diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index a52fd144..56943e06 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -162,7 +162,7 @@ version = "1.1.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.clap_mangen]]
-version = "0.2.33"
+version = "0.3.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.cmake]]
@@ -177,6 +177,10 @@ criteria = "safe-to-deploy"
 version = "0.3.3"
 criteria = "safe-to-deploy"
 
+[[exemptions.const-oid]]
+version = "0.10.2"
+criteria = "safe-to-deploy"
+
 [[exemptions.cpufeatures]]
 version = "0.2.17"
 criteria = "safe-to-deploy"
@@ -201,6 +205,10 @@ criteria = "safe-to-run"
 version = "0.1.7"
 criteria = "safe-to-deploy"
 
+[[exemptions.crypto-common]]
+version = "0.2.2"
+criteria = "safe-to-deploy"
+
 [[exemptions.ctrlc]]
 version = "3.5.2"
 criteria = "safe-to-deploy"
@@ -265,6 +273,10 @@ criteria = "safe-to-deploy"
 version = "0.10.7"
 criteria = "safe-to-deploy"
 
+[[exemptions.digest]]
+version = "0.11.3"
+criteria = "safe-to-deploy"
+
 [[exemptions.dispatch2]]
 version = "0.3.1"
 criteria = "safe-to-deploy"
@@ -366,7 +378,11 @@ version = "1.1.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.home]]
-version = "0.5.9"
+version = "0.5.12"
+criteria = "safe-to-deploy"
+
+[[exemptions.hybrid-array]]
+version = "0.4.12"
 criteria = "safe-to-deploy"
 
 [[exemptions.id-arena]]
@@ -409,6 +425,10 @@ criteria = "safe-to-deploy"
 version = "0.3.99"
 criteria = "safe-to-run"
 
+[[exemptions.keccak]]
+version = "0.2.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.libc]]
 version = "0.2.186"
 criteria = "safe-to-deploy"
@@ -461,10 +481,6 @@ criteria = "safe-to-deploy"
 version = "0.1.4"
 criteria = "safe-to-deploy"
 
-[[exemptions.netlink-packet-core]]
-version = "0.7.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.netlink-packet-core]]
 version = "0.8.1"
 criteria = "safe-to-deploy"
@@ -474,21 +490,13 @@ version = "0.4.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.netlink-packet-route]]
-version = "0.19.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.netlink-packet-utils]]
-version = "0.5.2"
+version = "0.30.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.netlink-packet-wireguard]]
 version = "0.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.netlink-proto]]
-version = "0.11.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.netlink-proto]]
 version = "0.12.0"
 criteria = "safe-to-deploy"
@@ -618,7 +626,7 @@ version = "1.1.1"
 criteria = "safe-to-deploy"
 
 [[exemptions.rtnetlink]]
-version = "0.14.1"
+version = "0.21.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.rustc-demangle]]
@@ -666,7 +674,7 @@ version = "3.5.0"
 criteria = "safe-to-run"
 
 [[exemptions.sha3]]
-version = "0.10.9"
+version = "0.12.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.shlex]]
@@ -674,11 +682,11 @@ version = "2.0.1"
 criteria = "safe-to-deploy"
 
 [[exemptions.signal-hook]]
-version = "0.3.18"
+version = "0.4.4"
 criteria = "safe-to-deploy"
 
 [[exemptions.signal-hook-mio]]
-version = "0.2.5"
+version = "0.3.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.signal-hook-registry]]
@@ -697,6 +705,10 @@ criteria = "safe-to-deploy"
 version = "0.9.8"
 criteria = "safe-to-deploy"
 
+[[exemptions.sponge-cursor]]
+version = "0.1.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.stable_deref_trait]]
 version = "1.2.1"
 criteria = "safe-to-deploy"
@@ -722,7 +734,7 @@ version = "3.3.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.test_bin]]
-version = "0.4.0"
+version = "0.5.0"
 criteria = "safe-to-run"
 
 [[exemptions.thiserror]]
@@ -849,10 +861,6 @@ criteria = "safe-to-deploy"
 version = "0.48.0"
 criteria = "safe-to-run"
 
-[[exemptions.windows-sys]]
-version = "0.52.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.windows-sys]]
 version = "0.61.2"
 criteria = "safe-to-deploy"
@@ -867,7 +875,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows-targets]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_aarch64_gnullvm]]
 version = "0.42.2"
@@ -879,7 +887,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_aarch64_gnullvm]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_aarch64_msvc]]
 version = "0.42.2"
@@ -891,7 +899,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_aarch64_msvc]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_i686_gnu]]
 version = "0.42.2"
@@ -903,11 +911,11 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_i686_gnu]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_i686_gnullvm]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_i686_msvc]]
 version = "0.42.2"
@@ -919,7 +927,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_i686_msvc]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_x86_64_gnu]]
 version = "0.42.2"
@@ -931,7 +939,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_x86_64_gnu]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_x86_64_gnullvm]]
 version = "0.42.2"
@@ -943,7 +951,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_x86_64_gnullvm]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_x86_64_msvc]]
 version = "0.42.2"
@@ -955,7 +963,7 @@ criteria = "safe-to-run"
 
 [[exemptions.windows_x86_64_msvc]]
 version = "0.52.6"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.winnow]]
 version = "1.0.3"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 15ac66a6..b8658612 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -1574,21 +1574,6 @@ who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
 delta = "0.4.0 -> 0.4.1"
 
-[[audits.isrg.audits.keccak]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-version = "0.1.2"
-
-[[audits.isrg.audits.keccak]]
-who = "Brandon Pitman <bran@bran.land>"
-criteria = "safe-to-deploy"
-delta = "0.1.2 -> 0.1.3"
-
-[[audits.isrg.audits.keccak]]
-who = "Brandon Pitman <bran@bran.land>"
-criteria = "safe-to-deploy"
-delta = "0.1.3 -> 0.1.4"
-
 [[audits.isrg.audits.once_cell]]
 who = "J.C. Jones <jc@insufficient.coffee>"
 criteria = "safe-to-deploy"
@@ -1884,10 +1869,27 @@ criteria = "safe-to-deploy"
 version = "0.4.3"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
-[[audits.mozilla.audits.keccak]]
-who = "Erich Gubler <erichdongubler@gmail.com>"
+[[audits.mozilla.audits.nix]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
 criteria = "safe-to-deploy"
-delta = "0.1.4 -> 0.1.6"
+delta = "0.27.1 -> 0.28.0"
+notes = """
+Many new features and bugfixes. Obviously there's a lot of unsafe code calling
+libc, but the usage looks correct.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.nix]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.28.0 -> 0.29.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.nix]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.29.0 -> 0.30.1"
+notes = "Some new wrappers, support for minor platforms and lots of work around type safety that reduces the unsafe surafce."
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
 [[audits.mozilla.audits.objc2-encode]]