v0.8
---
 supply-chain/audits.toml | 2 +-
 supply-chain/config.toml | 750 ++++++++++++++++------
 supply-chain/imports.lock | 1234 +++++++++++++++++++------------------
 3 files changed, 1185 insertions(+), 801 deletions(-)

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 1b227d804..62ff2c891 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -167,7 +167,7 @@ end = "2024-06-05"
 
 [[trusted.libz-sys]]
 criteria = "safe-to-deploy"
-user-id = 4333 # Josh Triplett (joshtriplett)
+user-id = 4333
 start = "2020-08-14"
 end = "2024-06-07"
 
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 94b6e3bd0..930b50715 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -2,7 +2,7 @@ # cargo-vet config file
 [cargo-vet]
-version = "0.7"
+version = "0.8"
 
 [imports.embark]
 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
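Review bot: Dropping the `# Josh Triplett (joshtriplett)` annotation from `user-id = 4333` in `[[trusted.libz-sys]]` leaves the entry readable only by looking the numeric crates.io id up elsewhere, and a trusted-publisher entry is a standing grant (every libz-sys version that user publishes between `start` and `end` passes `safe-to-deploy` with no audit), so it is the one record in this file a reviewer most wants to be self-explanatory. If the rewrite for cargo-vet 0.8 is what stripped the comment, the same identification can live in the entry's `notes` field, e.g. `notes = "crates.io user 4333 is joshtriplett (Josh Triplett)"`; the imported embark entries in imports.lock keep their `user-id = 52553 # embark-studios` trailing comments in this same commit, so a comment evidently survives as well. The `[[publisher.libz-sys]]` record for the same user is removed from imports.lock here, which suggests libz-sys has left the dependency graph; if so, consider retiring the trusted entry rather than leaving it as a dormant grant.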
@@ -56,88 +56,88 @@ notes = "Not used, web WASM-only" criteria = [] notes = "Not used, web WASM-only" -[[exemptions.adler]] -version = "1.0.2" +[[exemptions.addr2line]] +version = "0.17.0" +criteria = "safe-to-deploy" + +[[exemptions.ahash]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.anstyle-query]] +version = "1.0.0" +criteria = "safe-to-deploy" + +[[exemptions.anyhow]] +version = "1.0.75" +criteria = "safe-to-deploy" + +[[exemptions.arc-swap]] +version = "1.6.0" criteria = "safe-to-deploy" [[exemptions.arrayvec]] -version = "0.5.2" +version = "0.7.4" criteria = "safe-to-deploy" [[exemptions.askalono]] version = "0.4.6" criteria = "safe-to-deploy" -[[exemptions.base16ct]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.base64]] -version = "0.13.0" +[[exemptions.async-compression]] +version = "0.4.2" criteria = "safe-to-deploy" -[[exemptions.base64ct]] -version = "1.6.0" +[[exemptions.backtrace]] +version = "0.3.69" criteria = "safe-to-deploy" [[exemptions.bitflags]] version = "1.3.2" criteria = "safe-to-deploy" -[[exemptions.bitmaps]] -version = "2.1.0" +[[exemptions.bitflags]] +version = "2.4.0" criteria = "safe-to-deploy" [[exemptions.bitvec]] version = "1.0.1" criteria = "safe-to-deploy" -[[exemptions.bytesize]] -version = "1.2.0" +[[exemptions.btoi]] +version = "0.4.3" criteria = "safe-to-deploy" -[[exemptions.cargo]] -version = "0.69.1" +[[exemptions.camino]] +version = "1.1.6" criteria = "safe-to-deploy" [[exemptions.cargo-lock]] -version = "8.0.3" +version = "9.0.0" criteria = "safe-to-deploy" -[[exemptions.cargo-util]] -version = "0.2.3" +[[exemptions.cargo-platform]] +version = "0.1.3" criteria = "safe-to-deploy" [[exemptions.cc]] -version = "1.0.79" -criteria = "safe-to-deploy" - -[[exemptions.codespan]] -version = "0.11.1" -criteria = "safe-to-deploy" - -[[exemptions.combine]] -version = "4.6.6" +version = "1.0.83" criteria = "safe-to-deploy" -[[exemptions.commoncrypto]] -version = "0.2.0" +[[exemptions.clru]] 
+version = "0.6.1" criteria = "safe-to-deploy" -[[exemptions.commoncrypto-sys]] -version = "0.2.0" +[[exemptions.codespan]] +version = "0.11.1" criteria = "safe-to-deploy" -[[exemptions.const-oid]] -version = "0.9.2" -criteria = "safe-to-deploy" +[[exemptions.console]] +version = "0.15.7" +criteria = "safe-to-run" [[exemptions.cpufeatures]] -version = "0.2.2" -criteria = "safe-to-deploy" - -[[exemptions.crates-io]] -version = "0.35.1" +version = "0.2.9" criteria = "safe-to-deploy" [[exemptions.crc32fast]] 
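Review bot: Several of the new `[[exemptions.*]]` entries replace crates that previously carried an imported audit instead of extending that audit: `anyhow` is added as a `safe-to-deploy` exemption at 1.0.75 while the embark audit for anyhow 1.0.58 disappears from imports.lock, and the later hunk that adds the `thiserror`, `thiserror-impl` and `strum` exemptions does the same for crates that were audited at 1.0.40 and 0.24.1 respectively. An exemption is an unaudited pass for exactly the named version, so review coverage regresses for those crates; a delta audit from the audited version in audits.toml (`delta = "1.0.58 -> 1.0.75"`, the form the imported `cargo_metadata` entries use) would keep the audit chain intact and is normally a small diff to read. For the rest of the newly exempted crates it would help to record why the exemption exists on the entry itself (`notes = "..."`), and if the bulk of these were produced by `cargo vet regenerate exemptions`, as I assume from their uniform shape, the commit message should say so.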
@@ -164,60 +164,48 @@ criteria = "safe-to-deploy" version = "0.8.8" criteria = "safe-to-deploy" -[[exemptions.crypto-bigint]] -version = "0.5.1" -criteria = "safe-to-deploy" - -[[exemptions.crypto-hash]] -version = "0.3.4" -criteria = "safe-to-deploy" - -[[exemptions.ct-codecs]] -version = "1.1.1" -criteria = "safe-to-deploy" - -[[exemptions.curl]] -version = "0.4.44" -criteria = "safe-to-deploy" - [[exemptions.cvss]] version = "2.0.0" criteria = "safe-to-deploy" -[[exemptions.der]] -version = "0.7.1" +[[exemptions.deranged]] +version = "0.3.8" criteria = "safe-to-deploy" [[exemptions.digest]] version = "0.9.0" criteria = "safe-to-deploy" -[[exemptions.ecdsa]] -version = "0.16.2" -criteria = "safe-to-deploy" - -[[exemptions.ed25519-compact]] -version = "2.0.4" +[[exemptions.dunce]] +version = "1.0.4" criteria = "safe-to-deploy" -[[exemptions.elliptic-curve]] -version = "0.13.2" +[[exemptions.either]] +version = "1.9.0" criteria = "safe-to-deploy" [[exemptions.encode_unicode]] version = "0.3.6" criteria = "safe-to-run" -[[exemptions.env_logger]] -version = "0.9.0" +[[exemptions.equivalent]] +version = "1.0.1" criteria = "safe-to-deploy" -[[exemptions.fern]] -version = "0.6.2" +[[exemptions.errno]] +version = "0.3.3" criteria = "safe-to-deploy" -[[exemptions.ff]] -version = "0.12.0" +[[exemptions.faster-hex]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.fastrand]] +version = "2.0.0" +criteria = "safe-to-deploy" + +[[exemptions.fern]] +version = "0.6.2" criteria = "safe-to-deploy" [[exemptions.fixedbitset]] 
@@ -225,19 +213,35 @@ version = "0.4.2" criteria = "safe-to-deploy" [[exemptions.flate2]] -version = "1.0.24" +version = "1.0.27" +criteria = "safe-to-deploy" + +[[exemptions.form_urlencoded]] +version = "1.2.0" criteria = "safe-to-deploy" [[exemptions.fs-err]] version = "2.8.1" criteria = "safe-to-deploy" +[[exemptions.fs_extra]] +version = "1.3.0" +criteria = "safe-to-run" + [[exemptions.funty]] version = "2.0.0" criteria = "safe-to-deploy" -[[exemptions.fwdansi]] -version = "1.1.0" +[[exemptions.futures-macro]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.futures-task]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.futures-util]] +version = "0.3.21" criteria = "safe-to-deploy" [[exemptions.generic-array]] 
@@ -248,268 +252,536 @@ criteria = "safe-to-deploy" version = "0.2.6" criteria = "safe-to-deploy" -[[exemptions.group]] +[[exemptions.gimli]] +version = "0.26.1" +criteria = "safe-to-deploy" + +[[exemptions.gix]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-actor]] +version = "0.25.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-attributes]] +version = "0.17.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-bitmap]] +version = "0.2.7" +criteria = "safe-to-deploy" + +[[exemptions.gix-chunk]] +version = "0.4.4" +criteria = "safe-to-deploy" + +[[exemptions.gix-command]] +version = "0.2.9" +criteria = "safe-to-deploy" + +[[exemptions.gix-commitgraph]] +version = "0.19.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-config]] +version = "0.28.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-config-value]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-credentials]] +version = "0.18.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-date]] +version = "0.7.4" +criteria = "safe-to-deploy" + +[[exemptions.gix-diff]] +version = "0.34.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-discover]] +version = "0.23.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-features]] +version = "0.33.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-filter]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-fs]] +version = "0.5.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-glob]] +version = "0.11.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-hash]] version = "0.12.0" criteria = "safe-to-deploy" -[[exemptions.hermit-abi]] -version = "0.1.19" +[[exemptions.gix-hashtable]] +version = "0.3.0" criteria = "safe-to-deploy" -[[exemptions.hermit-abi]] -version = "0.3.1" +[[exemptions.gix-ignore]] +version = "0.6.0" criteria = "safe-to-deploy" -[[exemptions.hex]] -version = "0.3.2" +[[exemptions.gix-index]] +version = "0.22.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-lock]] +version = "8.0.0" 
+criteria = "safe-to-deploy" + +[[exemptions.gix-mailmap]] +version = "0.17.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-negotiate]] +version = "0.6.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-object]] +version = "0.35.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-odb]] +version = "0.51.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-pack]] +version = "0.41.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-packetline]] +version = "0.16.5" criteria = "safe-to-deploy" -[[exemptions.hkdf]] -version = "0.12.3" +[[exemptions.gix-packetline-blocking]] +version = "0.16.5" criteria = "safe-to-deploy" -[[exemptions.hmac]] -version = "0.12.1" +[[exemptions.gix-path]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-pathspec]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-prompt]] +version = "0.6.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-protocol]] +version = "0.38.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-quote]] +version = "0.4.7" +criteria = "safe-to-deploy" + +[[exemptions.gix-ref]] +version = "0.35.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-refspec]] +version = "0.16.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-revision]] +version = "0.20.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-revwalk]] +version = "0.6.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-sec]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-submodule]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-tempfile]] +version = "8.0.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-trace]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.gix-transport]] +version = "0.35.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-traverse]] +version = "0.31.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-url]] +version = "0.22.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-utils]] +version = "0.1.5" +criteria = "safe-to-deploy" + 
+[[exemptions.gix-validate]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-worktree]] +version = "0.24.0" +criteria = "safe-to-deploy" + +[[exemptions.gix-worktree-state]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.goblin]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.h2]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.hermit-abi]] +version = "0.3.2" criteria = "safe-to-deploy" [[exemptions.home]] -version = "0.5.4" +version = "0.5.5" +criteria = "safe-to-deploy" + +[[exemptions.http]] +version = "0.2.8" +criteria = "safe-to-deploy" + +[[exemptions.http-body]] +version = "0.4.5" +criteria = "safe-to-deploy" + +[[exemptions.httparse]] +version = "1.8.0" +criteria = "safe-to-deploy" + +[[exemptions.httpdate]] +version = "1.0.3" criteria = "safe-to-deploy" -[[exemptions.http-auth]] -version = "0.1.8" +[[exemptions.hyper]] +version = "0.14.25" criteria = "safe-to-deploy" -[[exemptions.humantime]] -version = "2.1.0" +[[exemptions.hyper-rustls]] +version = "0.24.1" criteria = "safe-to-deploy" -[[exemptions.im-rc]] -version = "15.1.0" +[[exemptions.imara-diff]] +version = "0.1.5" criteria = "safe-to-deploy" [[exemptions.indexmap]] version = "1.9.1" criteria = "safe-to-deploy" +[[exemptions.indexmap]] +version = "2.0.0" +criteria = "safe-to-deploy" + [[exemptions.insta]] -version = "1.29.0" +version = "1.31.0" criteria = "safe-to-run" -[[exemptions.instant]] -version = "0.1.12" +[[exemptions.io-close]] +version = "0.3.7" criteria = "safe-to-deploy" -[[exemptions.itertools]] -version = "0.10.5" +[[exemptions.ipnet]] +version = "2.5.0" criteria = "safe-to-deploy" -[[exemptions.lazycell]] -version = "1.3.0" +[[exemptions.jwalk]] +version = "0.8.1" criteria = "safe-to-deploy" [[exemptions.libc]] -version = "0.2.140" +version = "0.2.126" criteria = "safe-to-deploy" -[[exemptions.memoffset]] -version = "0.6.5" +[[exemptions.lock_api]] +version = "0.4.10" criteria = "safe-to-deploy" 
-[[exemptions.miniz_oxide]] -version = "0.5.3" +[[exemptions.log]] +version = "0.4.20" criteria = "safe-to-deploy" -[[exemptions.miow]] -version = "0.5.0" +[[exemptions.maybe-async]] +version = "0.2.7" criteria = "safe-to-deploy" -[[exemptions.nu-ansi-term]] -version = "0.47.0" +[[exemptions.memmap2]] +version = "0.7.1" criteria = "safe-to-deploy" -[[exemptions.once_cell]] -version = "1.15.0" +[[exemptions.memoffset]] +version = "0.6.5" criteria = "safe-to-deploy" -[[exemptions.opener]] -version = "0.5.2" +[[exemptions.mime]] +version = "0.3.17" criteria = "safe-to-deploy" -[[exemptions.openssl]] -version = "0.10.49" +[[exemptions.minimal-lexical]] +version = "0.2.1" criteria = "safe-to-deploy" -[[exemptions.openssl-macros]] -version = "0.1.1" +[[exemptions.mio]] +version = "0.8.2" criteria = "safe-to-deploy" -[[exemptions.openssl-sys]] -version = "0.9.84" +[[exemptions.nom]] +version = "7.1.1" criteria = "safe-to-deploy" -[[exemptions.ordered-float]] -version = "2.10.0" +[[exemptions.nu-ansi-term]] +version = "0.49.0" criteria = "safe-to-deploy" -[[exemptions.orion]] -version = "0.17.4" +[[exemptions.num_threads]] +version = "0.1.6" criteria = "safe-to-deploy" -[[exemptions.os_info]] -version = "3.7.0" +[[exemptions.object]] +version = "0.28.4" criteria = "safe-to-deploy" -[[exemptions.p384]] -version = "0.13.0" +[[exemptions.once_cell]] +version = "1.15.0" criteria = "safe-to-deploy" -[[exemptions.pasetors]] -version = "0.6.6" +[[exemptions.parking_lot]] +version = "0.11.2" criteria = "safe-to-deploy" -[[exemptions.pathdiff]] -version = "0.2.1" +[[exemptions.parking_lot_core]] +version = "0.9.8" criteria = "safe-to-deploy" -[[exemptions.pem-rfc7468]] -version = "0.7.0" +[[exemptions.percent-encoding]] +version = "2.3.0" criteria = "safe-to-deploy" [[exemptions.petgraph]] -version = "0.6.3" +version = "0.6.4" criteria = "safe-to-deploy" -[[exemptions.pkcs8]] -version = "0.10.1" +[[exemptions.pin-project-lite]] +version = "0.2.13" criteria = "safe-to-deploy" 
-[[exemptions.platforms]] -version = "3.0.2" +[[exemptions.pkg-config]] +version = "0.3.27" criteria = "safe-to-deploy" -[[exemptions.primeorder]] -version = "0.13.0" +[[exemptions.plain]] +version = "0.2.3" criteria = "safe-to-deploy" -[[exemptions.radium]] -version = "0.7.0" +[[exemptions.platforms]] +version = "3.1.2" criteria = "safe-to-deploy" -[[exemptions.rand_core]] -version = "0.6.4" +[[exemptions.prodash]] +version = "25.0.2" criteria = "safe-to-deploy" -[[exemptions.rand_xoshiro]] -version = "0.6.0" +[[exemptions.quote]] +version = "1.0.33" criteria = "safe-to-deploy" -[[exemptions.redox_syscall]] -version = "0.2.13" +[[exemptions.radium]] +version = "0.7.0" criteria = "safe-to-deploy" [[exemptions.redox_syscall]] version = "0.3.5" criteria = "safe-to-deploy" -[[exemptions.rfc6979]] -version = "0.4.0" +[[exemptions.reqwest]] +version = "0.11.20" +criteria = "safe-to-deploy" + +[[exemptions.ring]] +version = "0.16.20" criteria = "safe-to-deploy" [[exemptions.rmp]] -version = "0.8.11" +version = "0.8.12" criteria = "safe-to-deploy" [[exemptions.rmp-serde]] version = "0.14.4" criteria = "safe-to-deploy" -[[exemptions.rustfix]] -version = "0.6.1" +[[exemptions.rustls]] +version = "0.21.7" +criteria = "safe-to-deploy" + +[[exemptions.rustls-native-certs]] +version = "0.6.3" +criteria = "safe-to-deploy" + +[[exemptions.rustls-pemfile]] +version = "1.0.3" criteria = "safe-to-deploy" [[exemptions.rustsec]] -version = "0.26.5" +version = "0.28.0" criteria = "safe-to-deploy" [[exemptions.schannel]] -version = "0.1.21" +version = "0.1.22" criteria = "safe-to-deploy" -[[exemptions.sec1]] -version = "0.7.1" +[[exemptions.scroll]] +version = "0.10.2" criteria = "safe-to-deploy" -[[exemptions.serde-value]] -version = "0.7.0" +[[exemptions.scroll_derive]] +version = "0.10.5" criteria = "safe-to-deploy" -[[exemptions.sha2]] -version = "0.9.9" +[[exemptions.security-framework]] +version = "2.9.2" criteria = "safe-to-deploy" -[[exemptions.shell-escape]] -version = "0.1.5" 
+[[exemptions.security-framework-sys]] +version = "2.9.1" criteria = "safe-to-deploy" -[[exemptions.signature]] -version = "2.0.0" +[[exemptions.semver]] +version = "1.0.18" criteria = "safe-to-deploy" -[[exemptions.sized-chunks]] -version = "0.6.5" +[[exemptions.serde_urlencoded]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.sha1_smol]] +version = "1.0.0" +criteria = "safe-to-deploy" + +[[exemptions.signal-hook]] +version = "0.3.17" +criteria = "safe-to-deploy" + +[[exemptions.signal-hook-registry]] +version = "1.4.1" +criteria = "safe-to-deploy" + +[[exemptions.slab]] +version = "0.4.9" criteria = "safe-to-deploy" [[exemptions.smallvec]] -version = "1.10.0" +version = "1.8.0" criteria = "safe-to-deploy" [[exemptions.smol_str]] -version = "0.1.24" +version = "0.2.0" criteria = "safe-to-deploy" [[exemptions.socket2]] version = "0.4.9" criteria = "safe-to-deploy" -[[exemptions.spki]] -version = "0.7.0" +[[exemptions.socket2]] +version = "0.5.3" criteria = "safe-to-deploy" -[[exemptions.static_assertions]] -version = "1.1.0" +[[exemptions.spin]] +version = "0.5.2" criteria = "safe-to-deploy" -[[exemptions.strip-ansi-escapes]] -version = "0.1.1" +[[exemptions.static_assertions]] +version = "1.1.0" criteria = "safe-to-deploy" [[exemptions.strsim]] version = "0.10.0" criteria = "safe-to-deploy" +[[exemptions.strum]] +version = "0.25.0" +criteria = "safe-to-deploy" + [[exemptions.strum_macros]] -version = "0.24.3" +version = "0.25.2" criteria = "safe-to-deploy" -[[exemptions.subtle]] -version = "2.4.1" +[[exemptions.tame-index]] +version = "0.5.4" criteria = "safe-to-deploy" [[exemptions.tempfile]] -version = "3.3.0" +version = "3.8.0" criteria = "safe-to-deploy" -[[exemptions.time]] -version = "0.3.20" +[[exemptions.thiserror]] +version = "1.0.47" criteria = "safe-to-deploy" -[[exemptions.time-core]] -version = "0.1.0" +[[exemptions.thiserror-impl]] +version = "1.0.47" +criteria = "safe-to-deploy" + +[[exemptions.time]] +version = "0.3.28" criteria = 
"safe-to-deploy" [[exemptions.time-macros]] -version = "0.2.7" +version = "0.2.14" +criteria = "safe-to-deploy" + +[[exemptions.tokio]] +version = "1.32.0" +criteria = "safe-to-deploy" + +[[exemptions.tokio-rustls]] +version = "0.24.1" +criteria = "safe-to-deploy" + +[[exemptions.tokio-util]] +version = "0.7.8" +criteria = "safe-to-deploy" + +[[exemptions.tower-service]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.tracing]] +version = "0.1.34" +criteria = "safe-to-deploy" + +[[exemptions.tracing-core]] +version = "0.1.28" criteria = "safe-to-deploy" [[exemptions.twox-hash]] @@ -520,20 +792,24 @@ criteria = "safe-to-deploy" version = "1.15.0" criteria = "safe-to-deploy" -[[exemptions.unicode-bidi]] -version = "0.3.13" +[[exemptions.unicode-bom]] +version = "2.0.2" criteria = "safe-to-deploy" -[[exemptions.utf8parse]] -version = "0.2.1" +[[exemptions.unicode-ident]] +version = "1.0.11" criteria = "safe-to-deploy" -[[exemptions.vte]] -version = "0.10.1" +[[exemptions.url]] +version = "2.4.1" criteria = "safe-to-deploy" -[[exemptions.vte_generate_state_changes]] -version = "0.1.1" +[[exemptions.wasm-bindgen-futures]] +version = "0.4.37" +criteria = "safe-to-deploy" + +[[exemptions.web-sys]] +version = "0.3.64" criteria = "safe-to-deploy" [[exemptions.winapi]] 
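Review bot: Two of the pinned exemption versions move backwards in this hunk, `libc` from 0.2.140 to 0.2.126 and `smallvec` from 1.10.0 to 1.8.0, which, since exemptions track the version actually resolved in Cargo.lock, indicates the lockfile now resolves older releases of both crates than before; that is worth confirming before merge, because an exemption silently accepts whatever version it names and a stale pin or a capping dependency would explain it. The same hunk adds `safe-to-deploy` exemptions for the crates whose names indicate they now carry the project's networking, TLS and credential handling (`hyper`, `reqwest`, `rustls`, `ring`, `tokio`, `gix-transport`, `gix-credentials`, `gix-command`, `gix-prompt`). These are the dependencies where an unaudited exemption carries the most risk, so consider prioritizing them in the `cargo vet suggest` follow-up, or at least adding a `notes = "temporary exemption, audit pending"` line so the gap is visible to the next reader.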
@@ -548,12 +824,88 @@ criteria = "safe-to-deploy" version = "0.4.0" criteria = "safe-to-deploy" -[[exemptions.wyz]] -version = "0.5.0" +[[exemptions.windows]] +version = "0.48.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-sys]] +version = "0.45.0" +criteria = "safe-to-run" + +[[exemptions.windows-sys]] +version = "0.48.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-targets]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows-targets]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_msvc]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_aarch64_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnu]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_i686_gnu]] +version = "0.48.5" criteria = "safe-to-deploy" -[[exemptions.zeroize]] -version = "1.4.3" +[[exemptions.windows_i686_msvc]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_i686_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnu]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_gnu]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_msvc]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.winreg]] +version = "0.50.0" +criteria = "safe-to-deploy" + +[[exemptions.wyz]] +version = "0.5.0" criteria = "safe-to-deploy" [[exemptions.zstd]] 
@@ -565,5 +917,5 @@ version = "5.0.2+zstd.1.5.2" criteria = "safe-to-deploy" [[exemptions.zstd-sys]] -version = "2.0.7+zstd.1.5.4" +version = "2.0.8+zstd.1.5.5" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 843587a31..90556444a 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -2,43 +2,43 @@ # cargo-vet imports lock [[publisher.aho-corasick]] -version = "0.7.20" -when = "2022-11-22" +version = "1.0.5" +when = "2023-08-29" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.anstream]] -version = "0.2.6" -when = "2023-03-17" +version = "0.5.0" +when = "2023-08-24" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle]] -version = "0.3.5" -when = "2023-03-17" +version = "1.0.2" +when = "2023-08-23" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-parse]] -version = "0.1.1" -when = "2023-03-14" +version = "0.2.1" +when = "2023-06-20" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-wincon]] -version = "0.2.0" -when = "2023-03-13" +version = "2.1.0" +when = "2023-08-24" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.bstr]] -version = "1.4.0" -when = "2023-03-18" +version = "1.6.2" +when = "2023-08-30" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" 
@@ -58,49 +58,35 @@ user-login = "Darksonn" user-name = "Alice Ryhl" [[publisher.cfg-expr]] -version = "0.15.0" -when = "2023-04-04" +version = "0.15.4" +when = "2023-07-28" user-id = 52553 user-login = "embark-studios" [[publisher.clap]] -version = "4.2.1" -when = "2023-03-29" +version = "4.4.2" +when = "2023-08-31" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_builder]] -version = "4.2.1" -when = "2023-03-29" +version = "4.4.2" +when = "2023-08-31" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_derive]] -version = "4.2.0" -when = "2023-03-28" +version = "4.4.2" +when = "2023-08-31" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_lex]] -version = "0.4.1" -when = "2023-03-28" -user-id = 6743 -user-login = "epage" -user-name = "Ed Page" - -[[publisher.concolor-override]] -version = "1.0.0" -when = "2023-03-08" -user-id = 6743 -user-login = "epage" -user-name = "Ed Page" - -[[publisher.concolor-query]] -version = "0.3.3" -when = "2023-03-14" +version = "0.5.1" +when = "2023-08-24" user-id = 6743 user-login = "epage" user-name = "Ed Page" 
@@ -119,51 +105,30 @@ user-id = 5946 user-login = "jrmuizel" user-name = "Jeff Muizelaar" -[[publisher.curl-sys]] -version = "0.4.61+curl-8.0.1" -when = "2023-03-20" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" +[[publisher.encoding_rs]] +version = "0.8.33" +when = "2023-08-23" +user-id = 4484 +user-login = "hsivonen" +user-name = "Henri Sivonen" [[publisher.filetime]] -version = "0.2.20" -when = "2023-02-08" +version = "0.2.22" +when = "2023-08-05" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.globset]] -version = "0.4.10" -when = "2023-01-05" -user-id = 189 -user-login = "BurntSushi" -user-name = "Andrew Gallant" - -[[publisher.ignore]] -version = "0.4.20" -when = "2023-01-15" +version = "0.4.13" +when = "2023-08-05" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" -[[publisher.io-lifetimes]] -version = "1.0.9" -when = "2023-03-20" -user-id = 6825 -user-login = "sunfishcode" -user-name = "Dan Gohman" - -[[publisher.is-terminal]] -version = "0.4.6" -when = "2023-03-29" -user-id = 6825 -user-login = "sunfishcode" -user-name = "Dan Gohman" - [[publisher.itoa]] -version = "1.0.6" -when = "2023-03-03" +version = "1.0.9" +when = "2023-07-15" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -176,8 +141,8 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.krates]] -version = "0.13.0" -when = "2023-04-04" +version = "0.15.1" +when = "2023-09-03" user-id = 52553 user-login = "embark-studios" 
@@ -188,93 +153,72 @@ user-id = 6743 user-login = "epage" user-name = "Ed Page" -[[publisher.libnghttp2-sys]] -version = "0.1.7+1.45.0" -when = "2021-09-20" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" - -[[publisher.libz-sys]] -version = "1.1.8" -when = "2022-05-28" -user-id = 4333 -user-login = "joshtriplett" -user-name = "Josh Triplett" - [[publisher.linux-raw-sys]] -version = "0.3.1" -when = "2023-03-30" +version = "0.4.5" +when = "2023-07-31" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" [[publisher.memchr]] -version = "2.5.0" -when = "2022-04-30" +version = "2.6.2" +when = "2023-08-30" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.num_cpus]] -version = "1.15.0" -when = "2022-12-20" +version = "1.16.0" +when = "2023-06-29" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" -[[publisher.openssl-src]] -version = "111.25.2+1.1.1t" -when = "2023-03-20" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" - [[publisher.paste]] -version = "1.0.12" -when = "2023-03-05" +version = "1.0.14" +when = "2023-07-15" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.regex]] -version = "1.7.3" -when = "2023-03-25" +version = "1.9.4" +when = "2023-08-26" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.regex-automata]] -version = "0.1.10" -when = "2021-06-01" +version = "0.3.7" +when = "2023-08-26" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.regex-syntax]] -version = "0.6.29" -when = "2023-03-21" +version = "0.7.5" +when = "2023-08-26" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.rustix]] -version = "0.37.7" -when = "2023-04-03" +version = "0.38.11" +when = "2023-08-31" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" [[publisher.rustversion]] -version = "1.0.12" -when = "2023-03-05" +version = "1.0.14" +when = 
"2023-07-15" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.ryu]] -version = "1.0.13" -when = "2023-03-03" +version = "1.0.15" +when = "2023-07-15" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -287,50 +231,43 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.scopeguard]] -version = "1.1.0" -when = "2020-02-16" +version = "1.2.0" +when = "2023-07-17" user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.serde]] -version = "1.0.159" -when = "2023-03-28" +version = "1.0.188" +when = "2023-08-26" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_derive]] -version = "1.0.159" -when = "2023-03-28" -user-id = 3618 -user-login = "dtolnay" -user-name = "David Tolnay" - -[[publisher.serde_ignored]] -version = "0.1.7" -when = "2023-01-03" +version = "1.0.188" +when = "2023-08-26" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_json]] -version = "1.0.95" -when = "2023-03-27" +version = "1.0.105" +when = "2023-08-15" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_spanned]] -version = "0.6.1" -when = "2023-01-30" +version = "0.6.3" +when = "2023-06-24" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.spdx]] -version = "0.10.0" -when = "2022-12-20" +version = "0.10.2" +when = "2023-07-14" user-id = 52553 user-login = "embark-studios" 
@@ -342,22 +279,15 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.syn]] -version = "2.0.13" -when = "2023-04-01" +version = "2.0.29" +when = "2023-08-17" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" -[[publisher.tar]] -version = "0.4.38" -when = "2021-12-14" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" - [[publisher.target-lexicon]] -version = "0.12.6" -when = "2023-02-10" +version = "0.12.11" +when = "2023-07-31" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" @@ -369,37 +299,16 @@ user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" -[[publisher.thread_local]] -version = "1.1.7" -when = "2023-02-12" -user-id = 2915 -user-login = "Amanieu" -user-name = "Amanieu d'Antras" - -[[publisher.toml]] -version = "0.5.7" -when = "2020-10-11" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" - [[publisher.toml]] -version = "0.7.3" -when = "2023-03-13" -user-id = 6743 -user-login = "epage" -user-name = "Ed Page" - -[[publisher.toml_edit]] -version = "0.15.0" -when = "2022-10-21" +version = "0.7.6" +when = "2023-07-05" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.toml_edit]] -version = "0.19.8" -when = "2023-03-23" +version = "0.19.14" +when = "2023-07-14" user-id = 6743 user-login = "epage" user-name = "Ed Page" @@ -418,13 +327,6 @@ user-id = 1139 user-login = "Manishearth" user-name = "Manish Goregaokar" -[[publisher.unicode-xid]] -version = "0.2.4" -when = "2022-09-15" -user-id = 1139 -user-login = "Manishearth" -user-name = "Manish Goregaokar" - [[publisher.walkdir]] version = "2.3.3" when = "2023-03-16" 
@@ -440,40 +342,69 @@ user-login = "BurntSushi"
 user-name = "Andrew Gallant"
 
 [[publisher.winnow]]
-version = "0.4.1"
-when = "2023-03-24"
+version = "0.5.15"
+when = "2023-08-24"
 user-id = 6743
 user-login = "epage"
 user-name = "Ed Page"
 
-[[audits.embark.audits.anyhow]]
+[[audits.embark.wildcard-audits.cfg-expr]]
+who = "Jake Shadle "
+criteria = "safe-to-deploy"
+user-id = 52553 # embark-studios
+start = "2020-01-01"
+end = "2024-05-23"
+notes = "Maintained by Embark. No unsafe usage or ambient capabilities"
+
+[[audits.embark.wildcard-audits.krates]]
+who = "Jake Shadle "
+criteria = "safe-to-deploy"
+user-id = 52553 # embark-studios
+start = "2020-01-01"
+end = "2024-05-23"
+notes = """
+Maintained by Embark.
+
+No unsafe usage but does allow calling of cargo via the cargo_metadata crate
+"""
+
+[[audits.embark.wildcard-audits.spdx]]
+who = "Jake Shadle "
+criteria = "safe-to-deploy"
+user-id = 52553 # embark-studios
+start = "2020-01-01"
+end = "2024-05-23"
+notes = "Maintained by Embark. No unsafe usage or ambient capabilities"
+
+[[audits.embark.audits.cargo_metadata]]
 who = "Johan Andersson "
 criteria = "safe-to-deploy"
-version = "1.0.58"
+delta = "0.15.3 -> 0.15.4"
+notes = "No notable changes"
 
-[[audits.embark.audits.epaint]]
+[[audits.embark.audits.cargo_metadata]]
 who = "Johan Andersson "
 criteria = "safe-to-deploy"
-violation = "<0.20.0"
-notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321"
+delta = "0.15.4 -> 0.17.0"
+notes = "No notable changes"
 
-[[audits.embark.audits.rustc-workspace-hack]]
+[[audits.embark.audits.colorchoice]]
 who = "Johan Andersson "
 criteria = "safe-to-deploy"
 version = "1.0.0"
-notes = "No unsafe usage or ambient capabilities. No functionality in it beyond a #[test]. 
" +notes = "No unsafe usage or ambient capabilities" -[[audits.embark.audits.similar]] +[[audits.embark.audits.idna]] who = "Johan Andersson " criteria = "safe-to-deploy" -version = "2.2.1" +delta = "0.3.0 -> 0.4.0" notes = "No unsafe usage or ambient capabilities" -[[audits.embark.audits.strum]] +[[audits.embark.audits.similar]] who = "Johan Andersson " criteria = "safe-to-deploy" -version = "0.24.1" -notes = "Tiny layer on top of the proc macro crate, found no unsafe or system usage" +version = "2.2.1" +notes = "No unsafe usage or ambient capabilities" [[audits.embark.audits.tap]] who = "Johan Andersson " @@ -481,23 +412,29 @@ criteria = "safe-to-deploy" version = "1.0.1" notes = "No unsafe usage or ambient capabilities" -[[audits.embark.audits.thiserror]] +[[audits.embark.audits.tinyvec_macros]] who = "Johan Andersson " criteria = "safe-to-deploy" -version = "1.0.40" -notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used" +version = "0.1.0" +notes = "Inspected it and is a tiny crate with single safe macro" -[[audits.embark.audits.thiserror-impl]] +[[audits.embark.audits.toml_datetime]] who = "Johan Andersson " criteria = "safe-to-deploy" -version = "1.0.40" -notes = "Found no unsafe or ambient capabilities used" +delta = "0.6.1 -> 0.6.2" +notes = "No notable changes" -[[audits.embark.audits.tinyvec_macros]] +[[audits.embark.audits.utf8parse]] who = "Johan Andersson " criteria = "safe-to-deploy" -version = "0.1.0" -notes = "Inspected it and is a tiny crate with single safe macro" +version = "0.2.1" +notes = "Single unsafe usage that looks sound, no ambient capabilities" + +[[audits.embark.audits.webpki-roots]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.22.4" +notes = "Inspected it to confirm that it only contains data definitions and no runtime code" [[audits.embark.audits.yaml-rust]] who = "Johan Andersson " 
@@ -523,6 +460,14 @@ end = "2023-05-04"
 renew = false
 notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
 
+[[audits.firefox.wildcard-audits.encoding_rs]]
+who = "Henri Sivonen "
+criteria = "safe-to-deploy"
+user-id = 4484 # Henri Sivonen (hsivonen)
+start = "2019-02-26"
+end = "2024-08-28"
+notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
+
 [[audits.firefox.wildcard-audits.unicode-normalization]]
 who = "Manish Goregaokar "
 criteria = "safe-to-deploy"
@@ -539,51 +484,12 @@ start = "2019-12-05"
 end = "2024-05-03"
 notes = "All code written or reviewed by Manish"
 
-[[audits.firefox.wildcard-audits.unicode-xid]]
-who = "Manish Goregaokar "
-criteria = "safe-to-deploy"
-user-id = 1139 # Manish Goregaokar (Manishearth)
-start = "2019-07-25"
-end = "2024-05-03"
-notes = "All code written or reviewed by Manish"
-
-[[audits.firefox.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.57 -> 1.0.61"
-
-[[audits.firefox.audits.anyhow]]
-who = "Bobby Holley "
-criteria = "safe-to-deploy"
-delta = "1.0.58 -> 1.0.57"
-notes = "No functional differences, just CI config and docs."
-
-[[audits.firefox.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.61 -> 1.0.62"
-
-[[audits.firefox.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.62 -> 1.0.68"
-
-[[audits.firefox.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.68 -> 1.0.69"
-
 [[audits.firefox.audits.autocfg]]
 who = "Josh Stone "
 criteria = "safe-to-deploy"
 version = "1.1.0"
 notes = "All code written or reviewed by Josh Stone."
 
-[[audits.firefox.audits.base64]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.13.0 -> 0.13.1"
-
 [[audits.firefox.audits.block-buffer]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -629,46 +535,96 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.10.3 -> 0.10.6"
 
-[[audits.firefox.audits.either]]
+[[audits.firefox.audits.fnv]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+version = "1.0.7"
+notes = "Simple hasher implementation with no unsafe code."
+
+[[audits.firefox.audits.fs-err]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "1.6.1 -> 1.7.0"
+delta = "2.8.1 -> 2.9.0"
 
-[[audits.firefox.audits.either]]
+[[audits.firefox.audits.futures-channel]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "1.7.0 -> 1.8.0"
+delta = "0.3.27 -> 0.3.28"
 
-[[audits.firefox.audits.either]]
+[[audits.firefox.audits.futures-core]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "1.8.0 -> 1.8.1"
+delta = "0.3.27 -> 0.3.28"
 
-[[audits.firefox.audits.env_logger]]
+[[audits.firefox.audits.futures-io]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "0.9.0 -> 0.9.3"
+delta = "0.3.27 -> 0.3.28"
 
-[[audits.firefox.audits.env_logger]]
-who = "Nicolas Silva "
+[[audits.firefox.audits.futures-macro]]
+who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "0.9.3 -> 0.10.0"
+delta = "0.3.21 -> 0.3.23"
 
-[[audits.firefox.audits.flate2]]
+[[audits.firefox.audits.futures-macro]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "1.0.24 -> 1.0.25"
+delta = "0.3.23 -> 0.3.25"
 
-[[audits.firefox.audits.fnv]]
-who = "Bobby Holley "
+[[audits.firefox.audits.futures-macro]]
+who = "Mike Hommey "
 criteria = "safe-to-deploy"
-version = "1.0.7"
-notes = "Simple hasher implementation with no unsafe code."
+delta = "0.3.25 -> 0.3.26"
 
-[[audits.firefox.audits.fs-err]]
+[[audits.firefox.audits.futures-macro]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "2.8.1 -> 2.9.0"
+delta = "0.3.26 -> 0.3.28"
+
+[[audits.firefox.audits.futures-sink]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.28"
+
+[[audits.firefox.audits.futures-task]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.firefox.audits.futures-task]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.firefox.audits.futures-task]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.firefox.audits.futures-task]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.26 -> 0.3.28"
+
+[[audits.firefox.audits.futures-util]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.firefox.audits.futures-util]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.firefox.audits.futures-util]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.firefox.audits.futures-util]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.26 -> 0.3.28"
 
 [[audits.firefox.audits.generic-array]]
 who = "Mike Hommey "
@@ -685,6 +641,28 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.2.7 -> 0.2.8"
 
+[[audits.firefox.audits.getrandom]]
+who = "Yannis Juglaret "
+criteria = "safe-to-deploy"
+delta = "0.2.8 -> 0.2.9"
+
+[[audits.firefox.audits.goblin]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "0.1.3 -> 0.5.4"
+notes = "Several bugfixes since 2019. This version is also in use by Mozilla's crash reporting tooling, e.g. minidump-writer"
+
+[[audits.firefox.audits.goblin]]
+who = "Gabriele Svelto "
+criteria = "safe-to-deploy"
+delta = "0.5.4 -> 0.6.0"
+notes = "Mostly bug fixes and some added functionality"
+
+[[audits.firefox.audits.goblin]]
+who = "Gabriele Svelto "
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.7.1"
+
 [[audits.firefox.audits.hashbrown]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -696,20 +674,25 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.4.0 -> 0.4.1"
 
-[[audits.firefox.audits.hermit-abi]]
+[[audits.firefox.audits.indexmap]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "0.1.19 -> 0.2.6"
+delta = "1.9.1 -> 1.9.2"
 
-[[audits.firefox.audits.hex]]
-who = "Simon Friedberger "
+[[audits.firefox.audits.libc]]
+who = "Mike Hommey "
 criteria = "safe-to-deploy"
-version = "0.4.3"
+delta = "0.2.126 -> 0.2.132"
 
-[[audits.firefox.audits.indexmap]]
+[[audits.firefox.audits.libc]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "1.9.1 -> 1.9.2"
+delta = "0.2.132 -> 0.2.138"
+
+[[audits.firefox.audits.libc]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.2.138 -> 0.2.139"
 
 [[audits.firefox.audits.linked-hash-map]]
 who = "Aria Beingessner "
@@ -722,20 +705,20 @@ who = "Mike Hommey "
 criteria = "safe-to-run"
 delta = "0.5.4 -> 0.5.6"
 
-[[audits.firefox.audits.log]]
-who = "Mike Hommey "
+[[audits.firefox.audits.memoffset]]
+who = "Gabriele Svelto "
 criteria = "safe-to-deploy"
-version = "0.4.17"
+delta = "0.6.5 -> 0.7.1"
 
 [[audits.firefox.audits.memoffset]]
 who = "Gabriele Svelto "
 criteria = "safe-to-deploy"
-delta = "0.6.5 -> 0.7.1"
+delta = "0.8.0 -> 0.9.0"
 
-[[audits.firefox.audits.miniz_oxide]]
+[[audits.firefox.audits.nom]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "0.5.3 -> 0.6.2"
+delta = "7.1.1 -> 7.1.3"
 
 [[audits.firefox.audits.num-traits]]
 who = "Josh Stone "
@@ -743,15 +726,20 @@ criteria = "safe-to-deploy"
 version = "0.2.15"
 notes = "All code written or reviewed by Josh Stone."
 
-[[audits.firefox.audits.once_cell]]
+[[audits.firefox.audits.object]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "1.16.0 -> 1.17.1"
+delta = "0.28.4 -> 0.30.0"
 
-[[audits.firefox.audits.pkg-config]]
+[[audits.firefox.audits.object]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
-delta = "0.3.25 -> 0.3.26"
+delta = "0.30.0 -> 0.30.3"
+
+[[audits.firefox.audits.once_cell]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.16.0 -> 1.17.1"
 
 [[audits.firefox.audits.proc-macro2]]
 who = "Nika Layzell "
@@ -797,31 +785,6 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.49 -> 1.0.51"
 
-[[audits.firefox.audits.quote]]
-who = "Nika Layzell "
-criteria = "safe-to-deploy"
-version = "1.0.18"
-notes = """
-`quote` is a utility crate used by proc-macros to generate TokenStreams
-conveniently from source code. The bulk of the logic is some complex
-interlocking `macro_rules!` macros which are used to parse and build the
-`TokenStream` within the proc-macro.
-
-This crate contains no unsafe code, and the internal logic, while difficult to
-read, is generally straightforward. I have audited the the quote macros, ident
-formatter, and runtime logic.
-"""
-
-[[audits.firefox.audits.quote]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.18 -> 1.0.21"
-
-[[audits.firefox.audits.quote]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.21 -> 1.0.23"
-
 [[audits.firefox.audits.rayon]]
 who = "Josh Stone "
 criteria = "safe-to-deploy"
@@ -849,68 +812,51 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.10.1 -> 1.10.2"
 
-[[audits.firefox.audits.redox_syscall]]
-who = "Mike Hommey "
+[[audits.firefox.audits.scroll]]
+who = "Jan-Erik Rediger "
 criteria = "safe-to-deploy"
-delta = "0.2.13 -> 0.2.16"
+delta = "0.10.2 -> 0.11.0"
+notes = "Small changes to exposed traits, that look reasonable and have additional buffer boundary checks. No unsafe code touched."
 
-[[audits.firefox.audits.rustc-hash]]
-who = "Bobby Holley "
+[[audits.firefox.audits.scroll_derive]]
+who = "Jan-Erik Rediger "
 criteria = "safe-to-deploy"
-version = "1.1.0"
-notes = "Straightforward crate with no unsafe code, does what it says on the tin."
+delta = "0.10.5 -> 0.11.0"
+notes = "No code changes. Tagged together with its parent crate scroll."
 
-[[audits.firefox.audits.sha1]]
-who = "Dana Keeler "
+[[audits.firefox.audits.scroll_derive]]
+who = "Mike Hommey "
 criteria = "safe-to-deploy"
-version = "0.10.5"
+delta = "0.11.0 -> 0.11.1"
 
 [[audits.firefox.audits.sha2]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.10.2 -> 0.10.6"
 
-[[audits.firefox.audits.toml]]
-who = "Bobby Holley "
+[[audits.firefox.audits.time-core]]
+who = "Kershaw Chang "
 criteria = "safe-to-deploy"
-delta = "0.5.7 -> 0.5.9"
-
-[[audits.firefox.audits.toml]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.5.9 -> 0.5.10"
-
-[[audits.firefox.audits.toml]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.5.10 -> 0.5.11"
+version = "0.1.0"
 
 [[audits.firefox.audits.typenum]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.15.0 -> 1.16.0"
 
-[[audits.google.audits.console]]
-who = "George Burgess IV "
-criteria = "safe-to-run"
-version = "0.15.5"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
-[[audits.google.audits.fastrand]]
-who = "George Burgess IV "
+[[audits.firefox.audits.uluru]]
+who = "Emilio Cobos 
Álvarez "
 criteria = "safe-to-deploy"
-version = "1.9.0"
+version = "3.0.0"
 notes = """
-`does-not-implement-crypto` is certified because this crate explicitly says
-that the RNG here is not cryptographically secure.
+I've reviewed multiple patches in this crate, including the initial
+implementation back in the day. It has no unsafe code at all nowadays.
 """
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
-[[audits.google.audits.glob]]
-who = "George Burgess IV "
+[[audits.firefox.audits.unicode-bidi]]
+who = "Makoto Kato "
 criteria = "safe-to-deploy"
-version = "0.3.1"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+delta = "0.3.8 -> 0.3.13"
 
 [[audits.google.audits.version_check]]
 who = "George Burgess IV "
@@ -918,48 +864,46 @@ criteria = "safe-to-deploy"
 version = "0.9.4"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
-[[audits.isrg.audits.block-buffer]]
+[[audits.isrg.audits.base64]]
+who = "Tim Geoghegan "
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+
+[[audits.isrg.audits.base64]]
+who = "Brandon Pitman "
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.21.2"
+
+[[audits.isrg.audits.base64]]
 who = "David Cook "
 criteria = "safe-to-deploy"
-version = "0.9.0"
+delta = "0.21.2 -> 0.21.3"
 
-[[audits.isrg.audits.either]]
+[[audits.isrg.audits.block-buffer]]
 who = "David Cook "
 criteria = "safe-to-deploy"
-version = "1.6.1"
+version = "0.9.0"
 
-[[audits.isrg.audits.fiat-crypto]]
+[[audits.isrg.audits.digest]]
 who = "David Cook "
 criteria = "safe-to-deploy"
-version = "0.1.17"
-notes = """
-This crate does not contain any unsafe code, and does not use any items from
-the standard library or other crates, aside from operations backed by
-`std::ops`. All paths with array indexing use integer literals for indexes, so
-there are no panics due to indexes out of bounds (as rustc would catch an
-out-of-bounds literal index). I did not check whether arithmetic overflows
-could cause a panic, and I am relying on the Coq code having satisfied the
-necessary preconditions to ensure panics due to overflows are unreachable.
-"""
+delta = "0.10.6 -> 0.10.7"
 
-[[audits.isrg.audits.fiat-crypto]]
-who = "Brandon Pitman "
+[[audits.isrg.audits.getrandom]]
+who = "Tim Geoghegan "
 criteria = "safe-to-deploy"
-delta = "0.1.17 -> 0.1.18"
+delta = "0.2.9 -> 0.2.10"
+notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`."
 
-[[audits.isrg.audits.fiat-crypto]]
-who = "David Cook "
+[[audits.isrg.audits.libc]]
+who = "Brandon Pitman "
 criteria = "safe-to-deploy"
-delta = "0.1.18 -> 0.1.19"
-notes = """
-This release renames many items and adds a new module. The code in the new
-module is entirely composed of arithmetic and array accesses.
-"""
+delta = "0.2.139 -> 0.2.141"
 
-[[audits.isrg.audits.fiat-crypto]]
+[[audits.isrg.audits.num-traits]]
 who = "David Cook "
 criteria = "safe-to-deploy"
-delta = "0.1.19 -> 0.1.20"
+delta = "0.2.15 -> 0.2.16"
 
 [[audits.isrg.audits.once_cell]]
 who = "David Cook "
@@ -971,10 +915,15 @@ functionally equivalent, and call unwrap_unchecked() on already-initialized
 Options. The new implementation based on critical_section appears to be sound.
 """
 
-[[audits.isrg.audits.proc-macro2]]
+[[audits.isrg.audits.once_cell]]
 who = "Brandon Pitman "
 criteria = "safe-to-deploy"
-delta = "1.0.52 -> 1.0.54"
+delta = "1.17.1 -> 1.17.2"
+
+[[audits.isrg.audits.once_cell]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+delta = "1.17.2 -> 1.18.0"
 
 [[audits.isrg.audits.rayon]]
 who = "Brandon Pitman "
@@ -986,6 +935,16 @@ who = "Brandon Pitman "
 criteria = "safe-to-deploy"
 delta = "1.10.2 -> 1.11.0"
 
+[[audits.isrg.audits.sha2]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.10.2"
+
+[[audits.isrg.audits.untrusted]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.7.1"
+
 [[audits.mozilla.audits.crossbeam-channel]]
 who = "Jan-Erik Rediger "
 criteria = "safe-to-deploy"
@@ -1000,21 +959,63 @@ version = "1.4.0"
 notes = "I have read over the macros, and audited the unsafe code."
 aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
 
-[[audits.wasmtime.audits.block-buffer]]
-who = "Benjamin Bouvier "
+[[audits.mozilla.audits.libc]]
+who = "Jan-Erik Rediger "
 criteria = "safe-to-deploy"
-delta = "0.9.0 -> 0.10.2"
+delta = "0.2.141 -> 0.2.146"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
 
-[[audits.wasmtime.audits.camino]]
-who = "Pat Hickey "
+[[audits.mozilla.audits.proc-macro2]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "1.0.57 -> 1.0.59"
+notes = "Enabled on Wasm"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.proc-macro2]]
+who = "Jan-Erik Rediger "
 criteria = "safe-to-deploy"
-version = "1.1.4"
+delta = "1.0.63 -> 1.0.66"
+notes = "Removed special support for some really old Rust versions"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
 
-[[audits.wasmtime.audits.cargo-platform]]
+[[audits.wasmtime.audits.addr2line]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.17.0 -> 0.19.0"
+notes = """
+This is a minor update for addr2line which looks to mainly update its
+dependencies and refactor existing code to expose more functionality and such.
+"""
+
+[[audits.wasmtime.audits.addr2line]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.19.0 -> 0.20.0"
+notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update."
+
+[[audits.wasmtime.audits.addr2line]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.21.0"
+notes = "This version bump updated some dependencies and optimized some internals. All looks good."
+
+[[audits.wasmtime.audits.adler]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "1.0.2"
+notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
+
+[[audits.wasmtime.audits.base64]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "0.1.2"
-notes = "no build, no ambient capabilities, no unsafe"
+version = "0.21.0"
+notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
+
+[[audits.wasmtime.audits.block-buffer]]
+who = "Benjamin Bouvier "
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.10.2"
 
 [[audits.wasmtime.audits.cargo_metadata]]
 who = "Pat Hickey "
@@ -1044,33 +1045,65 @@ who = "Benjamin Bouvier "
 criteria = "safe-to-deploy"
 delta = "0.9.0 -> 0.10.3"
 
-[[audits.wasmtime.audits.errno]]
-who = "Dan Gohman "
+[[audits.wasmtime.audits.futures-channel]]
+who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "0.3.0"
-notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
+version = "0.3.27"
+notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
+
+[[audits.wasmtime.audits.futures-core]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.27"
+notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
 
-[[audits.wasmtime.audits.foreign-types]]
+[[audits.wasmtime.audits.futures-io]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "0.3.2"
-notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well."
+version = "0.3.27"
 
-[[audits.wasmtime.audits.foreign-types-shared]]
+[[audits.wasmtime.audits.futures-sink]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "0.1.1"
+version = "0.3.27"
 
-[[audits.wasmtime.audits.form_urlencoded]]
+[[audits.wasmtime.audits.gimli]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
-version = "1.1.0"
+delta = "0.26.1 -> 0.27.0"
 notes = """
-This is a small crate for working with url-encoded forms which doesn't have any
-more than what it says on the tin. 
Contains one `unsafe` block related to
-performance around utf-8 validation which is fairly easy to verify as correct.
+This is a standard update to gimli for more DWARF support for more platforms,
+more features, etc. Some minor `unsafe` code was added that does not appear
+incorrect. Otherwise looks like someone probably ran clippy and/or rustfmt.
 """
 
+[[audits.wasmtime.audits.gimli]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.27.0 -> 0.27.3"
+notes = "More support for more DWARF, nothing major in this update. Some small refactorings and updates to publication of the package but otherwise everything's in order."
+
+[[audits.wasmtime.audits.gimli]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.27.3 -> 0.28.0"
+notes = """
+Still looks like a good DWARF-parsing crate, nothing major was added or deleted
+and no `unsafe` code to review here.
+"""
+
+[[audits.wasmtime.audits.hashbrown]]
+who = "Chris Fallin "
+criteria = "safe-to-deploy"
+delta = "0.12.3 -> 0.13.1"
+notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."
+
+[[audits.wasmtime.audits.hashbrown]]
+who = "Trevor Elliott "
+criteria = "safe-to-deploy"
+delta = "0.13.1 -> 0.13.2"
+notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did."
+
 [[audits.wasmtime.audits.heck]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -1088,192 +1121,168 @@ crate is broadly used throughout the ecosystem and does not contain anything
 suspicious.
 """
 
+[[audits.wasmtime.audits.libc]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.2.146 -> 0.2.147"
+notes = "Only new type definitions and updating others for some platforms, no major changes"
+
 [[audits.wasmtime.audits.memoffset]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
 delta = "0.7.1 -> 0.8.0"
 notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."
 
-[[audits.wasmtime.audits.openssl-probe]]
-who = "Pat Hickey "
-criteria = "safe-to-deploy"
-version = "0.1.5"
-notes = "IO is only checking for the existence of paths in the filesystem"
-
-[[audits.wasmtime.audits.percent-encoding]]
+[[audits.wasmtime.audits.miniz_oxide]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
-version = "2.2.0"
+version = "0.7.1"
 notes = """
-This crate is a single-file crate that does what it says on the tin. There are
-a few `unsafe` blocks related to utf-8 validation which are locally verifiable
-as correct and otherwise this crate is good to go.
+This crate is a Rust implementation of zlib compression/decompression and has
+been used by default by the Rust standard library for quite some time. It's also
+a default dependency of the popular `backtrace` crate for decompressing debug
+information. This crate forbids unsafe code and does not otherwise access system
+resources. It's originally a port of the `miniz.c` library as well, and given
+its own longevity should be relatively hardened against some of the more common
+compression-related issues.
 """
 
-[[audits.wasmtime.audits.pkg-config]]
-who = "Pat Hickey "
+[[audits.wasmtime.audits.mio]]
+who = "Alex Crichton "
 criteria = "safe-to-deploy"
-version = "0.3.25"
-notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."
+delta = "0.8.6 -> 0.8.8"
+notes = "Mostly OS portability updates along with some minor bugfixes."
 
-[[audits.wasmtime.audits.semver]]
-who = "Pat Hickey "
+[[audits.wasmtime.audits.object]]
+who = "Alex Crichton "
 criteria = "safe-to-deploy"
-version = "1.0.17"
-notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"
+delta = "0.30.3 -> 0.31.1"
+notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary."
 
-[[audits.wasmtime.audits.sha2]]
-who = "Benjamin Bouvier "
+[[audits.wasmtime.audits.object]]
+who = "Alex Crichton "
 criteria = "safe-to-deploy"
-delta = "0.9.9 -> 0.10.2"
-notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage."
+delta = "0.31.1 -> 0.32.0"
+notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good."
 
-[[audits.wasmtime.audits.tempfile]]
+[[audits.wasmtime.audits.openssl-probe]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
-delta = "3.3.0 -> 3.5.0"
+version = "0.1.5"
+notes = "IO is only checking for the existence of paths in the filesystem"
 
-[[audits.wasmtime.audits.tinyvec]]
-who = "Alex Crichton "
+[[audits.wasmtime.audits.pin-utils]]
+who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "1.6.0"
-notes = """
-This crate, while it implements collections, does so without `std::*` APIs and
-without `unsafe`. Skimming the crate everything looks reasonable and what one
-would expect from idiomatic safe collections in Rust. 
-""" +version = "0.1.0" -[[audits.wasmtime.audits.unicode-ident]] +[[audits.wasmtime.audits.proc-macro2]] who = "Pat Hickey " criteria = "safe-to-deploy" -version = "1.0.8" +delta = "1.0.51 -> 1.0.57" -[[audits.wasmtime.audits.url]] +[[audits.wasmtime.audits.proc-macro2]] who = "Alex Crichton " criteria = "safe-to-deploy" -version = "2.3.1" +delta = "1.0.59 -> 1.0.63" notes = """ -This crate contains no `unsafe` code and otherwise doesn't use any functionality -it's not supposed to from `std` or such. This crate is the defacto standard for -URL parsing in the Rust community with widespread usage to battle-test, harden, -and suss out bugs. I've historically reviewed this crate in the past and it -is similar to what it once was back then. Skimming over the crate there is -nothing suspicious and it's everything you'd expect a Rust URL parser to be. +This is a routine update for new nightly features and new syntax popping up on +nightly, nothing out of the ordinary. """ -[[audits.wasmtime.audits.vcpkg]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.2.15" -notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." - -[[audits.wasmtime.audits.windows-sys]] -who = "Dan Gohman " +[[audits.wasmtime.audits.rustc-demangle]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.42.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." +version = "0.1.21" +notes = "I am the author of this crate." -[[audits.wasmtime.audits.windows-sys]] +[[audits.wasmtime.audits.rustls-webpki]] who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "0.42.0 -> 0.45.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." 
+version = "0.100.1"
 
-[[audits.wasmtime.audits.windows-targets]]
+[[audits.wasmtime.audits.rustls-webpki]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "0.42.1"
-notes = "This is a Windows API bindings library maintained by Microsoft themselves. Additionally, this particular crate is empty and just collects a bunch of dependencies, which are not exported, so I don't understand why it exists at all."
-
-[[audits.wasmtime.audits.windows_aarch64_gnullvm]]
-who = "Dan Gohman "
-criteria = "safe-to-deploy"
-version = "0.42.0"
-notes = "This is a Windows API bindings library maintained by Microso
ft themselves."
+delta = "0.100.1 -> 0.101.4"
 
-[[audits.wasmtime.audits.windows_aarch64_gnullvm]]
+[[audits.wasmtime.audits.sct]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
-delta = "0.42.0 -> 0.42.1"
-notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
+version = "0.7.0"
+notes = "no unsafe, no build, no ambient capabilities"
 
-[[audits.wasmtime.audits.windows_aarch64_msvc]]
+[[audits.wasmtime.audits.smallvec]]
 who = "Dan Gohman "
 criteria = "safe-to-deploy"
-version = "0.42.0"
-notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+delta = "1.8.0 -> 1.11.0"
+notes = """
+The main change is the switch to use `NonNull` internally instead of
+`*mut T`. This seems reasonable, as `Vec` also never stores a null pointer,
+and in particular the new `NonNull::new_unchecked`s look ok.
 
-[[audits.wasmtime.audits.windows_aarch64_msvc]]
-who = "Pat Hickey "
-criteria = "safe-to-deploy"
-delta = "0.42.0 -> 0.42.1"
-notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
+Most of the rest of the changes are adding some new unstable features which
+aren't enabled by default.
+""" -[[audits.wasmtime.audits.windows_i686_gnu]] -who = "Dan Gohman " +[[audits.wasmtime.audits.tinyvec]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.42.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." +version = "1.6.0" +notes = """ +This crate, while it implements collections, does so without `std::*` APIs and +without `unsafe`. Skimming the crate everything looks reasonable and what one +would expect from idiomatic safe collections in Rust. +""" -[[audits.wasmtime.audits.windows_i686_gnu]] -who = "Pat Hickey " +[[audits.wasmtime.audits.tracing]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.42.0 -> 0.42.1" -notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files." +delta = "0.1.34 -> 0.1.37" +notes = """ +A routine set of updates for the tracing crate this includes minor refactorings, +addition of benchmarks, some test updates, but overall nothing out of the +ordinary. +""" -[[audits.wasmtime.audits.windows_i686_msvc]] -who = "Dan Gohman " +[[audits.wasmtime.audits.tracing-core]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.42.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." +delta = "0.1.28 -> 0.1.31" +notes = """ +This is a relatively minor set of releases with minor refactorings and bug +fixes. Nothing fundamental was added in these changes. +""" -[[audits.wasmtime.audits.windows_i686_msvc]] +[[audits.wasmtime.audits.try-lock]] who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "0.42.0 -> 0.42.1" -notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files." 
+version = "0.2.4" +notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" -[[audits.wasmtime.audits.windows_x86_64_gnu]] -who = "Dan Gohman " +[[audits.wasmtime.audits.unicode-bidi]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.42.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." +version = "0.3.8" +notes = """ +This crate has no unsafe code and does not use `std::*`. Skimming the crate it +does not attempt to out of the bounds of what it's already supposed to be doing. +""" -[[audits.wasmtime.audits.windows_x86_64_gnu]] +[[audits.wasmtime.audits.want]] who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "0.42.0 -> 0.42.1" -notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files." - -[[audits.wasmtime.audits.windows_x86_64_gnullvm]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -version = "0.42.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." +version = "0.3.0" -[[audits.wasmtime.audits.windows_x86_64_gnullvm]] +[[audits.wasmtime.audits.webpki-roots]] who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "0.42.0 -> 0.42.1" -notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files." +delta = "0.22.4 -> 0.23.0" -[[audits.wasmtime.audits.windows_x86_64_msvc]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -version = "0.42.0" -notes = "This is a Windows API bindings library maintained by Microsoft themselves." - -[[audits.wasmtime.audits.windows_x86_64_msvc]] +[[audits.wasmtime.audits.webpki-roots]] who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "0.42.0 -> 0.42.1" -notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files." 
- -[[audits.zcash.audits.anyhow]] -who = "Sean Bowe " -criteria = "safe-to-deploy" -delta = "1.0.69 -> 1.0.70" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +delta = "0.23.0 -> 0.25.2" [[audits.zcash.audits.block-buffer]] who = "Jack Grigg " @@ -1282,19 +1291,6 @@ delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.cpufeatures]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.5" -notes = "Unsafe changes just introduce `#[inline(never)]` wrappers." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cpufeatures]] -who = "Sean Bowe " -criteria = "safe-to-deploy" -delta = "0.2.5 -> 0.2.6" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.crossbeam-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1309,6 +1305,13 @@ delta = "0.8.2 -> 0.8.3" notes = "No new code." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.crossbeam-epoch]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.9.14 -> 0.9.15" +notes = "Bumps memoffset to 0.9, and unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.crossbeam-utils]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -1319,34 +1322,50 @@ notes = """ """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.ff]] -who = "Jack Grigg " +[[audits.zcash.audits.crossbeam-utils]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.12.0 -> 0.12.1" +delta = "0.8.15 -> 0.8.16" +notes = """ +- Fixes cache line alignment for some targets. +- Replaces `mem::replace` with `Option::take` inside `unsafe` blocks. +- Unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics. +""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.ff]] +[[audits.zcash.audits.generic-array]] who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "0.12.1 -> 0.13.0" +delta = "0.14.6 -> 0.14.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.generic-array]] -who = "Sean Bowe " +[[audits.zcash.audits.hashbrown]] +who = "Daira Emma Hopwood " criteria = "safe-to-deploy" -delta = "0.14.6 -> 0.14.7" +delta = "0.13.2 -> 0.14.0" +notes = """ +There is some additional use of unsafe code but the changes in this crate looked plausible. +There is a new default dependency on the `allocator-api2` crate, which itself has quite a lot of unsafe code. +Many previously undocumented safety requirements have been documented. 
+""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.group]] -who = "Kris Nuttycombe " +[[audits.zcash.audits.http]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.12.0 -> 0.12.1" +delta = "0.2.8 -> 0.2.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.group]] -who = "Sean Bowe " +[[audits.zcash.audits.hyper]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.14.25 -> 0.14.26" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.hyper]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.12.1 -> 0.13.0" +delta = "0.14.26 -> 0.14.27" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.indexmap]] 
@@ -1355,109 +1374,135 @@ criteria = "safe-to-deploy" delta = "1.9.2 -> 1.9.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.proc-macro2]] -who = "Jack Grigg " +[[audits.zcash.audits.ipnet]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.51 -> 1.0.52" +delta = "2.5.0 -> 2.7.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.proc-macro2]] -who = "Jack Grigg " +[[audits.zcash.audits.ipnet]] +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "1.0.54 -> 1.0.56" +delta = "2.7.1 -> 2.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.quote]] -who = "Jack Grigg " +[[audits.zcash.audits.ipnet]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.23 -> 1.0.26" +delta = "2.7.2 -> 2.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.time-macros]] -who = "Jack Grigg " +[[audits.zcash.audits.mio]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.2.7 -> 0.2.8" +delta = "0.8.2 -> 0.8.4" notes = """ -- Only new `unsafe` code takes a `NonZeroU16` at proc-macro evaluation time and hard-codes - its contents into a `NonZeroU16::new_unchecked` constructor, which is safe. -- Bumps MSRV to 1.63. +Migrates from winapi to windows-sys. The changes to API usage look reasonable +based on what I've seen in other uses of the windows-sys crate. Unsafe code +falls into two categories: +- Usage of `mem::zeroed()`, which doesn't look obviously wrong. The + `..unsafe { mem::zeroed() }` in `sys::unix::selector::kqueue` looks weird + but AFAICT is saying \"take any unspecified fields from an instance of this + struct that has been zero-initialized\", which is fine for integer fields. 
It + would be nice if there was documentation to this effect (explaining why this + is done instead of `..Default::default()`). +- Calls to Windows API methods. These are either pre-existing (and altered for + the differences in the crate abstractions), or newly added in logic that + appears to be copied from miow 0.3.6 (I scanned this by eye and didn't see + any noteworthy changes other than handling windows-sys API differences). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.tinyvec_macros]] +[[audits.zcash.audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.1.0 -> 0.1.1" -notes = "Adds `#![forbid(unsafe_code)]` and license files." +delta = "0.8.4 -> 0.8.5" +notes = "The only unsafe changes are in epoll_create1 failure cases. Usage of epoll_create and fcntl looks fine; it is vulnerable to a race condition in multithreaded programs that fork child processes, but epoll_create1 is how you avoid this problem. See the discussion of the O_CLOEXEC flag in the open(2) man page for details." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.toml_datetime]] +[[audits.zcash.audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" -version = "0.5.1" -notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities." +delta = "0.8.5 -> 0.8.6" +notes = """ +New `unsafe` usages: +- `NonZeroU8::new_unchecked`: I verified the constant is non-zero. +- Additional `syscall!(close(socket))` calls before returning errors. +""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.toml_datetime]] -who = "Jack Grigg " +[[audits.zcash.audits.parking_lot]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.5.1 -> 0.6.1" -notes = "Fixes a bug in parsing negative minutes in datetime string offsets." 
+delta = "0.11.2 -> 0.12.1" +notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows-targets]] -who = "Jack Grigg " +[[audits.zcash.audits.rustc-demangle]] +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" +delta = "0.1.21 -> 0.1.22" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_aarch64_gnullvm]] +[[audits.zcash.audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." +delta = "0.1.22 -> 0.1.23" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_aarch64_msvc]] +[[audits.zcash.audits.sha2]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." +delta = "0.10.6 -> 0.10.7" +notes = """ +The new `unsafe` assembly backend only uses aarch64 intrinsics, via their typed +Rust APIs (aside from the SHA2-specific intrinsics that are not in Rust yet). I +did not perform a cryptographic review, but the code to load from and store into +the function arguments looks correct. +""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_i686_gnu]] +[[audits.zcash.audits.time-core]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." 
+delta = "0.1.0 -> 0.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_i686_msvc]] -who = "Jack Grigg " +[[audits.zcash.audits.tinyvec_macros]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." +delta = "0.1.0 -> 0.1.1" +notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_x86_64_gnu]] -who = "Jack Grigg " +[[audits.zcash.audits.toml_datetime]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." +version = "0.5.1" +notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_x86_64_gnullvm]] +[[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." +delta = "0.5.1 -> 0.6.1" +notes = "Fixes a bug in parsing negative minutes in datetime string offsets." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.windows_x86_64_msvc]] +[[audits.zcash.audits.toml_datetime]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.6.2 -> 0.6.3" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.want]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.42.1 -> 0.42.2" -notes = "This is an opaque Windows API bindings library maintained by Microsoft." 
+delta = "0.3.0 -> 0.3.1" +notes = """ +Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked +`unsafe` (but that were being used safely). +""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wyz]] @@ -1466,16 +1511,3 @@ criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.1" notes = "Only change to unsafe code is to extract a drop impl into a method. I note however that most of the changes in the published 0.5.1 are not present in the v0.5.1 tag on the GitHub repository." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.zeroize]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.4.3 -> 1.5.7" -notes = "The zeroize_c_string unit test has UB, but that's very unlikely to cause a problem in practice." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.zeroize]] -who = "Sean Bowe " -criteria = "safe-to-deploy" -delta = "1.5.7 -> 1.6.0" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"