zcash_primitivies: Update zcash-specific dependencies.

* sapling-crypto 0.2 * orchard 0.9 * incrementalmerketree 0.6 * shardtree 0.4
2024-08-12 15:30:32 -06:00 · 2024-08-12 15:30:32 -06:00 · 12752cbcd6
parent 05887be962
commit 12752cbcd6
6 changed files with 178 additions and 85 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -634,9 +634,9 @@ checksum = "64fa3c856b712db6612c019f14756e64e4bcea13337a6b33b696333a9eaa2d06"

 [[package]]
 name = "bytemuck"
-version = "1.16.1"
+version = "1.16.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b236fc92302c97ed75b38da1f4917b5cdda4984745740f153a5d3059e48d725e"
+checksum = "102087e286b4677862ea56cf8fc58bb2cdfa8725c40ffb80fe3a008eb7f2fc83"

 [[package]]
 name = "byteorder"
@ -2103,8 +2103,9 @@ checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"

 [[package]]
 name = "incrementalmerkletree"
-version = "0.5.1"
-source = "git+https://github.com/zcash/incrementalmerkletree?rev=337f59179eda51261e9ddfc6b18e8fb84ea277c9#337f59179eda51261e9ddfc6b18e8fb84ea277c9"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75346da3bd8e3d8891d02508245ed2df34447ca6637e343829f8d08986e9cde2"
 dependencies = [
 "either",
 "proptest",
@ -2624,9 +2625,9 @@ checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"

 [[package]]
 name = "orchard"
-version = "0.8.0"
+version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0462569fc8b0d1b158e4d640571867a4e4319225ebee2ab6647e60c70af19ae3"
+checksum = "4dc7bde644aeb980be296cd908c6650894dc8541deb56f9f5294c52ed7ca568f"
 dependencies = [
 "aes",
 "bitvec",
@ -2648,6 +2649,7 @@ dependencies = [
 "serde",
 "subtle",
 "tracing",
+ "visibility",
 "zcash_note_encryption",
 "zcash_spec",
 "zip32",
@ -3641,9 +3643,9 @@ dependencies = [

 [[package]]
 name = "sapling-crypto"
-version = "0.1.3"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "02f4270033afcb0c74c5c7d59c73cfd1040367f67f224fe7ed9a919ae618f1b7"
+checksum = "15e379398fffad84e49f9a45a05635fc004f66086e65942dbf4eb95332c26d2a"
 dependencies = [
 "aes",
 "bellman",
@ -3903,8 +3905,9 @@ dependencies = [

 [[package]]
 name = "shardtree"
-version = "0.3.1"
-source = "git+https://github.com/zcash/incrementalmerkletree?rev=337f59179eda51261e9ddfc6b18e8fb84ea277c9#337f59179eda51261e9ddfc6b18e8fb84ea277c9"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78222845cd8bbe5eb95687407648ff17693a35de5e8abaa39a4681fb21e033f9"
 dependencies = [
 "assert_matches",
 "bitflags 2.6.0",
@ -5342,6 +5345,17 @@ version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"

+[[package]]
+name = "visibility"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d674d135b4a8c1d7e813e2f8d1c9a58308aee4a680323066025e53132218bd91"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.63",
+]
+
 [[package]]
 name = "void"
 version = "1.0.2"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -47,8 +47,8 @@ zcash_proofs = { version = "0.15", path = "zcash_proofs", default-features = fal
 bellman = { version = "0.14", default-features = false, features = ["groth16"] }
 ff = "0.13"
 group = "0.13"
-incrementalmerkletree = "0.5.1"
-shardtree = "0.3.1"
+incrementalmerkletree = "0.6"
+shardtree = "0.4"
 zcash_spec = "0.1"

 # Payment protocols
@ -57,11 +57,11 @@ bitvec = "1"
 blake2s_simd = "1"
 bls12_381 = "0.8"
 jubjub = "0.10"
-sapling = { package = "sapling-crypto", version = "0.1.3", default-features = false }
+sapling = { package = "sapling-crypto", version = "0.2", default-features = false }

 # - Orchard
 nonempty = "0.7"
-orchard = { version = "0.8.0", default-features = false }
+orchard = { version = "0.9", default-features = false }
 pasta_curves = "0.5"

 # - Transparent
@ -155,7 +155,3 @@ zip32 = "0.1.1"
 lto = true
 panic = 'abort'
 codegen-units = 1
-
-[patch.crates-io]
-incrementalmerkletree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "337f59179eda51261e9ddfc6b18e8fb84ea277c9" }
-shardtree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "337f59179eda51261e9ddfc6b18e8fb84ea277c9" }
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@ -524,6 +524,16 @@ who = "Jack Grigg <jack@electriccoin.co>"
 criteria = "safe-to-run"
 delta = "0.2.1 -> 0.2.2"

+[[audits.visibility]]
+who = "Kris Nuttycombe <kris@nutty.land>"
+criteria = ["safe-to-deploy", "license-reviewed"]
+version = "0.1.1"
+notes = """
+- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`.
+- Crate has no powerful imports, and exclusively provides a proc macro
+  that safely malleates a visibility modifier.
+"""
+
 [[audits.walkdir]]
 who = "Daira-Emma Hopwood <daira@jacaranda.org>"
 criteria = "safe-to-run"
@ -572,13 +582,13 @@ delta = "1.6.0 -> 1.7.0"

 [[trusted.equihash]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2020-06-26"
 end = "2025-04-22"

 [[trusted.f4jumble]]
 criteria = ["safe-to-deploy", "crypto-reviewed"]
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2021-09-22"
 end = "2025-04-22"

@ -602,7 +612,7 @@ end = "2025-04-22"

 [[trusted.incrementalmerkletree]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2021-12-17"
 end = "2025-04-22"

@ -620,7 +630,7 @@ end = "2025-04-22"

 [[trusted.orchard]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2021-01-07"
 end = "2025-04-22"

@ -630,12 +640,36 @@ user-id = 1244 # ebfull
 start = "2022-10-19"
 end = "2025-04-22"

+[[trusted.orchard]]
+criteria = "safe-to-deploy"
+user-id = 169181 # Kris Nuttycombe (nuttycom)
+start = "2024-08-12"
+end = "2025-08-12"
+
+[[trusted.orchard]]
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+user-id = 169181 # Kris Nuttycombe (nuttycom)
+start = "2024-08-12"
+end = "2025-08-12"
+
 [[trusted.sapling-crypto]]
 criteria = ["safe-to-deploy", "crypto-reviewed"]
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2024-01-26"
 end = "2025-04-22"

+[[trusted.sapling-crypto]]
+criteria = "safe-to-deploy"
+user-id = 169181 # Kris Nuttycombe (nuttycom)
+start = "2024-08-12"
+end = "2025-08-12"
+
+[[trusted.sapling-crypto]]
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+user-id = 169181 # Kris Nuttycombe (nuttycom)
+start = "2024-08-12"
+end = "2025-08-12"
+
 [[trusted.shardtree]]
 criteria = "safe-to-deploy"
 user-id = 169181 # Kris Nuttycombe (nuttycom)
@ -704,7 +738,7 @@ end = "2025-04-22"

 [[trusted.zcash]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2024-07-15"
 end = "2025-07-19"

@ -716,7 +750,7 @@ end = "2025-04-22"

 [[trusted.zcash_address]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-07"
 end = "2025-04-22"

@ -740,7 +774,7 @@ end = "2025-04-22"

 [[trusted.zcash_extensions]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2020-04-24"
 end = "2025-04-23"

@ -752,7 +786,7 @@ end = "2025-04-22"

 [[trusted.zcash_history]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2024-03-01"
 end = "2025-04-22"

@ -770,7 +804,7 @@ end = "2025-04-22"

 [[trusted.zcash_primitives]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-26"
 end = "2025-04-22"

@ -782,7 +816,7 @@ end = "2025-04-22"

 [[trusted.zcash_proofs]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-26"
 end = "2025-04-22"

@ -794,13 +828,13 @@ end = "2025-04-22"

 [[trusted.zcash_spec]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2023-12-07"
 end = "2025-04-22"

 [[trusted.zip32]]
 criteria = "safe-to-deploy"
-user-id = 6289 # str4d
+user-id = 6289 # Jack Grigg (str4d)
 start = "2023-12-06"
 end = "2025-04-22"

--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@ -175,10 +175,6 @@ criteria = "safe-to-deploy"
 version = "0.2.0"
 criteria = "safe-to-deploy"

-[[exemptions.base64]]
-version = "0.22.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.base64ct]]
 version = "1.6.0"
 criteria = "safe-to-deploy"
@ -195,10 +191,6 @@ criteria = "safe-to-deploy"
 version = "0.11.0"
 criteria = "safe-to-deploy"

-[[exemptions.bitflags]]
-version = "1.3.2"
-criteria = "safe-to-run"
-
 [[exemptions.bitvec]]
 version = "1.0.1"
 criteria = "safe-to-deploy"
@ -295,10 +287,6 @@ criteria = "safe-to-deploy"
 version = "0.2.11"
 criteria = "safe-to-deploy"

-[[exemptions.crc32fast]]
-version = "1.4.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.criterion]]
 version = "0.4.0"
 criteria = "safe-to-run"
@ -483,10 +471,6 @@ criteria = "safe-to-deploy"
 version = "0.4.2"
 criteria = "safe-to-deploy"

-[[exemptions.flate2]]
-version = "1.0.30"
-criteria = "safe-to-deploy"
-
 [[exemptions.fluid-let]]
 version = "1.0.0"
 criteria = "safe-to-deploy"
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@ -2,8 +2,8 @@
 # cargo-vet imports lock

 [[publisher.bumpalo]]
-version = "3.15.4"
-when = "2024-03-07"
+version = "3.16.0"
+when = "2024-04-08"
 user-id = 696
 user-login = "fitzgen"
 user-name = "Nick Fitzgerald"
@ -20,12 +20,14 @@ version = "0.2.0"
 when = "2022-06-24"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.f4jumble]]
 version = "0.1.0"
 when = "2022-05-10"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.halo2_gadgets]]
 version = "0.3.0"
@ -47,27 +49,29 @@ user-id = 1244
 user-login = "ebfull"

 [[publisher.incrementalmerkletree]]
-version = "0.5.1"
-when = "2024-03-25"
+version = "0.6.0"
+when = "2024-08-12"
 user-id = 169181
 user-login = "nuttycom"
 user-name = "Kris Nuttycombe"

 [[publisher.orchard]]
-version = "0.8.0"
-when = "2024-03-25"
-user-id = 6289
-user-login = "str4d"
+version = "0.9.0"
+when = "2024-08-12"
+user-id = 169181
+user-login = "nuttycom"
+user-name = "Kris Nuttycombe"

 [[publisher.sapling-crypto]]
-version = "0.1.3"
-when = "2024-03-25"
-user-id = 6289
-user-login = "str4d"
+version = "0.2.0"
+when = "2024-08-12"
+user-id = 169181
+user-login = "nuttycom"
+user-name = "Kris Nuttycombe"

 [[publisher.shardtree]]
-version = "0.3.1"
-when = "2024-04-03"
+version = "0.4.0"
+when = "2024-08-12"
 user-id = 169181
 user-login = "nuttycom"
 user-name = "Kris Nuttycombe"
@ -217,12 +221,14 @@ version = "0.1.0"
 when = "2024-07-15"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zcash_address]]
 version = "0.3.2"
 when = "2024-03-06"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zcash_client_backend]]
 version = "0.12.1"
@ -249,12 +255,14 @@ version = "0.1.0"
 when = "2024-07-15"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zcash_history]]
 version = "0.4.0"
 when = "2024-03-01"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zcash_keys]]
 version = "0.2.0"
@ -275,12 +283,14 @@ version = "0.15.1"
 when = "2024-05-24"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zcash_proofs]]
 version = "0.15.0"
 when = "2024-03-25"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zcash_protocol]]
 version = "0.1.1"
@ -294,12 +304,14 @@ version = "0.1.0"
 when = "2023-12-07"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zip32]]
 version = "0.1.1"
 when = "2024-03-14"
 user-id = 6289
 user-login = "str4d"
+user-name = "Jack Grigg"

 [[publisher.zip321]]
 version = "0.0.0"
@ -313,7 +325,7 @@ who = "Nick Fitzgerald <fitzgen@gmail.com>"
 criteria = "safe-to-deploy"
 user-id = 696 # Nick Fitzgerald (fitzgen)
 start = "2019-03-16"
-end = "2024-03-10"
+end = "2025-07-30"

 [[audits.bytecode-alliance.audits.adler]]
 who = "Alex Crichton <alex@alexcrichton.com>"
@ -347,6 +359,11 @@ criteria = "safe-to-deploy"
 version = "0.21.0"
 notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."

+[[audits.bytecode-alliance.audits.base64]]
+who = "Andrew Brown <andrew.brown@intel.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.3 -> 0.22.1"
+
 [[audits.bytecode-alliance.audits.block-buffer]]
 who = "Benjamin Bouvier <public@benj.me>"
 criteria = "safe-to-deploy"
@ -842,6 +859,22 @@ and nothing changed from the baseline audit of 1.1.0.  Skimmed through the
 '''
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

+[[audits.google.audits.bitflags]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "1.3.2"
+notes = """
+Security review of earlier versions of the crate can be found at
+(Google-internal, sorry): go/image-crate-chromium-security-review
+
+The crate exposes a function marked as `unsafe`, but doesn't use any
+`unsafe` blocks (except for tests of the single `unsafe` function).  I
+think this justifies marking this crate as `ub-risk-1`.
+
+Additional review comments can be found at https://crrev.com/c/4723145/31
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.bitflags]]
 who = "Lukasz Anforowicz <lukasza@chromium.org>"
 criteria = "safe-to-deploy"
@ -875,23 +908,13 @@ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_p
 [[audits.google.audits.bytemuck]]
 who = "Lukasz Anforowicz <lukasza@chromium.org>"
 criteria = "safe-to-deploy"
-version = "1.14.3"
-notes = "Additional review notes may be found in https://crrev.com/c/5362675."
-aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
-
-[[audits.google.audits.bytemuck]]
-who = "Adrian Taylor <adetaylor@chromium.org>"
-criteria = "safe-to-deploy"
-delta = "1.14.3 -> 1.15.0"
-aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
-
-[[audits.google.audits.bytemuck]]
-who = "Lukasz Anforowicz <lukasza@chromium.org>"
-criteria = "safe-to-deploy"
-delta = "1.16.0 -> 1.16.1"
+version = "1.16.3"
 notes = """
-The delta only adds `f16` and `f128` support (with some other minor changes)
-and has no impact on the audit criteria.
+Review notes from the original audit (of 1.14.3) may be found in
+https://crrev.com/c/5362675.  Note that this audit has initially missed UB risk
+that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258.
+Because of this, the original audit has been edited to certify version `1.16.3`
+instead (see also https://crrev.com/c/5771867).
 """
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

@ -964,6 +987,18 @@ criteria = "safe-to-run"
 version = "0.4.3"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

+[[audits.google.audits.crc32fast]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "1.4.2"
+notes = """
+Security review of earlier versions of the crate can be found at
+(Google-internal, sorry): go/image-crate-chromium-security-review
+
+Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.equivalent]]
 who = "George Burgess IV <gbiv@google.com>"
 criteria = "safe-to-deploy"
@ -980,6 +1015,41 @@ that the RNG here is not cryptographically secure.
 """
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

+[[audits.google.audits.flate2]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "1.0.30"
+notes = '''
+WARNING: This certification is a result of a **partial** audit.  The
+`any_zlib` code has **not** been audited.  Ability to track partial
+audits is tracked in https://github.com/mozilla/cargo-vet/issues/380
+Chromium does use the `any_zlib` feature(s).  Accidentally depending on
+this feature in the future is prevented using the `ban_features` feature
+of `gnrt` - see:
+https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml
+
+Security review of earlier versions of the crate can be found at
+(Google-internal, sorry): go/image-crate-chromium-security-review
+
+I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
+
+All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`:
+
+* The code under `src/ffi/...` will not be used because the `mod c`
+  declaration in `src/ffi/mod.rs` depends on the `any_zlib` config
+* 7 uses of `unsafe` in `src/mem.rs` also all depend on the
+  `any_zlib` config:
+    - 2 in `fn set_dictionary` (under `impl Compress`)
+    - 2 in `fn set_level` (under `impl Compress`)
+    - 3 in `fn set_dictionary` (under `impl Decompress`)
+
+All hits of `'\bfs\b'` are in comments, or example code, or test code
+(but not in product code).
+
+There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`.
+'''
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.futures]]
 who = "George Burgess IV <gbiv@google.com>"
 criteria = "safe-to-deploy"
@ -2500,12 +2570,6 @@ criteria = "safe-to-deploy"
 delta = "0.5.0 -> 0.5.1"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

-[[audits.zcash.audits.bumpalo]]
-who = "Daira-Emma Hopwood <daira@jacaranda.org>"
-criteria = "safe-to-deploy"
-delta = "3.15.4 -> 3.16.0"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.bytes]]
 who = "Daira-Emma Hopwood <daira@jacaranda.org>"
 criteria = "safe-to-deploy"
--- a/zcash_primitives/CHANGELOG.md
+++ b/zcash_primitives/CHANGELOG.md
@ -25,7 +25,8 @@ and this library adheres to Rust's notion of

 ### Changed
 - MSRV is now 1.70.0.
- Bumped dependencies to `secp256k1 0.27`.
+- Bumped dependencies to `secp256k1 0.27`, `incrementalmerkletree 0.6`,
+  `orchard 0.9`, `sapling-crypto 0.2`.
 - `zcash_primitives::legacy::keys`:
  - `AccountPrivKey::{from_bytes, to_bytes}` now use the byte encoding from the
    inside of a `xprv` Base58 string encoding from BIP 32, excluding the prefix