From f8dc5a61daeee6b08e38a29d72cb6751fd82f0f3 Mon Sep 17 00:00:00 2001 From: Rosenpass CI Bot Date: Mon, 8 Jun 2026 16:27:52 +0000 Subject: [PATCH] Regenerate cargo vet exemptions --- supply-chain/config.toml | 510 +++++++------ supply-chain/imports.lock | 1507 +++++++++++++++++++++++++------------ 2 files changed, 1298 insertions(+), 719 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 85900e34..eb1b3915 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -37,10 +37,6 @@ audit-as-crates-io = false [policy.uds] audit-as-crates-io = true -[[exemptions.addr2line]] -version = "0.24.2" -criteria = "safe-to-deploy" - [[exemptions.aead]] version = "0.5.2" criteria = "safe-to-deploy" 
@@ -54,53 +50,69 @@ version = "0.2.15" criteria = "safe-to-run" [[exemptions.anstream]] -version = "0.6.18" +version = "1.0.0" criteria = "safe-to-deploy" [[exemptions.anstyle]] -version = "1.0.10" +version = "1.0.14" criteria = "safe-to-deploy" [[exemptions.anstyle-parse]] -version = "0.2.6" +version = "1.0.0" criteria = "safe-to-deploy" [[exemptions.anstyle-query]] -version = "1.1.2" +version = "1.1.5" criteria = "safe-to-deploy" [[exemptions.anstyle-wincon]] -version = "3.0.7" +version = "3.0.11" criteria = "safe-to-deploy" [[exemptions.anyhow]] -version = "1.0.98" +version = "1.0.102" +criteria = "safe-to-deploy" + +[[exemptions.ar_archive_writer]] +version = "0.5.1" criteria = "safe-to-deploy" [[exemptions.assert_tv]] -version = "0.6.5" +version = "0.6.6" criteria = "safe-to-deploy" [[exemptions.assert_tv_macros]] -version = "0.6.5" +version = "0.6.6" criteria = "safe-to-deploy" [[exemptions.atomic-polyfill]] version = "1.0.3" criteria = "safe-to-deploy" -[[exemptions.backtrace]] -version = "0.3.74" +[[exemptions.autocfg]] +version = "1.5.1" criteria = "safe-to-deploy" +[[exemptions.backtrace]] +version = "0.3.76" +criteria = "safe-to-run" + [[exemptions.base64ct]] -version = "1.6.0" +version = "1.8.3" criteria = "safe-to-deploy" [[exemptions.bincode]] version = "1.3.3" criteria = "safe-to-run" +[[exemptions.bindgen]] +version = "0.71.1" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "2.13.0" +criteria = "safe-to-deploy" + [[exemptions.blake2]] version = "0.10.6" criteria = "safe-to-deploy" @@ -110,11 +122,11 @@ version = "0.1.4" criteria = "safe-to-deploy" [[exemptions.bytes]] -version = "1.10.0" +version = "1.7.1" criteria = "safe-to-deploy" [[exemptions.cc]] -version = "1.2.15" +version = "1.2.63" criteria = "safe-to-deploy" [[exemptions.chacha20]] 
@@ -130,39 +142,39 @@ version = "1.8.1" criteria = "safe-to-deploy" [[exemptions.clap]] -version = "4.5.30" +version = "4.6.1" criteria = "safe-to-deploy" [[exemptions.clap_builder]] -version = "4.5.30" +version = "4.6.0" criteria = "safe-to-deploy" [[exemptions.clap_complete]] -version = "4.5.45" +version = "4.6.5" criteria = "safe-to-deploy" [[exemptions.clap_derive]] -version = "4.5.28" +version = "4.6.1" criteria = "safe-to-deploy" [[exemptions.clap_lex]] -version = "0.7.4" +version = "1.1.0" criteria = "safe-to-deploy" [[exemptions.clap_mangen]] -version = "0.2.29" +version = "0.2.33" criteria = "safe-to-deploy" [[exemptions.cmake]] -version = "0.1.54" +version = "0.1.58" criteria = "safe-to-deploy" [[exemptions.colorchoice]] -version = "1.0.3" +version = "1.0.5" criteria = "safe-to-deploy" [[exemptions.command-fds]] -version = "0.2.3" +version = "0.3.3" criteria = "safe-to-deploy" [[exemptions.cpufeatures]] @@ -173,10 +185,6 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-run" -[[exemptions.criterion-plot]] -version = "0.5.0" -criteria = "safe-to-run" - [[exemptions.critical-section]] version = "1.2.0" criteria = "safe-to-deploy" @@ -189,8 +197,12 @@ criteria = "safe-to-run" version = "0.8.20" criteria = "safe-to-run" -[[exemptions.ctrlc-async]] -version = "3.2.2" +[[exemptions.crypto-common]] +version = "0.1.7" +criteria = "safe-to-deploy" + +[[exemptions.ctrlc]] +version = "3.5.2" criteria = "safe-to-deploy" [[exemptions.curve25519-dalek]] @@ -206,7 +218,7 @@ version = "0.12.4" criteria = "safe-to-deploy" [[exemptions.darling]] -version = "0.20.10" +version = "0.20.11" criteria = "safe-to-deploy" [[exemptions.darling_core]] @@ -214,7 +226,7 @@ version = "0.12.4" criteria = "safe-to-deploy" [[exemptions.darling_core]] -version = "0.20.10" +version = "0.20.11" criteria = "safe-to-deploy" [[exemptions.darling_macro]] 
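Review bot: In the `@@ -189,8 +197,12 @@` hunk `crypto-common` 0.1.7 is added as a `safe-to-deploy` exemption, while the `imports.lock` part of this patch removes the imported bytecode-alliance audit of `crypto-common` 0.1.3, so the crate appears to move from audit-backed to exempted in a bot-authored commit. The `futures`, `futures-channel`, `futures-core`, `futures-executor`, `futures-io`, `futures-macro` and `futures-sink` 0.3.32 entries in the `@@ -257,20 +265,68 @@` hunk follow the same pattern: the imported audits that reached 0.3.31 are dropped from `imports.lock` and the whole new version is exempted instead. Recording a delta audit in `supply-chain/audits.toml` (for example `delta = "0.3.31 -> 0.3.32"`, after reading `cargo vet diff futures-core 0.3.31 0.3.32`) would keep the imported audit chain in use and leave only the increment unreviewed. Regenerated exemptions that add new crates, rather than bump existing ones, are worth a human look before merge.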
@@ -225,10 +237,6 @@ criteria = "safe-to-deploy" version = "0.20.10" criteria = "safe-to-deploy" -[[exemptions.derive_arbitrary]] -version = "1.4.1" -criteria = "safe-to-deploy" - [[exemptions.derive_builder]] version = "0.10.2" criteria = "safe-to-deploy" @@ -257,20 +265,68 @@ criteria = "safe-to-deploy" version = "0.10.7" criteria = "safe-to-deploy" +[[exemptions.dispatch2]] +version = "0.3.1" +criteria = "safe-to-deploy" + +[[exemptions.doc-comment]] +version = "0.3.4" +criteria = "safe-to-run" + +[[exemptions.env_filter]] +version = "1.0.1" +criteria = "safe-to-deploy" + [[exemptions.env_logger]] -version = "0.10.2" +version = "0.11.10" +criteria = "safe-to-deploy" + +[[exemptions.fastrand]] +version = "2.4.1" +criteria = "safe-to-deploy" + +[[exemptions.find-msvc-tools]] +version = "0.1.9" criteria = "safe-to-deploy" [[exemptions.findshlibs]] version = "0.10.2" criteria = "safe-to-run" +[[exemptions.futures]] +version = "0.3.32" +criteria = "safe-to-deploy" + +[[exemptions.futures-channel]] +version = "0.3.32" +criteria = "safe-to-deploy" + +[[exemptions.futures-core]] +version = "0.3.32" +criteria = "safe-to-deploy" + +[[exemptions.futures-executor]] +version = "0.3.32" +criteria = "safe-to-deploy" + +[[exemptions.futures-io]] +version = "0.3.32" +criteria = "safe-to-deploy" + +[[exemptions.futures-macro]] +version = "0.3.32" +criteria = "safe-to-deploy" + +[[exemptions.futures-sink]] +version = "0.3.32" +criteria = "safe-to-deploy" + [[exemptions.futures-task]] -version = "0.3.31" +version = "0.3.32" criteria = "safe-to-deploy" [[exemptions.futures-util]] -version = "0.3.31" +version = "0.3.32" criteria = "safe-to-deploy" [[exemptions.generic-array]] 
@@ -278,13 +334,21 @@ version = "0.14.7" criteria = "safe-to-deploy" [[exemptions.genetlink]] -version = "0.2.5" +version = "0.2.6" criteria = "safe-to-deploy" [[exemptions.getrandom]] version = "0.2.15" criteria = "safe-to-deploy" +[[exemptions.getrandom]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.half]] +version = "2.7.1" +criteria = "safe-to-run" + [[exemptions.hash32]] version = "0.2.1" criteria = "safe-to-deploy" @@ -293,38 +357,10 @@ criteria = "safe-to-deploy" version = "0.15.2" criteria = "safe-to-deploy" -[[exemptions.hax-lib]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.hax-lib]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.hax-lib-macros]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.hax-lib-macros]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.hax-lib-macros-types]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.hax-lib-macros-types]] -version = "0.2.0" -criteria = "safe-to-deploy" - [[exemptions.heapless]] version = "0.7.17" criteria = "safe-to-deploy" -[[exemptions.hermit-abi]] -version = "0.4.0" -criteria = "safe-to-deploy" - [[exemptions.hex-literal]] version = "0.4.1" criteria = "safe-to-deploy" 
@@ -333,72 +369,72 @@ criteria = "safe-to-deploy" version = "0.5.9" criteria = "safe-to-deploy" -[[exemptions.humantime]] -version = "2.1.0" +[[exemptions.id-arena]] +version = "2.3.0" criteria = "safe-to-deploy" -[[exemptions.io-uring]] -version = "0.7.9" +[[exemptions.indexmap]] +version = "2.14.0" criteria = "safe-to-deploy" [[exemptions.ipc-channel]] version = "0.18.3" criteria = "safe-to-run" -[[exemptions.is-terminal]] -version = "0.4.15" -criteria = "safe-to-deploy" - [[exemptions.is_terminal_polyfill]] version = "1.70.1" criteria = "safe-to-deploy" +[[exemptions.itertools]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.itoa]] +version = "1.0.18" +criteria = "safe-to-deploy" + +[[exemptions.jiff]] +version = "0.2.28" +criteria = "safe-to-deploy" + +[[exemptions.jiff-static]] +version = "0.2.28" +criteria = "safe-to-deploy" + [[exemptions.jobserver]] -version = "0.1.32" +version = "0.1.34" criteria = "safe-to-deploy" [[exemptions.js-sys]] -version = "0.3.77" -criteria = "safe-to-deploy" - -[[exemptions.keccak]] -version = "0.1.5" -criteria = "safe-to-deploy" - -[[exemptions.lazycell]] -version = "1.3.0" -criteria = "safe-to-deploy" +version = "0.3.99" +criteria = "safe-to-run" [[exemptions.libc]] -version = "0.2.174" +version = "0.2.186" criteria = "safe-to-deploy" [[exemptions.libfuzzer-sys]] -version = "0.4.10" -criteria = "safe-to-deploy" - -[[exemptions.libjade-sys]] -version = "0.0.2-pre.2" +version = "0.4.13" criteria = "safe-to-deploy" [[exemptions.libloading]] -version = "0.8.6" +version = "0.8.9" criteria = "safe-to-deploy" [[exemptions.linux-raw-sys]] -version = "0.4.15" +version = "0.12.1" criteria = "safe-to-deploy" [[exemptions.lock_api]] -version = "0.4.12" +version = "0.4.14" +criteria = "safe-to-deploy" + +[[exemptions.log]] +version = "0.4.32" criteria = "safe-to-deploy" [[exemptions.memchr]] -version = "2.7.4" -criteria = "safe-to-deploy" - -[[exemptions.memoffset]] -version = "0.6.5" +version = "2.8.1" criteria = 
"safe-to-deploy" [[exemptions.memoffset]] @@ -414,11 +450,11 @@ version = "0.2.1" criteria = "safe-to-deploy" [[exemptions.mio]] -version = "1.0.3" +version = "1.2.1" criteria = "safe-to-deploy" [[exemptions.neli]] -version = "0.6.3" +version = "0.6.5" criteria = "safe-to-deploy" [[exemptions.neli-proc-macros]] @@ -429,8 +465,12 @@ criteria = "safe-to-deploy" version = "0.7.0" criteria = "safe-to-deploy" +[[exemptions.netlink-packet-core]] +version = "0.8.1" +criteria = "safe-to-deploy" + [[exemptions.netlink-packet-generic]] -version = "0.3.3" +version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.netlink-packet-route]] 
@@ -442,55 +482,67 @@ version = "0.5.2" criteria = "safe-to-deploy" [[exemptions.netlink-packet-wireguard]] -version = "0.2.3" +version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.netlink-proto]] version = "0.11.5" criteria = "safe-to-deploy" -[[exemptions.netlink-sys]] -version = "0.8.7" +[[exemptions.netlink-proto]] +version = "0.12.0" criteria = "safe-to-deploy" -[[exemptions.nix]] -version = "0.23.2" +[[exemptions.netlink-sys]] +version = "0.8.8" criteria = "safe-to-deploy" [[exemptions.nix]] version = "0.27.1" criteria = "safe-to-deploy" -[[exemptions.num-bigint]] -version = "0.4.6" +[[exemptions.nix]] +version = "0.31.3" +criteria = "safe-to-deploy" + +[[exemptions.objc2]] +version = "0.6.4" criteria = "safe-to-deploy" [[exemptions.object]] -version = "0.36.7" +version = "0.36.0" criteria = "safe-to-deploy" [[exemptions.once_cell]] version = "1.20.2" criteria = "safe-to-deploy" +[[exemptions.once_cell_polyfill]] +version = "1.70.2" +criteria = "safe-to-deploy" + [[exemptions.oqs-sys]] -version = "0.9.1+liboqs-0.9.0" +version = "0.11.0+liboqs-0.13.0" criteria = "safe-to-deploy" [[exemptions.parking_lot]] -version = "0.12.3" +version = "0.12.5" criteria = "safe-to-deploy" [[exemptions.parking_lot_core]] -version = "0.9.10" +version = "0.9.12" criteria = "safe-to-deploy" [[exemptions.paste]] version = "1.0.15" criteria = "safe-to-deploy" +[[exemptions.pin-project-lite]] +version = "0.2.17" +criteria = "safe-to-deploy" + [[exemptions.pkg-config]] -version = "0.3.31" +version = "0.3.33" criteria = "safe-to-deploy" [[exemptions.plotters]] 
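Review bot: The `oqs-sys` exemption in this hunk is carried from `0.9.1+liboqs-0.9.0` to `0.11.0+liboqs-0.13.0` at `safe-to-deploy`, which by its version metadata moves the bundled liboqs from 0.9.0 to 0.13.0 with no audit record behind it. An exemption states only that this version has not been reviewed, and for a crate that presumably supplies the project's post-quantum primitives this is the entry most in need of a human sign-off. If a full audit is not feasible now, a `notes` field on the entry, such as `notes = "liboqs 0.9.0 -> 0.13.0 changelog reviewed by <reviewer>"`, would at least record that the jump was looked at.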
@@ -509,20 +561,16 @@ criteria = "safe-to-run" version = "0.8.0" criteria = "safe-to-deploy" -[[exemptions.postcard]] -version = "1.1.1" +[[exemptions.portable-atomic]] +version = "1.13.1" criteria = "safe-to-deploy" -[[exemptions.ppv-lite86]] -version = "0.2.20" +[[exemptions.portable-atomic-util]] +version = "0.2.7" criteria = "safe-to-deploy" [[exemptions.prettyplease]] -version = "0.2.29" -criteria = "safe-to-deploy" - -[[exemptions.proc-macro-error]] -version = "1.0.4" +version = "0.2.37" criteria = "safe-to-deploy" [[exemptions.procspawn]] @@ -530,15 +578,27 @@ version = "1.0.1" criteria = "safe-to-run" [[exemptions.psm]] -version = "0.1.25" +version = "0.1.31" criteria = "safe-to-deploy" -[[exemptions.rand]] -version = "0.9.0" +[[exemptions.r-efi]] +version = "5.2.0" criteria = "safe-to-deploy" +[[exemptions.r-efi]] +version = "6.0.0" +criteria = "safe-to-deploy" + +[[exemptions.rand_core]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.rayon]] +version = "1.12.0" +criteria = "safe-to-run" + [[exemptions.redox_syscall]] -version = "0.5.9" +version = "0.5.18" criteria = "safe-to-deploy" [[exemptions.regex]] 
@@ -549,36 +609,48 @@ criteria = "safe-to-deploy" version = "0.4.9" criteria = "safe-to-deploy" +[[exemptions.regex-syntax]] +version = "0.8.10" +criteria = "safe-to-deploy" + [[exemptions.roff]] -version = "0.2.2" +version = "1.1.1" criteria = "safe-to-deploy" [[exemptions.rtnetlink]] version = "0.14.1" criteria = "safe-to-deploy" -[[exemptions.rustix]] -version = "0.38.44" +[[exemptions.rustc-demangle]] +version = "0.1.27" +criteria = "safe-to-run" + +[[exemptions.rustc-hash]] +version = "2.1.2" criteria = "safe-to-deploy" -[[exemptions.scc]] -version = "2.3.3" -criteria = "safe-to-run" +[[exemptions.rustix]] +version = "1.1.4" +criteria = "safe-to-deploy" + +[[exemptions.ryu]] +version = "1.0.23" +criteria = "safe-to-deploy" [[exemptions.scopeguard]] version = "1.2.0" criteria = "safe-to-deploy" -[[exemptions.sdd]] -version = "3.0.7" -criteria = "safe-to-run" +[[exemptions.semver]] +version = "1.0.28" +criteria = "safe-to-deploy" [[exemptions.serde_json]] -version = "1.0.140" +version = "1.0.150" criteria = "safe-to-deploy" [[exemptions.serde_spanned]] -version = "0.6.8" +version = "1.1.1" criteria = "safe-to-deploy" [[exemptions.serde_yaml]] 
@@ -586,39 +658,51 @@ version = "0.9.34+deprecated" criteria = "safe-to-deploy" [[exemptions.serial_test]] -version = "3.2.0" +version = "3.5.0" criteria = "safe-to-run" [[exemptions.serial_test_derive]] -version = "3.2.0" +version = "3.5.0" criteria = "safe-to-run" +[[exemptions.sha3]] +version = "0.10.9" +criteria = "safe-to-deploy" + +[[exemptions.shlex]] +version = "2.0.1" +criteria = "safe-to-deploy" + [[exemptions.signal-hook]] version = "0.3.18" criteria = "safe-to-deploy" [[exemptions.signal-hook-mio]] -version = "0.2.4" +version = "0.2.5" criteria = "safe-to-deploy" [[exemptions.signal-hook-registry]] -version = "1.4.2" +version = "1.4.8" criteria = "safe-to-deploy" [[exemptions.slab]] -version = "0.4.9" +version = "0.4.12" criteria = "safe-to-deploy" [[exemptions.socket2]] -version = "0.6.0" +version = "0.6.4" criteria = "safe-to-deploy" [[exemptions.spin]] version = "0.9.8" criteria = "safe-to-deploy" +[[exemptions.stable_deref_trait]] +version = "1.2.1" +criteria = "safe-to-deploy" + [[exemptions.stacker]] -version = "0.1.21" +version = "0.1.24" criteria = "safe-to-deploy" [[exemptions.syn]] @@ -626,7 +710,7 @@ version = "1.0.109" criteria = "safe-to-deploy" [[exemptions.syn]] -version = "2.0.98" +version = "2.0.117" criteria = "safe-to-deploy" [[exemptions.take-until]] @@ -634,11 +718,7 @@ version = "0.1.0" criteria = "safe-to-deploy" [[exemptions.tempfile]] -version = "3.17.1" -criteria = "safe-to-deploy" - -[[exemptions.termcolor]] -version = "1.4.1" +version = "3.3.0" criteria = "safe-to-deploy" [[exemptions.test_bin]] 
@@ -646,35 +726,39 @@ version = "0.4.0" criteria = "safe-to-run" [[exemptions.thiserror]] -version = "2.0.11" +version = "2.0.17" criteria = "safe-to-deploy" [[exemptions.thiserror-impl]] -version = "2.0.11" +version = "2.0.17" criteria = "safe-to-deploy" [[exemptions.tokio]] -version = "1.47.0" +version = "1.52.3" criteria = "safe-to-deploy" [[exemptions.tokio-macros]] -version = "2.5.0" +version = "2.7.0" criteria = "safe-to-deploy" [[exemptions.toml]] -version = "0.7.8" +version = "1.1.2+spec-1.1.0" criteria = "safe-to-deploy" [[exemptions.toml_datetime]] -version = "0.6.8" +version = "1.1.1+spec-1.1.0" criteria = "safe-to-deploy" -[[exemptions.toml_edit]] -version = "0.19.15" +[[exemptions.toml_parser]] +version = "1.1.2+spec-1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.toml_writer]] +version = "1.1.1+spec-1.1.0" criteria = "safe-to-deploy" [[exemptions.typenum]] -version = "1.18.0" +version = "1.20.1" criteria = "safe-to-deploy" [[exemptions.uds]] @@ -682,7 +766,7 @@ version = "0.4.2@git:b47934fe52422e559f7278938875f9105f91c5a2" criteria = "safe-to-deploy" [[exemptions.unicode-ident]] -version = "1.0.17" +version = "1.0.24" criteria = "safe-to-deploy" [[exemptions.unsafe-libyaml]] @@ -690,8 +774,8 @@ version = "0.2.11" criteria = "safe-to-deploy" [[exemptions.uuid]] -version = "1.14.0" -criteria = "safe-to-deploy" +version = "1.23.2" +criteria = "safe-to-run" [[exemptions.version_check]] version = "0.9.5" 
@@ -705,53 +789,33 @@ criteria = "safe-to-run" version = "0.11.0+wasi-snapshot-preview1" criteria = "safe-to-deploy" -[[exemptions.wasi]] -version = "0.13.3+wasi-0.2.2" -criteria = "safe-to-deploy" - [[exemptions.wasm-bindgen]] -version = "0.2.100" -criteria = "safe-to-deploy" - -[[exemptions.wasm-bindgen-backend]] -version = "0.2.100" -criteria = "safe-to-deploy" - -[[exemptions.wasm-bindgen-macro]] -version = "0.2.100" -criteria = "safe-to-deploy" - -[[exemptions.wasm-bindgen-macro-support]] -version = "0.2.100" -criteria = "safe-to-deploy" - -[[exemptions.wasm-bindgen-shared]] -version = "0.2.100" -criteria = "safe-to-deploy" - -[[exemptions.web-sys]] -version = "0.3.77" +version = "0.2.122" criteria = "safe-to-run" -[[exemptions.which]] -version = "4.4.2" -criteria = "safe-to-deploy" +[[exemptions.wasm-bindgen-macro]] +version = "0.2.122" +criteria = "safe-to-run" -[[exemptions.winapi]] -version = "0.3.9" -criteria = "safe-to-deploy" +[[exemptions.wasm-bindgen-macro-support]] +version = "0.2.122" +criteria = "safe-to-run" + +[[exemptions.wasm-bindgen-shared]] +version = "0.2.122" +criteria = "safe-to-run" + +[[exemptions.web-sys]] +version = "0.3.99" +criteria = "safe-to-run" [[exemptions.winapi-i686-pc-windows-gnu]] version = "0.4.0" -criteria = "safe-to-deploy" - -[[exemptions.winapi-util]] -version = "0.1.9" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.winapi-x86_64-pc-windows-gnu]] version = "0.4.0" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows]] version = "0.58.0" @@ -790,7 +854,7 @@ version = "0.52.0" criteria = "safe-to-deploy" [[exemptions.windows-sys]] -version = "0.59.0" +version = "0.61.2" criteria = "safe-to-deploy" [[exemptions.windows-targets]] @@ -799,7 +863,7 @@ criteria = "safe-to-deploy" [[exemptions.windows-targets]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows-targets]] version = "0.52.6" 
@@ -811,7 +875,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_aarch64_gnullvm]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_aarch64_gnullvm]] version = "0.52.6" @@ -823,7 +887,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_aarch64_msvc]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_aarch64_msvc]] version = "0.52.6" @@ -835,7 +899,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_i686_gnu]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_i686_gnu]] version = "0.52.6" @@ -851,7 +915,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_i686_msvc]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_i686_msvc]] version = "0.52.6" @@ -863,7 +927,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_x86_64_gnu]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_x86_64_gnu]] version = "0.52.6" @@ -875,7 +939,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_x86_64_gnullvm]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_x86_64_gnullvm]] version = "0.52.6" @@ -887,18 +951,18 @@ criteria = "safe-to-deploy" [[exemptions.windows_x86_64_msvc]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_x86_64_msvc]] version = "0.52.6" criteria = "safe-to-deploy" [[exemptions.winnow]] -version = "0.5.40" +version = "1.0.3" criteria = "safe-to-deploy" [[exemptions.wireguard-uapi]] -version = "3.0.0" +version = "3.0.1" criteria = "safe-to-deploy" [[exemptions.x25519-dalek]] 
@@ -910,15 +974,23 @@ version = "0.7.35" criteria = "safe-to-deploy" [[exemptions.zerocopy]] -version = "0.8.24" -criteria = "safe-to-deploy" +version = "0.8.50" +criteria = "safe-to-run" [[exemptions.zerocopy-derive]] version = "0.7.35" criteria = "safe-to-deploy" [[exemptions.zerocopy-derive]] -version = "0.8.24" +version = "0.8.50" +criteria = "safe-to-run" + +[[exemptions.zeroize_derive]] +version = "1.4.3" +criteria = "safe-to-deploy" + +[[exemptions.zmij]] +version = "1.0.21" criteria = "safe-to-deploy" [[exemptions.zstd]] @@ -930,5 +1002,5 @@ version = "7.2.4" criteria = "safe-to-deploy" [[exemptions.zstd-sys]] -version = "2.0.15+zstd.1.5.7" +version = "2.0.16+zstd.1.5.7" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 8fcb232c..15ac66a6 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,9 +1,16 @@ # cargo-vet imports lock +[[publisher.arbitrary]] +version = "1.4.2" +when = "2025-08-14" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + [[publisher.bumpalo]] -version = "3.17.0" -when = "2025-01-28" +version = "3.20.3" +when = "2026-05-22" user-id = 696 user-login = "fitzgen" user-name = "Nick Fitzgerald" 
@@ -15,14 +22,95 @@ user-id = 3788 user-login = "emilio" user-name = "Emilio Cobos Álvarez" -[[publisher.wit-bindgen-rt]] -version = "0.33.0" -when = "2024-09-30" +[[publisher.derive_arbitrary]] +version = "1.4.2" +when = "2025-08-14" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + +[[publisher.unicode-xid]] +version = "0.2.6" +when = "2024-09-19" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.wasip2]] +version = "1.0.3+wasi-0.2.9" +when = "2026-04-17" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasip3]] +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +when = "2026-01-15" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasm-encoder]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wasm-metadata]] +version = "0.236.0" +when = "2025-07-28" user-id = 73222 user-login = "wasmtime-publish" +[[publisher.wasmparser]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wit-bindgen]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen]] +version = "0.57.1" +when = "2026-04-17" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-core]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-rust]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-rust-macro]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-component]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wit-parser]] +version = "0.244.0" +when = 
"2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + [audits.actix.audits] +[[audits.bytecode-alliance.wildcard-audits.arbitrary]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2020-01-14" +end = "2026-08-21" +notes = "I am an author of this crate." + [[audits.bytecode-alliance.wildcard-audits.bumpalo]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" @@ -30,7 +118,43 @@ user-id = 696 # Nick Fitzgerald (fitzgen) start = "2019-03-16" end = "2026-08-21" -[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rt]] +[[audits.bytecode-alliance.wildcard-audits.derive_arbitrary]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2020-01-14" +end = "2026-08-21" +notes = "I am an author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wasip2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-08-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasip3]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-09-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wasm-metadata]] who = "Alex Crichton " criteria = "safe-to-deploy" user-id = 73222 # wasmtime-publish 
@@ -42,6 +166,97 @@ publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """ +[[audits.bytecode-alliance.wildcard-audits.wasmparser]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-core]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-12" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust-macro]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-component]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-parser]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = 
"github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.19.0 -> 0.20.0" +notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update." + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.21.0" +notes = "This version bump updated some dependencies and optimized some internals. All looks good." + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.21.0 -> 0.22.0" + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.22.0 -> 0.24.1" +notes = "Lots of internal code refactorings and code movement. Nothing out of place however." + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.24.1 -> 0.25.0" +notes = "All minor changes, even a net reduction of `unsafe`." + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.25.1" +notes = "Minor updates, looks like a minor bug fix, nothing awry." + [[audits.bytecode-alliance.audits.adler2]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -54,11 +269,6 @@ criteria = "safe-to-deploy" version = "0.1.6" notes = "Contains no unsafe code, no IO, no build.rs." -[[audits.bytecode-alliance.audits.arbitrary]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -version = "1.4.1" - [[audits.bytecode-alliance.audits.base64]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -70,34 +280,6 @@ who = "Andrew Brown " criteria = "safe-to-deploy" delta = "0.21.3 -> 0.22.1" -[[audits.bytecode-alliance.audits.bitflags]] -who = "Jamey Sharp " -criteria = "safe-to-deploy" -delta = "2.1.0 -> 2.2.1" -notes = """ -This version adds unsafe impls of traits from the bytemuck crate when built -with that library enabled, but I believe the impls satisfy the documented -safety requirements for bytemuck. The other changes are minor. -""" - -[[audits.bytecode-alliance.audits.bitflags]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "2.3.2 -> 2.3.3" -notes = """ -Nothing outside the realm of what one would expect from a bitflags generator, -all as expected. -""" - -[[audits.bytecode-alliance.audits.bitflags]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "2.4.1 -> 2.6.0" -notes = """ -Changes in how macros are invoked and various bits and pieces of macro-fu. -Otherwise no major changes and nothing dealing with `unsafe`. -""" - [[audits.bytecode-alliance.audits.block-buffer]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" @@ -121,17 +303,18 @@ criteria = "safe-to-deploy" version = "0.2.3" notes = "No `unsafe` code in the crate and no usage of `std`" +[[audits.bytecode-alliance.audits.cobs]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.3 -> 0.3.0" +notes = "Nothing out of the ordinary, virtually no unsafe code." + [[audits.bytecode-alliance.audits.crossbeam-epoch]] who = "Alex Crichton " criteria = "safe-to-deploy" delta = "0.9.15 -> 0.9.18" notes = "Nontrivial update but mostly around dependencies and how `unsafe` code is managed. Everything looks the same shape as before." -[[audits.bytecode-alliance.audits.crypto-common]] -who = "Benjamin Bouvier " -criteria = "safe-to-deploy" -version = "0.1.3" - [[audits.bytecode-alliance.audits.embedded-io]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -161,66 +344,34 @@ who = "Dan Gohman " criteria = "safe-to-deploy" delta = "0.3.9 -> 0.3.10" -[[audits.bytecode-alliance.audits.fastrand]] +[[audits.bytecode-alliance.audits.foldhash]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "2.0.0 -> 2.0.1" +version = "0.1.3" notes = """ -This update had a few doc updates but no otherwise-substantial source code -updates. +Only a minor amount of `unsafe` code in this crate related to global per-process +initialization which looks correct to me. """ -[[audits.bytecode-alliance.audits.fastrand]] +[[audits.bytecode-alliance.audits.getrandom]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "2.1.1 -> 2.3.0" -notes = "Minor refactoring, nothing new." +delta = "0.4.1 -> 0.4.2" +notes = "Nothing awry in this update, standard updates for some platforms and other misc things." -[[audits.bytecode-alliance.audits.futures]] -who = "Joel Dice " +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.3.31" +delta = "0.27.3 -> 0.28.0" +notes = """ +Still looks like a good DWARF-parsing crate, nothing major was added or deleted +and no `unsafe` code to review here. +""" -[[audits.bytecode-alliance.audits.futures-channel]] -who = "Joel Dice " +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.3.31" - -[[audits.bytecode-alliance.audits.futures-core]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." 
- -[[audits.bytecode-alliance.audits.futures-core]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "0.3.28 -> 0.3.31" - -[[audits.bytecode-alliance.audits.futures-executor]] -who = "Joel Dice " -criteria = "safe-to-deploy" -version = "0.3.31" - -[[audits.bytecode-alliance.audits.futures-io]] -who = "Joel Dice " -criteria = "safe-to-deploy" -version = "0.3.31" - -[[audits.bytecode-alliance.audits.futures-macro]] -who = "Joel Dice " -criteria = "safe-to-deploy" -version = "0.3.31" - -[[audits.bytecode-alliance.audits.futures-sink]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" - -[[audits.bytecode-alliance.audits.futures-sink]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "0.3.28 -> 0.3.31" +delta = "0.28.0 -> 0.29.0" [[audits.bytecode-alliance.audits.gimli]] who = "Alex Crichton " @@ -234,6 +385,18 @@ criteria = "safe-to-deploy" delta = "0.31.0 -> 0.31.1" notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!" +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.31.1 -> 0.32.0" +notes = "Ever more DWARF to parse, but also no new `unsafe` and everything looks like gimli." + +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.32.0 -> 0.32.3" +notes = "Ever more dwarf, it never ends! (nothing out of the ordinary)" + [[audits.bytecode-alliance.audits.heck]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -246,16 +409,11 @@ criteria = "safe-to-deploy" version = "0.1.3" notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads." -[[audits.bytecode-alliance.audits.itoa]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -delta = "1.0.11 -> 1.0.14" - -[[audits.bytecode-alliance.audits.log]] +[[audits.bytecode-alliance.audits.leb128fmt]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.4.22 -> 0.4.27" -notes = "Lots of minor updates to macros and such, nothing touching `unsafe`" +version = "0.1.0" +notes = "Well-scoped crate do doing LEB encoding with no `unsafe` code and does what it says on the tin." [[audits.bytecode-alliance.audits.miniz_oxide]] who = "Alex Crichton " 
@@ -287,45 +445,56 @@ idioms. No new `unsafe` code and everything looks like what you'd expect a compression library to be doing. """ +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.8.5 -> 0.8.9" +notes = "No new unsafe code, just refactorings." + [[audits.bytecode-alliance.audits.num-traits]] who = "Andrew Brown " criteria = "safe-to-deploy" version = "0.2.19" notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." -[[audits.bytecode-alliance.audits.peeking_take_while]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -version = "1.0.0" -notes = "I am the author of this crate." - -[[audits.bytecode-alliance.audits.pin-project-lite]] +[[audits.bytecode-alliance.audits.object]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.13 -> 0.2.14" -notes = "No substantive changes in this update" +delta = "0.36.0 -> 0.36.5" +notes = "No new unsafe code, lots of new relocations/objects support, everything looks nominal" -[[audits.bytecode-alliance.audits.pin-utils]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.1.0" - -[[audits.bytecode-alliance.audits.rustc-demangle]] +[[audits.bytecode-alliance.audits.object]] who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.1.21" -notes = "I am the author of this crate." +delta = "0.36.5 -> 0.37.1" +notes = "New object file formats, new formatting, new other minor changes, no new `unsafe`." -[[audits.bytecode-alliance.audits.rustc-demangle]] +[[audits.bytecode-alliance.audits.object]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.1.21 -> 0.1.24" +delta = "0.37.1 -> 0.37.3" +notes = "Lots of new support for new object features, no new unsafe or anything suspicious." 
-[[audits.bytecode-alliance.audits.semver]] -who = "Pat Hickey " +[[audits.bytecode-alliance.audits.postcard]] +who = "Alex Crichton " criteria = "safe-to-deploy" -version = "1.0.17" -notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct" +version = "1.0.8" +notes = """ +I've audited the unsafe code to do what it looks like it's doing. Otherwise the +crate is a standard serializer/deserializer crate. +""" + +[[audits.bytecode-alliance.audits.postcard]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.8 -> 1.1.3" +notes = "Substantial updates, but nothing out of the ordinary one would expect from a serialization crate. Minor `unsafe` updates, but nothing major from what was already there." + +[[audits.bytecode-alliance.audits.rand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.10.1" +notes = "Minor logging-based updated fixing a recent advisory for the crate." [[audits.bytecode-alliance.audits.shlex]] who = "Alex Crichton " 
@@ -333,12 +502,88 @@ criteria = "safe-to-deploy" version = "1.1.0" notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin." +[[audits.bytecode-alliance.audits.smallvec]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.13.2 -> 1.14.0" +notes = "Minor new feature, nothing out of the ordinary." + [[audits.bytecode-alliance.audits.static_assertions]] who = "Andrew Brown " criteria = "safe-to-deploy" version = "1.1.0" notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure." +[[audits.bytecode-alliance.audits.tempfile]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.5.0" + +[[audits.bytecode-alliance.audits.tempfile]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "3.5.0 -> 3.6.0" +notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." 
+ +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.236.0 -> 0.237.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.237.0 -> 0.238.1" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.238.1 -> 0.239.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.239.0 -> 0.240.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.240.0 -> 0.241.2" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.241.2 -> 0.242.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.242.0 -> 0.243.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.243.0 -> 0.244.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.zeroize]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.8.2" + +[[audits.embark-studios.audits.cfg_aliases]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "No unsafe usage or ambient capabilities" + [[audits.embark-studios.audits.ident_case]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -363,40 +608,13 @@ criteria = "safe-to-deploy" version = "0.2.1" notes = "Single unsafe usage that looks sound, no ambient capabilities" -[[audits.fermyon.audits.oorandom]] -who = "Radu Matei " +[audits.fermyon.audits] + +[[audits.google.audits.addr2line]] +who = "George Burgess IV " criteria = "safe-to-run" -version = "11.1.3" - -[[audits.google.audits.autocfg]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -version = "1.4.0" -notes = "Contains no unsafe" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.bitflags]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -version = "1.3.2" -notes = """ -Security review of earlier versions of the crate can be found at -(Google-internal, sorry): go/image-crate-chromium-security-review - -The crate exposes a function marked as `unsafe`, but doesn't use any -`unsafe` blocks (except for tests of the single `unsafe` function). I -think this justifies marking this crate as `ub-risk-1`. - -Additional review comments can be found at https://crrev.com/c/4723145/31 -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.bitflags]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -delta = "2.6.0 -> 2.8.0" -notes = "No changes related to `unsafe impl ... bytemuck` pieces from `src/external.rs`." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +version = "0.19.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.byteorder]] who = "danakj " 
@@ -460,6 +678,27 @@ version = "1.13.0" notes = "Unsafe code pertaining to wrapping Pin APIs. Mostly passes invariants down." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.either]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.13.0 -> 1.14.0" +notes = """ +Inheriting ub-risk-1 from the baseline review of 1.13.0. While the delta has some diffs in unsafe code, they are either: +- migrating code to use helper macros +- migrating match patterns to take advantage of default bindings mode from RFC 2005 +Either way, the result is code that does exactly the same thing and does not change the risk of UB. + +See https://crrev.com/c/6323164 for more audit details. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.either]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.14.0 -> 1.15.0" +notes = 'The delta in `lib.rs` only tweaks doc comments and `#[cfg(feature = "std")]`.' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.equivalent]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -473,14 +712,24 @@ delta = "1.0.1 -> 1.0.2" notes = "No changes to any .rs files or Rust code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.fastrand]] -who = "George Burgess IV " +[[audits.google.audits.foldhash]] +who = "Adrian Taylor " criteria = "safe-to-deploy" -version = "1.9.0" -notes = """ -`does-not-implement-crypto` is certified because this crate explicitly says -that the RNG here is not cryptographically secure. -""" +delta = "0.1.3 -> 0.1.4" +notes = "No changes to safety-relevant code" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Chris Palmer " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.5" +notes = "No new `unsafe`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.gimli]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.27.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.glob]] @@ -496,12 +745,6 @@ delta = "0.3.1 -> 0.3.2" notes = "Still no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.half]] -who = "Daniel Verkamp " -criteria = "safe-to-run" -version = "2.4.1" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - [[audits.google.audits.heck]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -515,54 +758,6 @@ https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.indexmap]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -version = "2.7.1" -notes = ''' -Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'` -and there were no hits. - -There is a little bit of `unsafe` Rust code - the audit can be found at -https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2 -''' -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.itertools]] -who = "ChromeOS" -criteria = "safe-to-run" -version = "0.10.5" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - -[[audits.google.audits.itoa]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -version = "1.0.10" -notes = ''' -I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. - -There are a few places where `unsafe` is used. Unsafe review notes can be found -in https://crrev.com/c/5350697. - -Version 1.0.1 of this crate has been added to Chromium in -https://crrev.com/c/3321896. 
-''' -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.itoa]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -delta = "1.0.10 -> 1.0.11" -notes = """ -Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: - -* Bumping up the version -* A touch up of comments -* And my own PR to make `unsafe` blocks more granular: - https://github.com/dtolnay/itoa/pull/42 -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.lazy_static]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" @@ -584,18 +779,6 @@ delta = "1.4.0 -> 1.5.0" notes = "Unsafe review notes: https://crrev.com/c/5650836" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.log]] -who = "danakj " -criteria = "safe-to-deploy" -version = "0.4.22" -notes = """ -Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing - -Unsafety is generally very well-documented, with one exception, which we -describe in the review doc. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.nom]] who = "danakj@chromium.org" criteria = "safe-to-deploy" 
@@ -605,40 +788,43 @@ Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.num-integer]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -version = "0.1.46" -notes = "Contains no unsafe" +[[audits.google.audits.ppv-lite86]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.2.17" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.pin-project-lite]] -who = "David Koloski " -criteria = "safe-to-deploy" -version = "0.2.9" -notes = "Reviewed on https://fxrev.dev/824504" -aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.ppv-lite86]] +who = "danakj " +criteria = "safe-to-run" +delta = "0.2.17 -> 0.2.20" +notes = "Using zerocopy to reduce unsafe usage." 
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.pin-project-lite]] -who = "David Koloski " -criteria = "safe-to-deploy" -delta = "0.2.9 -> 0.2.13" -notes = "Audited at https://fxrev.dev/946396" -aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.proc-macro-error-attr]] -who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "1.0.4" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.ppv-lite86]] +who = "Lukasz Anforowicz " +criteria = "safe-to-run" +delta = "0.2.20 -> 0.2.21" +notes = """ +The delta mostly corresponds to @joshlf's +https://github.com/cryptocorrosion/cryptocorrosion/pull/85 which started +using an undocumented API that `zerocopy` has provided specifically for +`ppv-lite86` in https://github.com/google/zerocopy/pull/2418. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.78" notes = """ -Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits -(except for a benign \"fs\" hit in a doc comment) +Grepped for "crypt", "cipher", "fs", "net" - there were no hits +(except for a benign "fs" hit in a doc comment) Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. """ 
@@ -738,13 +924,20 @@ delta = "1.0.92 -> 1.0.93" notes = "No `unsafe`-related changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.proc-macro2]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.0.93 -> 1.0.94" +notes = "Minor doc changes and clippy lint adjustments+fixes." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.quote]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.35" notes = """ -Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits -(except for benign \"net\" hit in tests and \"fs\" hit in README.md) +Grepped for "unsafe", "crypt", "cipher", "fs", "net" - there were no hits +(except for benign "net" hit in tests and "fs" hit in README.md) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" 
@@ -771,6 +964,23 @@ delta = "1.0.37 -> 1.0.38" notes = "Still no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.quote]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.0.38 -> 1.0.39" +notes = "Only minor changes for clippy lints and documentation." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.quote]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.39 -> 1.0.40" +notes = """ +The delta is just a simplification of how `tokens.extend(...)` call is made. +Still no `unsafe` anywhere. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.rand]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" @@ -798,13 +1008,6 @@ For more detailed unsafe review notes please see https://crrev.com/c/6362797 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.regex-syntax]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -version = "0.8.5" -notes = "Contains no unsafe" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.rustversion]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" @@ -823,7 +1026,7 @@ and there were no hits except for: * Using `unsafe` in a string: ``` - src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe, + src/constfn.rs: "unsafe" => Qualifiers::Unsafe, ``` * Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` 
@@ -866,6 +1069,13 @@ delta = "1.0.18 -> 1.0.19" notes = "No unsafe, just doc changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.rustversion]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.0.19 -> 1.0.20" +notes = "Only minor updates to documentation and the mock today used for testing." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.same-file]] who = "Android Legacy" criteria = "safe-to-run" @@ -993,11 +1203,18 @@ delta = "1.0.217 -> 1.0.218" notes = "No changes outside comments and documentation." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.218 -> 1.0.219" +notes = "Just allowing `clippy::elidable_lifetime_names`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.serde_derive]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.197" -notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +notes = 'Grepped for "unsafe", "crypt", "cipher", "fs", "net" - there were no hits' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde_derive]] 
@@ -1016,7 +1233,7 @@ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_p who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.0.202 -> 1.0.203" -notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +notes = 'Grepped for "unsafe", "crypt", "cipher", "fs", "net" - there were no hits' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde_derive]] @@ -1093,6 +1310,13 @@ delta = "1.0.217 -> 1.0.218" notes = "No changes outside comments and documentation." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.218 -> 1.0.219" +notes = "Minor changes (clippy tweaks, using `mem::take` instead of `mem::replace`)." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.small_ctor]] who = "danakj@chromium.org" criteria = "safe-to-run" 
@@ -1117,27 +1341,6 @@ criteria = "safe-to-deploy" version = "1.13.2" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.smallvec]] -who = "Jonathan Hao " -criteria = "safe-to-deploy" -delta = "1.13.2 -> 1.14.0" -notes = """ -WARNING: This certification is a result of a **partial** audit. The -`malloc_size_of` feature has **not** been audited. This feature does -not explicitly document its safety requirements. -See also https://chromium-review.googlesource.com/c/chromium/src/+/6275133/comment/ea0d7a93_98051a2e/ -and https://github.com/servo/malloc_size_of/issues/8. -This feature is banned in gnrt_config.toml. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.stable_deref_trait]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -version = "1.2.0" -notes = "Purely a trait, crates using this should be carefully vetted since self-referential stuff can be super tricky around various unsafe rust edges." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.strsim]] who = "danakj@chromium.org" criteria = "safe-to-deploy" 
@@ -1155,6 +1358,46 @@ criteria = "safe-to-run" version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.winapi]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.3.9" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.winapi-util]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.1.6" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.winapi-util]] +who = "danakj " +criteria = "safe-to-run" +delta = "0.1.6 -> 0.1.8" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.winapi-util]] +who = "Lukasz Anforowicz " +criteria = "safe-to-run" +delta = "0.1.8 -> 0.1.9" +notes = "The delta only changes Cargo.toml." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.isrg.audits.alloca]] +who = "David Cook " +criteria = "safe-to-run" +version = "0.4.0" + [[audits.isrg.audits.base64]] who = "Tim Geoghegan " criteria = "safe-to-deploy" 
@@ -1175,6 +1418,67 @@ who = "David Cook " criteria = "safe-to-deploy" version = "0.9.0" +[[audits.isrg.audits.cfg-if]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 1.0.1" + +[[audits.isrg.audits.cfg-if]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 1.0.3" + +[[audits.isrg.audits.cfg-if]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.0.3 -> 1.0.4" + +[[audits.isrg.audits.chacha20]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.10.0" + +[[audits.isrg.audits.cpufeatures]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.17 -> 0.3.0" + +[[audits.isrg.audits.criterion]] +who = "Tim Geoghegan " +criteria = "safe-to-run" +delta = "0.5.1 -> 0.6.0" +notes = "No new unsafe code and nothing suspicious in build scripts." + +[[audits.isrg.audits.criterion]] +who = "David Cook " +criteria = "safe-to-run" +delta = "0.6.0 -> 0.7.0" + +[[audits.isrg.audits.criterion]] +who = "David Cook " +criteria = "safe-to-run" +delta = "0.7.0 -> 0.8.0" + +[[audits.isrg.audits.criterion]] +who = "J.C. Jones " +criteria = "safe-to-run" +delta = "0.8.0 -> 0.8.1" + +[[audits.isrg.audits.criterion]] +who = "J.C. Jones " +criteria = "safe-to-run" +delta = "0.8.1 -> 0.8.2" + +[[audits.isrg.audits.criterion-plot]] +who = "J.C. Jones " +criteria = "safe-to-run" +version = "0.8.1" + +[[audits.isrg.audits.criterion-plot]] +who = "J.C. Jones " +criteria = "safe-to-run" +delta = "0.8.1 -> 0.8.2" + [[audits.isrg.audits.fiat-crypto]] who = "David Cook " criteria = "safe-to-deploy" 
@@ -1255,65 +1559,127 @@ criteria = "safe-to-deploy" delta = "0.2.8 -> 0.2.9" notes = "No changes to Rust code between 0.2.8 and 0.2.9" +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.3.3 -> 0.3.4" + +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.3.4 -> 0.4.0" + +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.1" + +[[audits.isrg.audits.keccak]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.1.2" + +[[audits.isrg.audits.keccak]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.1.2 -> 0.1.3" + +[[audits.isrg.audits.keccak]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" + +[[audits.isrg.audits.once_cell]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "1.21.1 -> 1.21.3" +notes = "The unsafe code has moved from `compare_exchange` to a new `init` function, which makes it easier to reason about." + +[[audits.isrg.audits.once_cell]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "1.21.3 -> 1.21.4" +notes = "The addition is a safe while loop around prior behavior. I don't see any way for that to become malicious." 
+ [[audits.isrg.audits.opaque-debug]] who = "David Cook " criteria = "safe-to-deploy" version = "0.3.0" -[[audits.isrg.audits.rand_chacha]] +[[audits.isrg.audits.page_size]] +who = "David Cook " +criteria = "safe-to-run" +version = "0.6.0" + +[[audits.isrg.audits.rand]] who = "David Cook " criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.9.0" +delta = "0.8.5 -> 0.9.1" -[[audits.isrg.audits.rand_core]] +[[audits.isrg.audits.rand]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.9.1 -> 0.9.2" + +[[audits.isrg.audits.rand]] who = "David Cook " criteria = "safe-to-deploy" -delta = "0.6.4 -> 0.9.3" - -[[audits.isrg.audits.rayon]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.6.1 -> 1.7.0" - -[[audits.isrg.audits.rayon]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "1.7.0 -> 1.8.0" - -[[audits.isrg.audits.rayon]] -who = "Ameer Ghani " -criteria = "safe-to-deploy" -delta = "1.8.0 -> 1.8.1" - -[[audits.isrg.audits.rayon]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.8.1 -> 1.9.0" - -[[audits.isrg.audits.rayon]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.9.0 -> 1.10.0" +delta = "0.9.2 -> 0.10.0" [[audits.isrg.audits.rayon-core]] who = "Ameer Ghani " criteria = "safe-to-deploy" version = "1.12.1" -[[audits.isrg.audits.sha3]] +[[audits.isrg.audits.rayon-core]] who = "David Cook " criteria = "safe-to-deploy" -version = "0.10.6" +delta = "1.12.1 -> 1.13.0" -[[audits.isrg.audits.sha3]] -who = "Brandon Pitman " +[[audits.isrg.audits.serde]] +who = "J.C. Jones " criteria = "safe-to-deploy" -delta = "0.10.6 -> 0.10.7" +delta = "1.0.219 -> 1.0.224" -[[audits.isrg.audits.sha3]] -who = "Brandon Pitman " +[[audits.isrg.audits.serde]] +who = "J.C. 
Jones " criteria = "safe-to-deploy" -delta = "0.10.7 -> 0.10.8" +delta = "1.0.224 -> 1.0.225" + +[[audits.isrg.audits.serde]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "1.0.225 -> 1.0.226" + +[[audits.isrg.audits.serde_core]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +version = "1.0.224" + +[[audits.isrg.audits.serde_core]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "1.0.224 -> 1.0.225" + +[[audits.isrg.audits.serde_core]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "1.0.225 -> 1.0.226" + +[[audits.isrg.audits.serde_derive]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "1.0.219 -> 1.0.224" + +[[audits.isrg.audits.serde_derive]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "1.0.224 -> 1.0.225" + +[[audits.isrg.audits.serde_derive]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "1.0.225 -> 1.0.226" [[audits.isrg.audits.subtle]] who = "David Cook " @@ -1325,11 +1691,21 @@ who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "1.0.40 -> 1.0.43" +[[audits.isrg.audits.thiserror]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "2.0.17 -> 2.0.18" + [[audits.isrg.audits.thiserror-impl]] who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "1.0.40 -> 1.0.43" +[[audits.isrg.audits.thiserror-impl]] +who = "J.C. Jones " +criteria = "safe-to-deploy" +delta = "2.0.17 -> 2.0.18" + [[audits.isrg.audits.universal-hash]] who = "David Cook " criteria = "safe-to-deploy" 
@@ -1349,81 +1725,47 @@ end = "2024-04-21" notes = "No unsafe code, rather straight-forward parser." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.wildcard-audits.unicode-xid]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-07-25" +end = "2027-04-23" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.adler2]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.allocator-api2]] who = "Nicolas Silva " criteria = "safe-to-deploy" version = "0.2.18" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.bindgen]] -who = "Emilio Cobos Álvarez " -criteria = "safe-to-deploy" -version = "0.59.2" -notes = "I'm the primary author and maintainer of the crate." 
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bindgen]] -who = "Emilio Cobos Álvarez " -criteria = "safe-to-deploy" -delta = "0.59.2 -> 0.63.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bindgen]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.63.0 -> 0.64.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bindgen]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.64.0 -> 0.66.1" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bindgen]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.66.1 -> 0.68.1" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -delta = "1.3.2 -> 2.0.2" -notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)." 
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Nicolas Silva " -criteria = "safe-to-deploy" -delta = "2.0.2 -> 2.1.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Teodor Tanasoaia " -criteria = "safe-to-deploy" -delta = "2.2.1 -> 2.3.2" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "2.3.3 -> 2.4.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "2.4.0 -> 2.4.1" -notes = "Only allowing new clippy lints" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.mozilla.audits.block-buffer]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.2 -> 0.10.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.block2]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "0.6.2" +notes = "Contains unsafe code to interoperate with the ObjC runtime." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.cfg_aliases]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.1" +notes = "Very minor changes." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.crossbeam-channel]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" 
@@ -1462,47 +1804,18 @@ criteria = "safe-to-deploy" version = "0.2.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.crypto-common]] -who = "Mike Hommey " +[[audits.mozilla.audits.either]] +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "0.1.3 -> 0.1.6" +delta = "1.15.0 -> 1.16.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.doc-comment]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "0.3.3" -notes = """ -Trivial macro crate implementing a trick for expanding macros within doc -comments on older versions of rustc. -""" -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - [[audits.mozilla.audits.errno]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.1 -> 0.3.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.fastrand]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.9.0 -> 2.0.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.fastrand]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "2.0.1 -> 2.1.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.fastrand]] -who = "Chris Martin " -criteria = "safe-to-deploy" -delta = "2.1.0 -> 2.1.1" -notes = "Fairly trivial changes, no chance of security regression." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -1510,18 +1823,6 @@ version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.futures-core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.3.27 -> 0.3.28" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.futures-sink]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.3.27 -> 0.3.28" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.getrandom]] who = "Chris Martin " criteria = "safe-to-deploy" 
@@ -1533,21 +1834,48 @@ documentation. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.gimli]] -who = "Alex Franchuk " +[[audits.mozilla.audits.getrandom]] +who = "Emilio Cobos Álvarez " criteria = "safe-to-deploy" -version = "0.30.0" +delta = "0.3.1 -> 0.3.3" notes = """ -Unsafe code blocks are sound. Minimal dependencies used. No use of -side-effectful std functions. +Biggest non-trivial change is a new UEFI back-end, which looks reasonable to +the best of my ability: There's some trickiness on initialization but doesn't +look unsafe, at worse it leaks, and it might not if the relevant pointers are +static/non-owning. Other changes also look reasonable too: some tweaks to +inlining and a syscall-based linux back-end, whose relevant unsafe code looks +reasonable. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.gimli]] -who = "Chris Martin " +[[audits.mozilla.audits.hashbrown]] +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "0.30.0 -> 0.29.0" -notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues." 
+delta = "0.15.2 -> 0.15.5" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hashbrown]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.15.5 -> 0.16.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hashbrown]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.16.0 -> 0.16.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hashbrown]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.16.1 -> 0.17.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hashbrown]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.17.0 -> 0.17.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hex]] 
@@ -1556,71 +1884,106 @@ criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.keccak]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.objc2-encode]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "4.1.0" +notes = "Support library for objc2 with no unsafe code" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.once_cell]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "1.20.2 -> 1.20.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.peeking_take_while]] -who = "Bobby Holley " +[[audits.mozilla.audits.once_cell]] +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "1.0.0 -> 0.1.2" -notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities." +delta = "1.20.3 -> 1.21.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.pin-project-lite]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -delta = "0.2.14 -> 0.2.16" -notes = """ -Only functional change is to work around a bug in the negative_impls feature -(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009) -""" -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - -[[audits.mozilla.audits.rayon]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "1.5.3" -notes = "All code written or reviewed by Josh Stone or Niko Matsakis." 
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.rayon]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.5.3 -> 1.6.1" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.rustc-hash]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -version = "1.1.0" -notes = "Straightforward crate with no unsafe code, does what it says on the tin." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.ryu]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.10 -> 1.0.11" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.ryu]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.11 -> 1.0.12" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.ryu]] +[[audits.mozilla.audits.oorandom]] who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.12 -> 1.0.19" +criteria = "safe-to-run" +version = "11.1.5" +notes = "Small random number generator, explicitly not cryptographically secure, no use of unsafe code, no dependencies" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" -[[audits.mozilla.audits.semver]] +[[audits.mozilla.audits.proc-macro2]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "1.0.17 -> 1.0.25" +delta = "1.0.94 -> 1.0.106" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.quote]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.40 -> 1.0.45" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.rand]] +who = "Henrik Skupin " 
+criteria = "safe-to-deploy" +delta = "0.8.5 -> 0.8.6" +notes = """ +Fixes RUSTSEC-2026-0097 by removing `log` dependency. Removes `simd_support` +feature. No new dependencies or unsafe code. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.regex]] +who = "Benjamin VanderSloot " +criteria = "safe-to-deploy" +delta = "1.11.1 -> 1.12.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.regex-automata]] +who = "Benjamin VanderSloot " +criteria = "safe-to-deploy" +delta = "0.4.9 -> 0.4.14" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "1.0.226 -> 1.0.227" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.227 -> 1.0.228" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_core]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "1.0.226 -> 1.0.227" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_core]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.227 -> 1.0.228" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_derive]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "1.0.226 -> 1.0.227" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_derive]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.227 -> 1.0.228" aggregated-from = 
"https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.shlex]] @@ -1629,6 +1992,12 @@ criteria = "safe-to-deploy" delta = "1.1.0 -> 1.3.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.smallvec]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "1.14.0 -> 1.15.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.strsim]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" 
@@ -1642,6 +2011,37 @@ version = "2.5.0" notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.tempfile]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "3.6.0 -> 3.8.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.tempfile]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "3.8.0 -> 3.9.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.tempfile]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "3.9.0 -> 3.10.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.tempfile]] +who = "Chris Martin " +criteria = "safe-to-deploy" +delta = "3.10.1 -> 3.16.0" +notes = "Big change, but nothing unsafe and lots of it is documentation and convenience APIs" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.tempfile]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "3.16.0 -> 3.27.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.thiserror]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" 
@@ -1660,6 +2060,19 @@ criteria = "safe-to-deploy" delta = "0.2.1 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" +[[audits.mozilla.audits.windows-link]] +who = "Mark Hammond " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "A microsoft crate allowing unsafe calls to windows apis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.windows-link]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.zeroize]] who = "Benjamin Beurdouche " criteria = "safe-to-deploy" @@ -1670,11 +2083,11 @@ for deleting data. This is expected and documented behavior. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.zeroize_derive]] -who = "Benjamin Beurdouche " +[[audits.zcash.audits.aho-corasick]] +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "1.4.2" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +delta = "1.1.3 -> 1.1.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.zcash.audits.block-buffer]] who = "Jack Grigg " 
@@ -1683,12 +2096,42 @@ delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.bytes]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.7.1 -> 1.7.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.bytes]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.7.2 -> 1.11.1" +notes = "New/changed uses of unsafe are documented and seem plausible." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.crossbeam-utils]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.20 -> 0.8.21" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.crunchy]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.3 -> 0.2.4" +notes = """ +Build script change is to fix a bug where a path separator for an included file +was being selected by the target OS instead of the host OS. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.darling_macro]] +who = "Schell Carl Scivally " +criteria = "safe-to-deploy" +delta = "0.20.10 -> 0.20.11" +notes = "Only includes changes to cargo packaging, the library source itself is unchanged." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -1701,17 +2144,42 @@ criteria = "safe-to-deploy" delta = "0.3.8 -> 0.3.9" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.10 -> 0.3.11" +notes = "The `__errno` location for vxworks and cygwin looks correct from a quick search." +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.11 -> 0.3.13" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.13 -> 0.3.14" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.glob]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.2 -> 0.3.3" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.inout]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.4" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" -[[audits.zcash.audits.oorandom]] +[[audits.zcash.audits.is_terminal_polyfill]] who = "Jack Grigg " -criteria = "safe-to-run" -delta = "11.1.3 -> 11.1.4" -aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +criteria = "safe-to-deploy" +delta = "1.70.1 -> 1.70.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.zcash.audits.opaque-debug]] who = "Daira-Emma Hopwood " 
@@ -1719,6 +2187,12 @@ criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.r-efi]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "5.2.0 -> 5.3.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + [[audits.zcash.audits.rustc_version]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -1741,9 +2215,42 @@ delta = "0.4.0 -> 0.4.1" notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.rustversion]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.20 -> 1.0.21" +notes = "Build script change is to fix building with `-Zfmt-debug=none`." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.rustversion]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.21 -> 1.0.22" +notes = "Changes to generated code are to prepend a clippy annotation." +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + [[audits.zcash.audits.universal-hash]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.4.1 -> 0.5.0" notes = "I checked correctness of to_blocks which uses unsafe code in a safe function." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wasi]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.11.0+wasi-snapshot-preview1 -> 0.11.1+wasi-snapshot-preview1" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.winapi-util]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.9 -> 0.1.11" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.windows-link]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.1" +notes = "No code changes at all." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"