mirror of
https://github.com/rosenpass/rosenpass.git
synced 2025-12-05 20:40:02 -08:00
1744 lines
68 KiB
Plaintext
1744 lines
68 KiB
Plaintext
|
|
# cargo-vet imports lock
|
|
|
|
[[publisher.bumpalo]]
|
|
version = "3.17.0"
|
|
when = "2025-01-28"
|
|
user-id = 696
|
|
user-login = "fitzgen"
|
|
user-name = "Nick Fitzgerald"
|
|
|
|
[[publisher.cexpr]]
|
|
version = "0.6.0"
|
|
when = "2021-10-11"
|
|
user-id = 3788
|
|
user-login = "emilio"
|
|
user-name = "Emilio Cobos Álvarez"
|
|
|
|
[[publisher.wit-bindgen-rt]]
|
|
version = "0.33.0"
|
|
when = "2024-09-30"
|
|
user-id = 73222
|
|
user-login = "wasmtime-publish"
|
|
|
|
[audits.actix.audits]
|
|
|
|
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 696 # Nick Fitzgerald (fitzgen)
|
|
start = "2019-03-16"
|
|
end = "2026-08-21"
|
|
|
|
[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rt]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 73222 # wasmtime-publish
|
|
start = "2023-01-01"
|
|
end = "2026-06-03"
|
|
notes = """
|
|
The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate
|
|
publication of this crate from CI. This repository requires all PRs are reviewed
|
|
by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.adler2]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.0.0"
|
|
notes = "Fork of the original `adler` crate, zero unsfae code, works in `no_std`, does what it says on th tin."
|
|
|
|
[[audits.bytecode-alliance.audits.anes]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.6"
|
|
notes = "Contains no unsafe code, no IO, no build.rs."
|
|
|
|
[[audits.bytecode-alliance.audits.arbitrary]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.1"
|
|
|
|
[[audits.bytecode-alliance.audits.base64]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.21.0"
|
|
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
|
|
|
|
[[audits.bytecode-alliance.audits.base64]]
|
|
who = "Andrew Brown <andrew.brown@intel.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.3 -> 0.22.1"
|
|
|
|
[[audits.bytecode-alliance.audits.bitflags]]
|
|
who = "Jamey Sharp <jsharp@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.1.0 -> 2.2.1"
|
|
notes = """
|
|
This version adds unsafe impls of traits from the bytemuck crate when built
|
|
with that library enabled, but I believe the impls satisfy the documented
|
|
safety requirements for bytemuck. The other changes are minor.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.bitflags]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.3.2 -> 2.3.3"
|
|
notes = """
|
|
Nothing outside the realm of what one would expect from a bitflags generator,
|
|
all as expected.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.bitflags]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.4.1 -> 2.6.0"
|
|
notes = """
|
|
Changes in how macros are invoked and various bits and pieces of macro-fu.
|
|
Otherwise no major changes and nothing dealing with `unsafe`.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.block-buffer]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.2"
|
|
|
|
[[audits.bytecode-alliance.audits.cfg-if]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.cipher]]
|
|
who = "Andrew Brown <andrew.brown@intel.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.4"
|
|
notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads."
|
|
|
|
[[audits.bytecode-alliance.audits.cobs]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.3"
|
|
notes = "No `unsafe` code in the crate and no usage of `std`"
|
|
|
|
[[audits.bytecode-alliance.audits.crossbeam-epoch]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.15 -> 0.9.18"
|
|
notes = "Nontrivial update but mostly around dependencies and how `unsafe` code is managed. Everything looks the same shape as before."
|
|
|
|
[[audits.bytecode-alliance.audits.crypto-common]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
|
|
[[audits.bytecode-alliance.audits.embedded-io]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.0"
|
|
notes = "No `unsafe` code and only uses `std` in ways one would expect the crate to do so."
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.0 -> 0.3.1"
|
|
notes = "Just a dependency version bump and a bug fix for redox"
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.9 -> 0.3.10"
|
|
|
|
[[audits.bytecode-alliance.audits.fastrand]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.0 -> 2.0.1"
|
|
notes = """
|
|
This update had a few doc updates but no otherwise-substantial source code
|
|
updates.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.fastrand]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.1.1 -> 2.3.0"
|
|
notes = "Minor refactoring, nothing new."
|
|
|
|
[[audits.bytecode-alliance.audits.futures]]
|
|
who = "Joel Dice <joel.dice@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-channel]]
|
|
who = "Joel Dice <joel.dice@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-core]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
|
|
|
|
[[audits.bytecode-alliance.audits.futures-core]]
|
|
who = "Pat Hickey <pat@moreproductive.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.28 -> 0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-executor]]
|
|
who = "Joel Dice <joel.dice@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-io]]
|
|
who = "Joel Dice <joel.dice@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-macro]]
|
|
who = "Joel Dice <joel.dice@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-sink]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-sink]]
|
|
who = "Pat Hickey <pat@moreproductive.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.28 -> 0.3.31"
|
|
|
|
[[audits.bytecode-alliance.audits.gimli]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.29.0 -> 0.31.0"
|
|
notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate."
|
|
|
|
[[audits.bytecode-alliance.audits.gimli]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.31.0 -> 0.31.1"
|
|
notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!"
|
|
|
|
[[audits.bytecode-alliance.audits.heck]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.1 -> 0.5.0"
|
|
notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected."
|
|
|
|
[[audits.bytecode-alliance.audits.inout]]
|
|
who = "Andrew Brown <andrew.brown@intel.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads."
|
|
|
|
[[audits.bytecode-alliance.audits.itoa]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.11 -> 1.0.14"
|
|
|
|
[[audits.bytecode-alliance.audits.log]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.22 -> 0.4.27"
|
|
notes = "Lots of minor updates to macros and such, nothing touching `unsafe`"
|
|
|
|
[[audits.bytecode-alliance.audits.miniz_oxide]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
notes = """
|
|
This crate is a Rust implementation of zlib compression/decompression and has
|
|
been used by default by the Rust standard library for quite some time. It's also
|
|
a default dependency of the popular `backtrace` crate for decompressing debug
|
|
information. This crate forbids unsafe code and does not otherwise access system
|
|
resources. It's originally a port of the `miniz.c` library as well, and given
|
|
its own longevity should be relatively hardened against some of the more common
|
|
compression-related issues.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.miniz_oxide]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.1 -> 0.8.0"
|
|
notes = "Minor updates, using new Rust features like `const`, no major changes."
|
|
|
|
[[audits.bytecode-alliance.audits.miniz_oxide]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.0 -> 0.8.5"
|
|
notes = """
|
|
Lots of small updates here and there, for example around modernizing Rust
|
|
idioms. No new `unsafe` code and everything looks like what you'd expect a
|
|
compression library to be doing.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.num-traits]]
|
|
who = "Andrew Brown <andrew.brown@intel.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.19"
|
|
notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected."
|
|
|
|
[[audits.bytecode-alliance.audits.peeking_take_while]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.pin-project-lite]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.13 -> 0.2.14"
|
|
notes = "No substantive changes in this update"
|
|
|
|
[[audits.bytecode-alliance.audits.pin-utils]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.rustc-demangle]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.21"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.rustc-demangle]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.21 -> 0.1.24"
|
|
|
|
[[audits.bytecode-alliance.audits.semver]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.17"
|
|
notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"
|
|
|
|
[[audits.bytecode-alliance.audits.shlex]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin."
|
|
|
|
[[audits.bytecode-alliance.audits.static_assertions]]
|
|
who = "Andrew Brown <andrew.brown@intel.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure."
|
|
|
|
[[audits.embark-studios.audits.ident_case]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.thiserror]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.thiserror-impl]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.utf8parse]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.1"
|
|
notes = "Single unsafe usage that looks sound, no ambient capabilities"
|
|
|
|
[[audits.fermyon.audits.oorandom]]
|
|
who = "Radu Matei <radu.matei@fermyon.com>"
|
|
criteria = "safe-to-run"
|
|
version = "11.1.3"
|
|
|
|
[[audits.google.audits.autocfg]]
|
|
who = "Manish Goregaokar <manishearth@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = "Contains no unsafe"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.3.2"
|
|
notes = """
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
The crate exposes a function marked as `unsafe`, but doesn't use any
|
|
`unsafe` blocks (except for tests of the single `unsafe` function). I
|
|
think this justifies marking this crate as `ub-risk-1`.
|
|
|
|
Additional review comments can be found at https://crrev.com/c/4723145/31
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.6.0 -> 2.8.0"
|
|
notes = "No changes related to `unsafe impl ... bytemuck` pieces from `src/external.rs`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.byteorder]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.5.0"
|
|
notes = "Unsafe review in https://crrev.com/c/5838022"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.cast]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.3.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.ciborium]]
|
|
who = "Daniel Verkamp <dverkamp@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "0.2.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.ciborium-io]]
|
|
who = "Daniel Verkamp <dverkamp@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "0.2.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.ciborium-ll]]
|
|
who = "Daniel Verkamp <dverkamp@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "0.2.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.crossbeam-channel]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.5.7"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.crossbeam-channel]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.5.7 -> 0.5.8"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.crossbeam-epoch]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.9.14"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.crossbeam-epoch]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.9.14 -> 0.9.15"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.either]]
|
|
who = "Manish Goregaokar <manishearth@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.13.0"
|
|
notes = "Unsafe code pertaining to wrapping Pin APIs. Mostly passes invariants down."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.equivalent]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.equivalent]]
|
|
who = "Jonathan Hao <phao@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.1 -> 1.0.2"
|
|
notes = "No changes to any .rs files or Rust code."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.fastrand]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.0"
|
|
notes = """
|
|
`does-not-implement-crypto` is certified because this crate explicitly says
|
|
that the RNG here is not cryptographically secure.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.glob]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.glob]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.1 -> 0.3.2"
|
|
notes = "Still no unsafe"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.half]]
|
|
who = "Daniel Verkamp <dverkamp@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "2.4.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.heck]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and there were no hits.
|
|
|
|
`heck` (version `0.3.3`) has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.indexmap]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.7.1"
|
|
notes = '''
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`
|
|
and there were no hits.
|
|
|
|
There is a little bit of `unsafe` Rust code - the audit can be found at
|
|
https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itertools]]
|
|
who = "ChromeOS"
|
|
criteria = "safe-to-run"
|
|
version = "0.10.5"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itoa]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.10"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
There are a few places where `unsafe` is used. Unsafe review notes can be found
|
|
in https://crrev.com/c/5350697.
|
|
|
|
Version 1.0.1 of this crate has been added to Chromium in
|
|
https://crrev.com/c/3321896.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itoa]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.10 -> 1.0.11"
|
|
notes = """
|
|
Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits:
|
|
|
|
* Bumping up the version
|
|
* A touch up of comments
|
|
* And my own PR to make `unsafe` blocks more granular:
|
|
https://github.com/dtolnay/itoa/pull/42
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.lazy_static]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
There are two places where `unsafe` is used. Unsafe review notes can be found
|
|
in https://crrev.com/c/5347418.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3321895.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.lazy_static]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.4.0 -> 1.5.0"
|
|
notes = "Unsafe review notes: https://crrev.com/c/5650836"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.log]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.22"
|
|
notes = """
|
|
Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing
|
|
|
|
Unsafety is generally very well-documented, with one exception, which we
|
|
describe in the review doc.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.nom]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "7.1.3"
|
|
notes = """
|
|
Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.num-integer]]
|
|
who = "Manish Goregaokar <manishearth@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.46"
|
|
notes = "Contains no unsafe"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.9"
|
|
notes = "Reviewed on https://fxrev.dev/824504"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.9 -> 0.2.13"
|
|
notes = "Audited at https://fxrev.dev/946396"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro-error-attr]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.78"
|
|
notes = """
|
|
Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
|
(except for a benign \"fs\" hit in a doc comment)
|
|
|
|
Notes from the `unsafe` review can be found in https://crrev.com/c/5385745.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.78 -> 1.0.79"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.79 -> 1.0.80"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.80 -> 1.0.81"
|
|
notes = "Comment changes only"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.81 -> 1.0.82"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.82 -> 1.0.83"
|
|
notes = "Substantive change is replacing String with Box<str>, saving memory."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.83 -> 1.0.84"
|
|
notes = "Only doc comment changes in `src/lib.rs`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.84 -> 1.0.85"
|
|
notes = "Test-only changes."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.85 -> 1.0.86"
|
|
notes = """
|
|
Comment-only changes in `build.rs`.
|
|
Reordering of `Cargo.toml` entries.
|
|
Just bumping up the version number in `lib.rs`.
|
|
Config-related changes in `test_size.rs`.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.86 -> 1.0.87"
|
|
notes = "No new unsafe interactions."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Liza Burakova <liza@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.87 -> 1.0.89"
|
|
notes = """
|
|
Biggest change is adding error handling in build.rs.
|
|
Some config related changes in wrapper.rs.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.89 -> 1.0.92"
|
|
notes = """
|
|
I looked at the delta and the previous discussion at
|
|
https://chromium-review.googlesource.com/c/chromium/src/+/5385745/3#message-a8e2813129fa3779dab15acede408ee26d67b7f3
|
|
and the changes look okay to me (including the `unsafe fn from_str_unchecked`
|
|
changes in `wrapper.rs`).
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.92 -> 1.0.93"
|
|
notes = "No `unsafe`-related changes."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.35"
|
|
notes = """
|
|
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
|
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.35 -> 1.0.36"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.36 -> 1.0.37"
|
|
notes = """
|
|
The delta just 1) inlines/expands `impl ToTokens` that used to be handled via
|
|
`primitive!` macro and 2) adds `impl ToTokens` for `CStr` and `CString`.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.37 -> 1.0.38"
|
|
notes = "Still no unsafe"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rand]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.8.5"
|
|
notes = """
|
|
For more detailed unsafe review notes please see https://crrev.com/c/6362797
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rand_chacha]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.1"
|
|
notes = """
|
|
For more detailed unsafe review notes please see https://crrev.com/c/6362797
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rand_core]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.4"
|
|
notes = """
|
|
For more detailed unsafe review notes please see https://crrev.com/c/6362797
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.regex-syntax]]
|
|
who = "Manish Goregaokar <manishearth@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.8.5"
|
|
notes = "Contains no unsafe"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.14"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and there were no hits except for:
|
|
|
|
* Using trivially-safe `unsafe` in test code:
|
|
|
|
```
|
|
tests/test_const.rs:unsafe fn _unsafe() {}
|
|
tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() };
|
|
```
|
|
|
|
* Using `unsafe` in a string:
|
|
|
|
```
|
|
src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe,
|
|
```
|
|
|
|
* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr`
|
|
which is later read back via `include!` used in `src/lib.rs`.
|
|
|
|
Version `1.0.6` of this crate has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.14 -> 1.0.15"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.15 -> 1.0.16"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.16 -> 1.0.17"
|
|
notes = "Just updates windows compat"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Liza Burakova <liza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.17 -> 1.0.18"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.18 -> 1.0.19"
|
|
notes = "No unsafe, just doc changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.same-file]]
|
|
who = "Android Legacy"
|
|
criteria = "safe-to-run"
|
|
version = "1.0.6"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.197"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
|
|
|
|
There were some hits for `net`, but they were related to serialization and
|
|
not actually opening any connections or anything like that.
|
|
|
|
There were 2 hits of `unsafe` when grepping:
|
|
* In `fn as_str` in `impl Buf`
|
|
* In `fn serialize` in `impl Serialize for net::Ipv4Addr`
|
|
|
|
Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this
|
|
review also covered `serde_json_lenient`).
|
|
|
|
Version 1.0.130 of the crate has been added to Chromium in
|
|
https://crrev.com/c/3265545. The CL description contains a link to a
|
|
(Google-internal, sorry) document with a mini security review.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.197 -> 1.0.198"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.198 -> 1.0.201"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.201 -> 1.0.202"
|
|
notes = "Trivial changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.202 -> 1.0.203"
|
|
notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.203 -> 1.0.204"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.204 -> 1.0.207"
|
|
notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.207 -> 1.0.209"
|
|
notes = """
|
|
The delta carries fairly small changes in `src/private/de.rs` and
|
|
`src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the
|
|
delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts
|
|
of the crate (in `src/de/format.rs` and `src/ser/impls.rs`).
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.209 -> 1.0.210"
|
|
notes = "Almost no new code - just feature rearrangement"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Liza Burakova <liza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.210 -> 1.0.213"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.213 -> 1.0.214"
|
|
notes = "No unsafe, no crypto"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.214 -> 1.0.215"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.215 -> 1.0.216"
|
|
notes = "The delta makes minor changes in `build.rs` - switching to the `?` syntax sugar."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.216 -> 1.0.217"
|
|
notes = "Minimal changes, nothing unsafe"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Daniel Cheng <dcheng@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.217 -> 1.0.218"
|
|
notes = "No changes outside comments and documentation."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.197"
|
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.197 -> 1.0.201"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.201 -> 1.0.202"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.202 -> 1.0.203"
|
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.203 -> 1.0.204"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.204 -> 1.0.207"
|
|
notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits'
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.207 -> 1.0.209"
|
|
notes = '''
|
|
There are no code changes in this delta - see https://crrev.com/c/5812194/2..5
|
|
|
|
I've neverthless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`,
|
|
`\bnet\b`, and `\bunsafe\b`. There were no hits.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.209 -> 1.0.210"
|
|
notes = "Almost no new code - just feature rearrangement"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Liza Burakova <liza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.210 -> 1.0.213"
|
|
notes = "Grepped for 'unsafe', 'crypt', 'cipher', 'fs', 'net' - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.213 -> 1.0.214"
|
|
notes = "No changes to unsafe, no crypto"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.214 -> 1.0.215"
|
|
notes = "Minor changes should not impact UB risk"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.215 -> 1.0.216"
|
|
notes = "The delta adds `#[automatically_derived]` in a few places. Still no `unsafe`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.216 -> 1.0.217"
|
|
notes = "No changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Daniel Cheng <dcheng@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.217 -> 1.0.218"
|
|
notes = "No changes outside comments and documentation."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.small_ctor]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-run"
|
|
version = "0.1.1"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.small_ctor]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.1.1 -> 0.1.2"
|
|
notes = "I don't fully understand the changes in `lib.rs` but they seem to meet the low bar of `safe-to-run`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.smallvec]]
|
|
who = "Manish Goregaokar <manishearth@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.13.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.smallvec]]
|
|
who = "Jonathan Hao <phao@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.13.2 -> 1.14.0"
|
|
notes = """
|
|
WARNING: This certification is a result of a **partial** audit. The
|
|
`malloc_size_of` feature has **not** been audited. This feature does
|
|
not explicitly document its safety requirements.
|
|
See also https://chromium-review.googlesource.com/c/chromium/src/+/6275133/comment/ea0d7a93_98051a2e/
|
|
and https://github.com/servo/malloc_size_of/issues/8.
|
|
This feature is banned in gnrt_config.toml.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.stable_deref_trait]]
|
|
who = "Manish Goregaokar <manishearth@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.2.0"
|
|
notes = "Purely a trait, crates using this should be carefully vetted since self-referential stuff can be super tricky around various unsafe rust edges."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.strsim]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.0"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinytemplate]]
|
|
who = "Ying Hsu <yinghsu@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "1.2.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.0 -> 0.21.1"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.1 -> 0.21.2"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.2 -> 0.21.3"
|
|
|
|
[[audits.isrg.audits.block-buffer]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.17"
|
|
notes = """
|
|
This crate does not contain any unsafe code, and does not use any items from
|
|
the standard library or other crates, aside from operations backed by
|
|
`std::ops`. All paths with array indexing use integer literals for indexes, so
|
|
there are no panics due to indexes out of bounds (as rustc would catch an
|
|
out-of-bounds literal index). I did not check whether arithmetic overflows
|
|
could cause a panic, and I am relying on the Coq code having satisfied the
|
|
necessary preconditions to ensure panics due to overflows are unreachable.
|
|
"""
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.17 -> 0.1.18"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.18 -> 0.1.19"
|
|
notes = """
|
|
This release renames many items and adds a new module. The code in the new
|
|
module is entirely composed of arithmetic and array accesses.
|
|
"""
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.2.0"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.0 -> 0.2.1"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Tim Geoghegan <timg@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.1 -> 0.2.2"
|
|
notes = "No changes to `unsafe` code, or any functional changes that I can detect at all."
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.2 -> 0.2.4"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.4 -> 0.2.5"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.5 -> 0.2.6"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.6 -> 0.2.7"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.7 -> 0.2.8"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Tim Geoghegan <timg@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.8 -> 0.2.9"
|
|
notes = "No changes to Rust code between 0.2.8 and 0.2.9"
|
|
|
|
[[audits.isrg.audits.opaque-debug]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.isrg.audits.rand_chacha]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.1 -> 0.9.0"
|
|
|
|
[[audits.isrg.audits.rand_core]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.4 -> 0.9.3"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Ameer Ghani <inahga@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.8.0 -> 1.8.1"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.8.1 -> 1.9.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.0 -> 1.10.0"
|
|
|
|
[[audits.isrg.audits.rayon-core]]
|
|
who = "Ameer Ghani <inahga@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.12.1"
|
|
|
|
[[audits.isrg.audits.sha3]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.6"
|
|
|
|
[[audits.isrg.audits.sha3]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.6 -> 0.10.7"
|
|
|
|
[[audits.isrg.audits.sha3]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.7 -> 0.10.8"
|
|
|
|
[[audits.isrg.audits.subtle]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.5.0 -> 2.6.1"
|
|
|
|
[[audits.isrg.audits.thiserror]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.40 -> 1.0.43"
|
|
|
|
[[audits.isrg.audits.thiserror-impl]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.40 -> 1.0.43"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.0 -> 0.5.1"
|
|
|
|
[[audits.mozilla.wildcard-audits.cexpr]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 3788 # Emilio Cobos Álvarez (emilio)
|
|
start = "2021-06-21"
|
|
end = "2024-04-21"
|
|
notes = "No unsafe code, rather straight-forward parser."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.allocator-api2]]
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.18"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.59.2"
|
|
notes = "I'm the primary author and maintainer of the crate."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.59.2 -> 0.63.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.63.0 -> 0.64.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.64.0 -> 0.66.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.66.1 -> 0.68.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.3.2 -> 2.0.2"
|
|
notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.2 -> 2.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.2.1 -> 2.3.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.3.3 -> 2.4.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.4.0 -> 2.4.1"
|
|
notes = "Only allowing new clippy lints"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.block-buffer]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.2 -> 0.10.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.8 -> 0.5.11"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.11 -> 0.5.12"
|
|
notes = "Minimal change fixing a memory leak."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Glenn Watson <git@intuitionlibrary.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.12 -> 0.5.13"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.13 -> 0.5.14"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.14 -> 0.5.15"
|
|
notes = "Fixes a regression from an earlier version which could lead to a double free"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crunchy]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crypto-common]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.3 -> 0.1.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.doc-comment]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.3"
|
|
notes = """
|
|
Trivial macro crate implementing a trick for expanding macros within doc
|
|
comments on older versions of rustc.
|
|
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.errno]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.1 -> 0.3.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.0 -> 2.0.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.1 -> 2.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
who = "Chris Martin <cmartin@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.1.0 -> 2.1.1"
|
|
notes = "Fairly trivial changes, no chance of security regression."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fnv]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.7"
|
|
notes = "Simple hasher implementation with no unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.27 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-sink]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.27 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.getrandom]]
|
|
who = "Chris Martin <cmartin@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.15 -> 0.3.1"
|
|
notes = """
|
|
I've looked over all unsafe code, and it appears to be safe, fully initializing the rng buffers.
|
|
In addition, I've checked Linux, Windows, Mac, and Android more thoroughly against API
|
|
documentation.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.gimli]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.30.0"
|
|
notes = """
|
|
Unsafe code blocks are sound. Minimal dependencies used. No use of
|
|
side-effectful std functions.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.gimli]]
|
|
who = "Chris Martin <cmartin@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.30.0 -> 0.29.0"
|
|
notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hex]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.once_cell]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.20.2 -> 1.20.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.peeking_take_while]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.0 -> 0.1.2"
|
|
notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.pin-project-lite]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.14 -> 0.2.16"
|
|
notes = """
|
|
Only functional change is to work around a bug in the negative_impls feature
|
|
(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009)
|
|
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.5.3"
|
|
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.5.3 -> 1.6.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rustc-hash]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ryu]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.10 -> 1.0.11"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ryu]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.11 -> 1.0.12"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ryu]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.12 -> 1.0.19"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.semver]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.17 -> 1.0.25"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.shlex]]
|
|
who = "Max Inden <mail@max-inden.de>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.1.0 -> 1.3.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.strsim]]
|
|
who = "Ben Dean-Kawamura <bdk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.0 -> 0.11.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.subtle]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.5.0"
|
|
notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.thiserror]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.43 -> 1.0.69"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.thiserror-impl]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.43 -> 1.0.69"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.utf8parse]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.1 -> 0.2.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.zeroize]]
|
|
who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.8.1"
|
|
notes = """
|
|
This code DOES contain unsafe code required to internally call volatiles
|
|
for deleting data. This is expected and documented behavior.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.zeroize_derive]]
|
|
who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.block-buffer]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.3 -> 0.10.4"
|
|
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.crossbeam-utils]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.20 -> 0.8.21"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.errno]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.3 -> 0.3.8"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.errno]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.8 -> 0.3.9"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.inout]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.3 -> 0.1.4"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.oorandom]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-run"
|
|
delta = "11.1.3 -> 11.1.4"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.opaque-debug]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.0 -> 0.3.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.rustc_version]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.0"
|
|
notes = """
|
|
Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can
|
|
choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will
|
|
try `$RUSTC` followed by `rustc`.
|
|
|
|
If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will
|
|
execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should
|
|
be set correctly by `cargo`.
|
|
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.rustc_version]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.0 -> 0.4.1"
|
|
notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.universal-hash]]
|
|
who = "Daira Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.1 -> 0.5.0"
|
|
notes = "I checked correctness of to_blocks which uses unsafe code in a safe function."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|