# cargo-vet imports lock
|
|
|
|
[[publisher.bumpalo]]
|
|
version = "3.16.0"
|
|
when = "2024-04-08"
|
|
user-id = 696
|
|
user-login = "fitzgen"
|
|
user-name = "Nick Fitzgerald"
|
|
|
|
[[publisher.core-foundation-sys]]
|
|
version = "0.8.4"
|
|
when = "2023-04-03"
|
|
user-id = 5946
|
|
user-login = "jrmuizel"
|
|
user-name = "Jeff Muizelaar"
|
|
|
|
[[publisher.equihash]]
|
|
version = "0.2.0"
|
|
when = "2022-06-24"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.f4jumble]]
|
|
version = "0.1.0"
|
|
when = "2022-05-10"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.halo2_gadgets]]
|
|
version = "0.3.0"
|
|
when = "2023-03-22"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.halo2_legacy_pdqsort]]
|
|
version = "0.1.0"
|
|
when = "2023-03-10"
|
|
user-id = 199950
|
|
user-login = "daira"
|
|
user-name = "Daira Emma Hopwood"
|
|
|
|
[[publisher.halo2_proofs]]
|
|
version = "0.3.0"
|
|
when = "2023-03-22"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.incrementalmerkletree]]
|
|
version = "0.6.0"
|
|
when = "2024-08-12"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.orchard]]
|
|
version = "0.9.0"
|
|
when = "2024-08-12"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.sapling-crypto]]
|
|
version = "0.2.0"
|
|
when = "2024-08-12"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.shardtree]]
|
|
version = "0.4.0"
|
|
when = "2024-08-12"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.unicode-normalization]]
|
|
version = "0.1.23"
|
|
when = "2024-02-20"
|
|
user-id = 1139
|
|
user-login = "Manishearth"
|
|
user-name = "Manish Goregaokar"
|
|
|
|
[[publisher.windows-sys]]
|
|
version = "0.48.0"
|
|
when = "2023-03-31"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows-sys]]
|
|
version = "0.52.0"
|
|
when = "2023-11-15"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows-targets]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows-targets]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_aarch64_gnullvm]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_aarch64_gnullvm]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_aarch64_msvc]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_aarch64_msvc]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_gnu]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_gnu]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_gnullvm]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_msvc]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_msvc]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_gnu]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_gnu]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_gnullvm]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_gnullvm]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_msvc]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_msvc]]
|
|
version = "0.52.6"
|
|
when = "2024-07-03"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.zcash]]
|
|
version = "0.1.0"
|
|
when = "2024-07-15"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zcash_address]]
|
|
version = "0.3.2"
|
|
when = "2024-03-06"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zcash_client_backend]]
|
|
version = "0.13.0"
|
|
when = "2024-08-20"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.zcash_client_sqlite]]
|
|
version = "0.11.0"
|
|
when = "2024-08-20"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.zcash_encoding]]
|
|
version = "0.2.0"
|
|
when = "2022-10-19"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.zcash_extensions]]
|
|
version = "0.1.0"
|
|
when = "2024-07-15"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zcash_history]]
|
|
version = "0.4.0"
|
|
when = "2024-03-01"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zcash_keys]]
|
|
version = "0.3.0"
|
|
when = "2024-08-20"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.zcash_note_encryption]]
|
|
version = "0.4.0"
|
|
when = "2023-06-06"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.zcash_primitives]]
|
|
version = "0.15.1"
|
|
when = "2024-05-24"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zcash_proofs]]
|
|
version = "0.15.0"
|
|
when = "2024-03-25"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zcash_protocol]]
|
|
version = "0.2.0"
|
|
when = "2024-08-19"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.zcash_spec]]
|
|
version = "0.1.0"
|
|
when = "2023-12-07"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zip32]]
|
|
version = "0.1.1"
|
|
when = "2024-03-14"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
user-name = "Jack Grigg"
|
|
|
|
[[publisher.zip321]]
|
|
version = "0.1.0"
|
|
when = "2024-08-20"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
# Wildcard audit: instead of certifying one reviewed release, this entry trusts
# every bumpalo version published to crates.io by user-id 696 between `start`
# and `end` as safe-to-deploy. The [[publisher.bumpalo]] record in this file
# (3.16.0, published 2024-04-08 by the same user-id) falls inside that window.
# The trust rests on the publishing account rather than on reviewed code, and a
# release published after `end` or by a different account is not covered.
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 696 # Nick Fitzgerald (fitzgen)
|
|
start = "2019-03-16"
|
|
end = "2025-07-30"
|
|
|
|
[[audits.bytecode-alliance.audits.adler]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
|
|
|
|
[[audits.bytecode-alliance.audits.anes]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.6"
|
|
notes = "Contains no unsafe code, no IO, no build.rs."
|
|
|
|
[[audits.bytecode-alliance.audits.anyhow]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.69 -> 1.0.71"
|
|
|
|
[[audits.bytecode-alliance.audits.arrayref]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.6"
|
|
notes = """
|
|
Unsafe code, but its logic looks good to me. Necessary given what it is
|
|
doing. Well tested, has quickchecks.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.base64]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.21.0"
|
|
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
|
|
|
|
# Delta audit starting at 0.21.3. The full base64 audit directly above is for
# 0.21.0, and no entry visible here covers 0.21.0 -> 0.21.3.
# NOTE(review): the chain to 0.22.1 presumably relies on an audit or exemption
# recorded elsewhere (another import or the project's own audits) — confirm.
[[audits.bytecode-alliance.audits.base64]]
|
|
who = "Andrew Brown <andrew.brown@intel.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.3 -> 0.22.1"
|
|
|
|
[[audits.bytecode-alliance.audits.block-buffer]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.2"
|
|
|
|
# Self-certification: per `notes`, the auditor is the author of the crate, so
# this safe-to-deploy entry is not an independent review of cc 1.0.73.
[[audits.bytecode-alliance.audits.cc]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.73"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.constant_time_eq]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."
|
|
|
|
# Delta audit with a stated gap: the reviewer's notes say the FFI bindings were
# not all checked for ABI conformance, so safe-to-deploy here covers the shape
# of the 0.8.4 -> 0.8.6 change rather than the correctness of every binding.
# The starting version 0.8.4 has no full audit among the entries visible here;
# it appears only under [[publisher.core-foundation-sys]].
# NOTE(review): presumably 0.8.4 is covered through trust in that publisher —
# confirm against the project's own cargo-vet configuration.
[[audits.bytecode-alliance.audits.core-foundation-sys]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.4 -> 0.8.6"
|
|
notes = """
|
|
The changes here are all typical bindings updates: new functions, types, and
|
|
constants. I have not audited all the bindings for ABI conformance.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.crypto-common]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
|
|
[[audits.bytecode-alliance.audits.digest]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.3"
|
|
|
|
[[audits.bytecode-alliance.audits.ed25519]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.4.1 -> 1.5.3"
|
|
notes = """
|
|
This diff brings in a number of minor updates of which none are related to
|
|
`unsafe` code or anything system-related like filesystems.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.0 -> 0.3.1"
|
|
notes = "Just a dependency version bump and a bug fix for redox"
|
|
|
|
[[audits.bytecode-alliance.audits.fastrand]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.0 -> 2.0.1"
|
|
notes = """
|
|
This update had a few doc updates but no otherwise-substantial source code
|
|
updates.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.futures-channel]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-core]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
|
|
|
|
[[audits.bytecode-alliance.audits.futures-executor]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."
|
|
|
|
[[audits.bytecode-alliance.audits.futures-io]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
|
|
[[audits.bytecode-alliance.audits.http]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.9 -> 1.0.0"
|
|
notes = "Minor changes leading up to the 1.0.0 release and nothing fundamentally new here."
|
|
|
|
[[audits.bytecode-alliance.audits.http-body]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0-rc.2"
|
|
|
|
[[audits.bytecode-alliance.audits.http-body]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.0-rc.2 -> 1.0.0"
|
|
notes = "Only minor changes made for a stable release."
|
|
|
|
[[audits.bytecode-alliance.audits.http-body-util]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0-rc.2"
|
|
notes = "only one use of unsafe related to pin projection. unclear to me why pin_project! is used in many modules of the project, but the expanded output of that macro is inlined in either.rs"
|
|
|
|
[[audits.bytecode-alliance.audits.http-body-util]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.0-rc.2 -> 0.1.0"
|
|
notes = "Minor documentation updates an additions, nothing major."
|
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
|
|
[[audits.bytecode-alliance.audits.itertools]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.5 -> 0.12.1"
|
|
notes = """
|
|
Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it
|
|
says on the tin: lots of iterators.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.libm]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.2 -> 0.2.4"
|
|
notes = """
|
|
This diff primarily fixes a few issues with the `fma`-related functions,
|
|
but also contains some other minor fixes as well. Everything looks A-OK and
|
|
as expected.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.libm]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.4 -> 0.2.7"
|
|
notes = """
|
|
This is a minor update which has some testing affordances as well as some
|
|
updated math algorithms.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.matchers]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.miniz_oxide]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
notes = """
|
|
This crate is a Rust implementation of zlib compression/decompression and has
|
|
been used by default by the Rust standard library for quite some time. It's also
|
|
a default dependency of the popular `backtrace` crate for decompressing debug
|
|
information. This crate forbids unsafe code and does not otherwise access system
|
|
resources. It's originally a port of the `miniz.c` library as well, and given
|
|
its own longevity should be relatively hardened against some of the more common
|
|
compression-related issues.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.nu-ansi-term]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.46.0"
|
|
notes = "one use of unsafe to call windows specific api to get console handle."
|
|
|
|
[[audits.bytecode-alliance.audits.overload]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.1"
|
|
notes = "small crate, only defines macro-rules!, nicely documented as well"
|
|
|
|
[[audits.bytecode-alliance.audits.percent-encoding]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.2.0"
|
|
notes = """
|
|
This crate is a single-file crate that does what it says on the tin. There are
|
|
a few `unsafe` blocks related to utf-8 validation which are locally verifiable
|
|
as correct and otherwise this crate is good to go.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.pin-utils]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.pkg-config]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.25"
|
|
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."
|
|
|
|
# Delta audit starting at 0.3.26. The full pkg-config audit directly above is
# for 0.3.25 (a crate that, per that entry's notes, shells out to the
# pkg-config executable), and no entry visible here covers 0.3.25 -> 0.3.26.
# NOTE(review): the chain to 0.3.29 presumably relies on an audit or exemption
# recorded elsewhere — confirm before treating 0.3.29 as fully reviewed.
[[audits.bytecode-alliance.audits.pkg-config]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.26 -> 0.3.29"
|
|
notes = """
|
|
No `unsafe` additions or anything outside of the purview of the crate in this
|
|
change.
|
|
"""
|
|
|
|
# Self-certification: per `notes`, the auditor is the author of the crate, so
# this safe-to-deploy entry is not an independent review of rustc-demangle 0.1.21.
[[audits.bytecode-alliance.audits.rustc-demangle]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.21"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.semver]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.17"
|
|
notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"
|
|
|
|
[[audits.bytecode-alliance.audits.sharded-slab]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.4"
|
|
notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe."
|
|
|
|
[[audits.bytecode-alliance.audits.signal-hook-registry]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.1"
|
|
|
|
[[audits.bytecode-alliance.audits.thread_local]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.4"
|
|
notes = "uses unsafe to implement thread local storage of objects"
|
|
|
|
[[audits.bytecode-alliance.audits.tinyvec]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.0"
|
|
notes = """
|
|
This crate, while it implements collections, does so without `std::*` APIs and
|
|
without `unsafe`. Skimming the crate everything looks reasonable and what one
|
|
would expect from idiomatic safe collections in Rust.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.tokio-rustls]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.24.0"
|
|
notes = "no unsafe, no build, no ambient capabilities"
|
|
|
|
[[audits.bytecode-alliance.audits.tracing-subscriber]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.17"
|
|
|
|
[[audits.bytecode-alliance.audits.try-lock]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"
|
|
|
|
[[audits.bytecode-alliance.audits.vcpkg]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.15"
|
|
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
|
|
|
|
[[audits.bytecode-alliance.audits.want]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.bytecode-alliance.audits.webpki-roots]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.22.4 -> 0.23.0"
|
|
|
|
[[audits.bytecode-alliance.audits.webpki-roots]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.23.0 -> 0.25.2"
|
|
|
|
[[audits.embark-studios.audits.anyhow]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.58"
|
|
|
|
[[audits.embark-studios.audits.colorchoice]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.convert_case]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.0"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.derive_more]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.99.17"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.ident_case]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.num_enum]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.11"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.num_enum]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.11 -> 0.6.1"
|
|
notes = "Minor changes"
|
|
|
|
[[audits.embark-studios.audits.num_enum]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.1 -> 0.7.0"
|
|
|
|
[[audits.embark-studios.audits.num_enum_derive]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.11"
|
|
notes = "Proc macro that generates some unsafe code for conversion but looks sound, no ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.num_enum_derive]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.11 -> 0.6.1"
|
|
notes = "Minor changes"
|
|
|
|
[[audits.embark-studios.audits.num_enum_derive]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.1 -> 0.7.0"
|
|
|
|
[[audits.embark-studios.audits.tap]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.thiserror]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.thiserror-impl]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.toml]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.4"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.toml_datetime]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.1 -> 0.6.2"
|
|
notes = "No notable changes"
|
|
|
|
[[audits.embark-studios.audits.utf8parse]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.1"
|
|
notes = "Single unsafe usage that looks sound, no ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.valuable]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = "No unsafe usage or ambient capabilities, sane build script"
|
|
|
|
# Full audit that anchors the webpki-roots chain in this file: the two
# bytecode-alliance delta audits (0.22.4 -> 0.23.0 and 0.23.0 -> 0.25.2) start
# from this version, so trust in 0.25.2 rests on both import sources together.
# The notes describe a crate of data definitions only, i.e. the review confirms
# the absence of runtime code at 0.22.4; it does not say the root set itself
# was checked.
[[audits.embark-studios.audits.webpki-roots]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.22.4"
|
|
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"
|
|
|
|
# `safe-to-run` is the weaker of cargo-vet's two built-in criteria:
# safe-to-deploy implies it, not the reverse. This entry therefore does not
# satisfy a policy that requires safe-to-deploy for oorandom. It carries no
# `notes`, so the scope of the review is not recorded here.
[[audits.fermyon.audits.oorandom]]
|
|
who = "Radu Matei <radu.matei@fermyon.com>"
|
|
criteria = "safe-to-run"
|
|
version = "11.1.3"
|
|
|
|
# Audit at the weaker `safe-to-run` criterion, with no `notes`.
# `aggregated-from` records the upstream audits file this entry came from. The
# URL names a branch (refs/heads/main), not a fixed revision, so the upstream
# file can change over time.
# NOTE(review): the copy recorded in this lock file is presumably what gets
# diffed and reviewed when imports are refreshed — confirm in the project's
# update workflow.
[[audits.google.audits.anstream]]
|
|
who = "Ying Hsu <yinghsu@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "0.6.13"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.anstyle]]
|
|
who = "Yu-An Wang <wyuang@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "1.0.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.anstyle]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "1.0.4 -> 1.0.6"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.anstyle]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "1.0.6 -> 1.0.7"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.anstyle-parse]]
|
|
who = "Ying Hsu <yinghsu@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "0.2.3"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.anstyle-query]]
|
|
who = "Ying Hsu <yinghsu@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "1.0.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream]]
|
|
who = "Tyler Mandry <tmandry@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.4"
|
|
notes = "Reviewed on https://fxrev.dev/761470"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.4 -> 0.3.5"
|
|
notes = "Reviewed on https://fxrev.dev/906795"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream-impl]]
|
|
who = "Tyler Mandry <tmandry@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.4"
|
|
notes = "Reviewed on https://fxrev.dev/761470"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream-impl]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.4 -> 0.3.5"
|
|
notes = "Reviewed on https://fxrev.dev/906795"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
# Full audit of autocfg 1.1.0; the review method in `notes` is a keyword grep
# (crypto, fs, net, unsafe), with the detailed write-up in a Google-internal
# document that is not available from this file.
# NOTE(review): `notes` is a basic multi-line string ("""), where TOML reads
# `\b` as the backspace escape. The grep patterns therefore decode with control
# characters in place of the regex word boundary. The 1.1.0 -> 1.2.0 entry for
# this crate carries the same patterns in a literal (''') string, which keeps
# them verbatim. Any correction presumably belongs in the `aggregated-from`
# source, not in this lock file.
[[audits.google.audits.autocfg]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and there were no hits except for reasonable, client-controlled usage of
|
|
`std::fs` in `AutoCfg::with_dir`.
|
|
|
|
This crate has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
|
|
The CL description contains a link to a Google-internal document with audit details.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.autocfg]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.1.0 -> 1.2.0"
|
|
notes = '''
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and nothing changed from the baseline audit of 1.1.0. Skimmed through the
|
|
1.1.0 => 1.2.0 delta and everything seemed okay.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.3.2"
|
|
notes = """
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
The crate exposes a function marked as `unsafe`, but doesn't use any
|
|
`unsafe` blocks (except for tests of the single `unsafe` function). I
|
|
think this justifies marking this crate as `ub-risk-1`.
|
|
|
|
Additional review comments can be found at https://crrev.com/c/4723145/31
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.4.2"
|
|
notes = """
|
|
Audit notes:
|
|
|
|
* I've checked for any discussion in Google-internal cl/546819168 (where audit
|
|
of version 2.3.3 happened)
|
|
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
|
|
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
|
|
correct in a straightforward way - they just propagate the marker trait's
|
|
impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type
|
|
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.4.2 -> 2.5.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.5.0 -> 2.6.0"
|
|
notes = "The changes from the previous version are negligible and thus it retains the same properties."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bytemuck]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.16.3"
|
|
notes = """
|
|
Review notes from the original audit (of 1.14.3) may be found in
|
|
https://crrev.com/c/5362675. Note that this audit initially missed a UB risk
|
|
that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258.
|
|
Because of this, the original audit has been edited to certify version `1.16.3`
|
|
instead (see also https://crrev.com/c/5771867).
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.cast]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.3.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.cfg-if]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.clap]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-run"
|
|
version = "4.4.8"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.clap]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "4.4.8 -> 4.4.14"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.clap_builder]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-run"
|
|
version = "4.4.8"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.clap_builder]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "4.4.8 -> 4.4.14"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.clap_builder]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "4.4.14 -> 4.5.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.clap_lex]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-run"
|
|
version = "0.6.0"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.cpp_demangle]]
|
|
who = "Hidenori Kobayashi <hidenorik@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "0.4.3"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.crc32fast]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.2"
|
|
notes = """
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.equivalent]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.fastrand]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.0"
|
|
notes = """
|
|
`does-not-implement-crypto` is certified because this crate explicitly says
|
|
that the RNG here is not cryptographically secure.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.flate2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.30"
|
|
notes = '''
|
|
WARNING: This certification is a result of a **partial** audit. The
|
|
`any_zlib` code has **not** been audited. Ability to track partial
|
|
audits is tracked in https://github.com/mozilla/cargo-vet/issues/380
|
|
Chromium does not use the `any_zlib` feature(s). Accidentally depending on
|
|
this feature in the future is prevented using the `ban_features` feature
|
|
of `gnrt` - see:
|
|
https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml
|
|
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
|
|
|
|
All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`:
|
|
|
|
* The code under `src/ffi/...` will not be used because the `mod c`
|
|
declaration in `src/ffi/mod.rs` depends on the `any_zlib` config
|
|
* 7 uses of `unsafe` in `src/mem.rs` also all depend on the
|
|
`any_zlib` config:
|
|
- 2 in `fn set_dictionary` (under `impl Compress`)
|
|
- 2 in `fn set_level` (under `impl Compress`)
|
|
- 3 in `fn set_dictionary` (under `impl Decompress`)
|
|
|
|
All hits of `'\bfs\b'` are in comments, or example code, or test code
|
|
(but not in product code).
|
|
|
|
There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.futures]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.28"
|
|
notes = """
|
|
`futures` has no logic other than tests - it simply `pub use`s things from
|
|
other crates.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.heck]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits.
|
|
|
|
`heck` (version `0.3.3`) has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.httpdate]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.3"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.is-terminal]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.4.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.is-terminal]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.4.2 -> 0.4.9"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itertools]]
|
|
who = "ChromeOS"
|
|
criteria = "safe-to-run"
|
|
version = "0.10.5"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itoa]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.10"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
There are a few places where `unsafe` is used. Unsafe review notes can be found
|
|
in https://crrev.com/c/5350697.
|
|
|
|
Version 1.0.1 of this crate has been added to Chromium in
|
|
https://crrev.com/c/3321896.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itoa]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.10 -> 1.0.11"
|
|
notes = """
|
|
Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits:
|
|
|
|
* Bumping up the version
|
|
* A touch up of comments
|
|
* And my own PR to make `unsafe` blocks more granular:
|
|
https://github.com/dtolnay/itoa/pull/42
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.lazy_static]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
There are two places where `unsafe` is used. Unsafe review notes can be found
|
|
in https://crrev.com/c/5347418.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3321895.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.lazy_static]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.4.0 -> 1.5.0"
|
|
notes = "Unsafe review notes: https://crrev.com/c/5650836"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.nix]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.26.2"
|
|
notes = """
|
|
Reviewed on https://fxrev.dev/780283
|
|
Issues:
|
|
- https://github.com/nix-rust/nix/issues/1975
|
|
- https://github.com/nix-rust/nix/issues/1977
|
|
- https://github.com/nix-rust/nix/pull/1978
|
|
- https://github.com/nix-rust/nix/pull/1979
|
|
- https://github.com/nix-rust/nix/issues/1980
|
|
- https://github.com/nix-rust/nix/issues/1981
|
|
- https://github.com/nix-rust/nix/pull/1983
|
|
- https://github.com/nix-rust/nix/issues/1990
|
|
- https://github.com/nix-rust/nix/pull/1992
|
|
- https://github.com/nix-rust/nix/pull/1993
|
|
"""
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.nom]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "7.1.3"
|
|
notes = """
|
|
Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.num-iter]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.43"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.password-hash]]
|
|
who = "Joshua Liebow-Feeser <joshlf@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.2 -> 0.4.2"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pbkdf2]]
|
|
who = "Joshua Liebow-Feeser <joshlf@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.11.0"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.9"
|
|
notes = "Reviewed on https://fxrev.dev/824504"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.9 -> 0.2.13"
|
|
notes = "Audited at https://fxrev.dev/946396"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.78"
|
|
notes = """
|
|
Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
|
(except for a benign \"fs\" hit in a doc comment)
|
|
|
|
Notes from the `unsafe` review can be found in https://crrev.com/c/5385745.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.78 -> 1.0.79"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.79 -> 1.0.80"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.80 -> 1.0.81"
|
|
notes = "Comment changes only"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.82 -> 1.0.83"
|
|
notes = "Substantive change is replacing String with Box<str>, saving memory."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.83 -> 1.0.84"
|
|
notes = "Only doc comment changes in `src/lib.rs`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.84 -> 1.0.85"
|
|
notes = "Test-only changes."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.85 -> 1.0.86"
|
|
notes = """
|
|
Comment-only changes in `build.rs`.
|
|
Reordering of `Cargo.toml` entries.
|
|
Just bumping up the version number in `lib.rs`.
|
|
Config-related changes in `test_size.rs`.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.35"
|
|
notes = """
|
|
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
|
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.35 -> 1.0.36"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.ring]]
|
|
who = "Laura Peskin <pesk@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.16.12 -> 0.16.20"
|
|
notes = """
|
|
Reviewed on: https://fxrev.dev/923001 (0.16.13 -> 0.16.20)
|
|
Reviewed on: https://fxrev.dev/716624 (0.16.12 -> 0.16.13)
|
|
"""
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.14"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits except for:
|
|
|
|
* Using trivially-safe `unsafe` in test code:
|
|
|
|
```
|
|
tests/test_const.rs:unsafe fn _unsafe() {}
|
|
tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() };
|
|
```
|
|
|
|
* Using `unsafe` in a string:
|
|
|
|
```
|
|
src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe,
|
|
```
|
|
|
|
* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr`
|
|
which is later read back via `include!` used in `src/lib.rs`.
|
|
|
|
Version `1.0.6` of this crate has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.14 -> 1.0.15"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.197"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
|
|
|
|
There were some hits for `net`, but they were related to serialization and
|
|
not actually opening any connections or anything like that.
|
|
|
|
There were 2 hits of `unsafe` when grepping:
|
|
* In `fn as_str` in `impl Buf`
|
|
* In `fn serialize` in `impl Serialize for net::Ipv4Addr`
|
|
|
|
Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this
|
|
review also covered `serde_json_lenient`).
|
|
|
|
Version 1.0.130 of the crate has been added to Chromium in
|
|
https://crrev.com/c/3265545. The CL description contains a link to a
|
|
(Google-internal, sorry) document with a mini security review.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.197 -> 1.0.198"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.198 -> 1.0.201"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.202 -> 1.0.203"
|
|
notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.203 -> 1.0.204"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.197"
|
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.197 -> 1.0.201"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.202 -> 1.0.203"
|
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.203 -> 1.0.204"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.sha1]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.5"
|
|
notes = "Reviewed on https://fxrev.dev/712371."
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.stable_deref_trait]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "1.2.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.static_assertions]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits except for one `unsafe`.
|
|
|
|
The lambda where `unsafe` is used is never invoked (i.e. the `unsafe` code
|
|
never runs) and is only introduced for some compile-time checks. Additional
|
|
unsafe review comments can be found in https://crrev.com/c/5353376.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3736562. The CL
|
|
description contains a link to a document with an additional security review.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.strsim]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.0"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.strum]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.25.0"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.strum_macros]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.25.3"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinytemplate]]
|
|
who = "Ying Hsu <yinghsu@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "1.2.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.0 -> 1.6.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec_macros]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tokio-stream]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.11"
|
|
notes = "Reviewed on https://fxrev.dev/804724"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tokio-stream]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.11 -> 0.1.14"
|
|
notes = "Reviewed on https://fxrev.dev/907732."
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.unicode-ident]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.12"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
Both functions in the public API of this crate use `unsafe` to avoid bounds
|
|
checks for an array access. Cross-module analysis shows that the offsets can
|
|
be statically proven to be within array bounds. More details can be found in
|
|
the unsafe review CL at https://crrev.com/c/5350386.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3891618.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.version_check]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.void]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.isrg.audits.aes]]
|
|
who = "Tim Geoghegan <timg@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.3 -> 0.8.4"
|
|
notes = """
|
|
Change affects some unsafe code. The only functional change is to add an
|
|
assertion checking alignment and to change an `as *mut u32` cast to a
|
|
call to `std::pointer::cast`.
|
|
"""
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.0 -> 0.21.1"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.1 -> 0.21.2"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.2 -> 0.21.3"
|
|
|
|
[[audits.isrg.audits.block-buffer]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.isrg.audits.criterion]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.4.0 -> 0.5.1"
|
|
|
|
[[audits.isrg.audits.crunchy]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.2"
|
|
|
|
[[audits.isrg.audits.digest]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.6 -> 0.10.7"
|
|
|
|
[[audits.isrg.audits.either]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.1"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.17"
|
|
notes = """
|
|
This crate does not contain any unsafe code, and does not use any items from
|
|
the standard library or other crates, aside from operations backed by
|
|
`std::ops`. All paths with array indexing use integer literals for indexes, so
|
|
there are no panics due to indexes out of bounds (as rustc would catch an
|
|
out-of-bounds literal index). I did not check whether arithmetic overflows
|
|
could cause a panic, and I am relying on the Coq code having satisfied the
|
|
necessary preconditions to ensure panics due to overflows are unreachable.
|
|
"""
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.17 -> 0.1.18"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.18 -> 0.1.19"
|
|
notes = """
This release renames many items and adds a new module. The code in the new
module is entirely composed of arithmetic and array accesses.
"""
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.2.0"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.0 -> 0.2.1"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Tim Geoghegan <timg@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.1 -> 0.2.2"
|
|
notes = "No changes to `unsafe` code, or any functional changes that I can detect at all."
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.2 -> 0.2.4"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.4 -> 0.2.5"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.5 -> 0.2.6"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.6 -> 0.2.7"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.7 -> 0.2.8"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Tim Geoghegan <timg@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.8 -> 0.2.9"
|
|
notes = "No changes to Rust code between 0.2.8 and 0.2.9"
|
|
|
|
[[audits.isrg.audits.getrandom]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.11 -> 0.2.12"
|
|
|
|
[[audits.isrg.audits.getrandom]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.12 -> 0.2.14"
|
|
|
|
[[audits.isrg.audits.getrandom]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.14 -> 0.2.15"
|
|
|
|
[[audits.isrg.audits.hmac]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.1"
|
|
|
|
[[audits.isrg.audits.keccak]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
|
|
[[audits.isrg.audits.keccak]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.2 -> 0.1.3"
|
|
|
|
[[audits.isrg.audits.keccak]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.3 -> 0.1.4"
|
|
|
|
[[audits.isrg.audits.num-bigint]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.3 -> 0.4.4"
|
|
|
|
[[audits.isrg.audits.num-integer]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.45 -> 0.1.46"
|
|
|
|
[[audits.isrg.audits.num-iter]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.43 -> 0.1.44"
|
|
|
|
[[audits.isrg.audits.num-iter]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.44 -> 0.1.45"
|
|
|
|
[[audits.isrg.audits.num-traits]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.15 -> 0.2.16"
|
|
|
|
[[audits.isrg.audits.num-traits]]
|
|
who = "Ameer Ghani <inahga@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.16 -> 0.2.17"
|
|
|
|
[[audits.isrg.audits.num-traits]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.17 -> 0.2.18"
|
|
|
|
[[audits.isrg.audits.num-traits]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.18 -> 0.2.19"
|
|
|
|
[[audits.isrg.audits.once_cell]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.18.0 -> 1.19.0"
|
|
|
|
[[audits.isrg.audits.opaque-debug]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.isrg.audits.rand_chacha]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.1"
|
|
|
|
[[audits.isrg.audits.rand_core]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Ameer Ghani <inahga@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.8.0 -> 1.8.1"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.8.1 -> 1.9.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.0 -> 1.10.0"
|
|
|
|
[[audits.isrg.audits.rayon-core]]
|
|
who = "Ameer Ghani <inahga@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.12.1"
|
|
|
|
[[audits.isrg.audits.sha3]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.6"
|
|
|
|
[[audits.isrg.audits.sha3]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.6 -> 0.10.7"
|
|
|
|
[[audits.isrg.audits.sha3]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.7 -> 0.10.8"
|
|
|
|
[[audits.isrg.audits.subtle]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.5.0 -> 2.6.1"
|
|
|
|
[[audits.isrg.audits.thiserror]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.40 -> 1.0.43"
|
|
|
|
[[audits.isrg.audits.thiserror-impl]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.40 -> 1.0.43"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.0 -> 0.5.1"
|
|
|
|
[[audits.isrg.audits.untrusted]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
|
|
[[audits.isrg.audits.wasm-bindgen-shared]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.83"
|
|
|
|
[[audits.mozilla.wildcard-audits.core-foundation-sys]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 5946 # Jeff Muizelaar (jrmuizel)
|
|
start = "2020-10-14"
|
|
end = "2023-05-04"
|
|
renew = false
|
|
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.wildcard-audits.unicode-normalization]]
|
|
who = "Manish Goregaokar <manishsmail@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 1139 # Manish Goregaokar (Manishearth)
|
|
start = "2019-11-06"
|
|
end = "2024-05-03"
|
|
notes = "All code written or reviewed by Manish"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ahash]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.7 -> 0.8.11"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.2 -> 0.1.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.4 -> 0.1.5"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.57 -> 1.0.61"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.58 -> 1.0.57"
|
|
notes = "No functional differences, just CI config and docs."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.61 -> 1.0.62"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.62 -> 1.0.68"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.68 -> 1.0.69"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.2"
|
|
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.2 -> 0.5.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-vec]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.block-buffer]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.2 -> 0.10.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.cc]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.73 -> 1.0.78"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.cc]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.78 -> 1.0.83"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.8 -> 0.5.11"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.11 -> 0.5.12"
|
|
notes = "Minimal change fixing a memory leak."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-queue]]
|
|
who = "Matthew Gregan <kinetik@flim.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.8"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-utils]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.19 -> 0.8.20"
|
|
notes = "Minor changes."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crypto-common]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.3 -> 0.1.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.debugid]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.8.0"
|
|
notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.deranged]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.11"
|
|
notes = """
This crate contains a decent bit of `unsafe` code, however all internal
unsafety is verified with copious assertions (many are compile-time), and
otherwise the unsafety is documented and left to the caller to verify.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.digest]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.3 -> 0.10.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.displaydoc]]
|
|
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.3"
|
|
notes = """
This crate is convenient macros to implement core::fmt::Display trait.
Although `unsafe` is used for test code to call `libc::abort()`, it has no `unsafe` code in this crate. And there is no file access.
It meets the criteria for safe-to-deploy.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.displaydoc]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.3 -> 0.2.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.document-features]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.8"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.8.0 -> 1.8.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.errno]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.1 -> 0.3.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.0 -> 2.0.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fnv]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.7"
|
|
notes = "Simple hasher implementation with no unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-channel]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.27 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.27 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-executor]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.27 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-io]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.27 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-macro]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.21 -> 0.3.23"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-macro]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.23 -> 0.3.25"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-macro]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.25 -> 0.3.26"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-macro]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.26 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-util]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.21 -> 0.3.23"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-util]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.23 -> 0.3.25"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-util]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.25 -> 0.3.26"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-util]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.26 -> 0.3.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.half]]
|
|
who = "John M. Schanck <jschanck@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.8.2"
|
|
notes = """
This crate contains unsafe code for bitwise casts to/from binary16 floating-point
format. I've reviewed these and found no issues. There are no uses of ambient
capabilities.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hashbrown]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.3"
|
|
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hex]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.litrs]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.17 -> 0.4.18"
|
|
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Kagami Sascha Rosylight <krosylight@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.18 -> 0.4.20"
|
|
notes = "Only cfg attribute and internal macro changes and module refactorings"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memmap2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.4 -> 0.5.7"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memmap2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.7 -> 0.5.8"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memmap2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.8 -> 0.5.9"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memmap2]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.9 -> 0.8.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memmap2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.0 -> 0.9.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-bigint]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-conv]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = """
Very straightforward, simple crate. No dependencies, unsafe, extern,
side-effectful std functions, etc.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-integer]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.45"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-traits]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.15"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.percent-encoding]]
|
|
who = "Valentin Gosu <valentin.gosu@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.2.0 -> 2.3.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.percent-encoding]]
|
|
who = "Valentin Gosu <valentin.gosu@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.3.0 -> 2.3.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.phf_macros]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.0 -> 0.11.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.pkg-config]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.25 -> 0.3.26"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.powerfmt]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.0"
|
|
notes = """
A tiny bit of unsafe code to implement functionality that isn't in stable rust
yet, but it's all valid. Otherwise it's a pretty simple crate.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rand_core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.3 -> 0.6.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.5.3"
|
|
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.5.3 -> 1.6.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.regex-syntax]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.26 -> 0.6.27"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.regex-syntax]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.27 -> 0.6.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.subtle]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.5.0"
|
|
notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.syn]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.96 -> 1.0.99"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.syn]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.99 -> 1.0.107"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.23 -> 0.3.36"
|
|
notes = """
There's a bit of new unsafe code that is self-imposed because they now assert
that ordinals are non-zero. All unsafe code was checked to ensure that the
invariants claimed were true.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.0 -> 0.1.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.1 -> 0.1.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-macros]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-macros]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.6 -> 0.2.10"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-macros]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.10 -> 0.2.18"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.tinystr]]
|
|
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.0"
|
|
notes = "One of original auther was Zibi Braniecki who worked at Mozilla and maintained by ICU4X developers (Google and Mozilla). I've vetted the one instance of unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.tinystr]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.0 -> 0.7.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.tinystr]]
|
|
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.1 -> 0.7.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.tinystr]]
|
|
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.4 -> 0.7.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.toml]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.7 -> 0.5.9"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.toml]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.9 -> 0.5.10"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.toml]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.10 -> 0.5.11"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.zerocopy]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.32"
|
|
notes = """
This crate is `no_std` so doesn't use any side-effectful std functions. It
contains quite a lot of `unsafe` code, however. I verified portions of this. It
also has a large, thorough test suite. The project claims to run tests with
Miri to have stronger soundness checks, and also claims to use formal
verification tools to prove correctness.
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.zerocopy-derive]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.32"
|
|
notes = "Clean, safe macros for zerocopy."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.ahash]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.6 -> 0.8.7"
|
|
notes = "Build-time `stdsimd` detection is replaced with a nightly-only feature flag."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.aho-corasick]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.1.2 -> 1.1.3"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.allocator-api2]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.16 -> 0.2.18"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.anyhow]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.71 -> 1.0.75"
|
|
notes = """
`unsafe` changes are migrating from `core::any::Demand` to `std::error::Request` when the
nightly features are available.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.anyhow]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.75 -> 1.0.77"
|
|
notes = """
- Build script changes are to rerun cargo if the `RUSTC_BOOTSTRAP` env variable
changes, and enable a few more `rustc` config flags.
- Some `unsafe fn`s were altered to add `unsafe` blocks, to make the safety
contracts in the code clearer (instead of using the `unsafe fn`'s implicit
`unsafe` block); no actual `unsafe` changes were made.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.anyhow]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.77 -> 1.0.79"
|
|
notes = """
Build script changes are to refactor the existing probe into a separate file
(which removes a filesystem write), and adjust how it gets rerun in response to
changes in the build environment.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.anyhow]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.79 -> 1.0.82"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.arrayref]]
|
|
who = "Sean Bowe <ewillbefull@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.6 -> 0.3.7"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.backtrace]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.69 -> 0.3.71"
|
|
notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.base64]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.3 -> 0.21.4"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.base64]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.4 -> 0.21.5"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.base64]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.5 -> 0.21.7"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.blake2b_simd]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.1 -> 1.0.2"
|
|
notes = "Switches to `constant_time_eq 0.3.0`, which bumps its MSRV to 1.66."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.blake2s_simd]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.1 -> 1.0.2"
|
|
notes = "Switches to `constant_time_eq 0.3.0`, which bumps its MSRV to 1.66."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.block-buffer]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.3 -> 0.10.4"
|
|
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.bs58]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.0 -> 0.5.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.bytes]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.5.0 -> 1.6.0"
|
|
notes = """
There is significant use of `unsafe` code, but safety requirements are well documented
and appear correct as far as I can see.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.cc]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.83 -> 1.0.94"
|
|
notes = """
The optimization to use `buffer.set_len(buffer.capacity())` in `command_helpers::StderrForwarder::forward_available`
doesn't look panic-safe: if `stderr.read` panics and that panic is caught by a caller of `forward_available`, then
the inner buffer of `StderrForwarder` will contain uninitialized data. This looks difficult to trigger in practice,
but I have opened an issue <https://github.com/rust-lang/cc-rs/issues/1036>.

`parallel::async_executor` contains `unsafe` pinning code but it looks reasonable. Similarly for the `unsafe`
initialization code in `parallel::job_token::JobTokenServer` and file operations in `parallel::stderr`.

This crate executes commands, and my review is likely not sufficient to detect subtle backdoors.
I did not review the use of library handles in the `com` package on Windows.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.constant_time_eq]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.4 -> 0.2.5"
|
|
notes = "No code changes."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.constant_time_eq]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.5 -> 0.2.6"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.constant_time_eq]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.6 -> 0.3.0"
|
|
notes = "Replaces some `unsafe` code by bumping MSRV to 1.66 (to access `core::hint::black_box`)."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.cpufeatures]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.11 -> 0.2.12"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.crossbeam-deque]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.3 -> 0.8.4"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.crossbeam-deque]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.4 -> 0.8.5"
|
|
notes = "Changes to `unsafe` code look okay."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.crossbeam-epoch]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.15 -> 0.9.16"
|
|
notes = "Moved an `unsafe` block while removing `scopeguard` dependency."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.crossbeam-epoch]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.16 -> 0.9.17"
|
|
notes = """
Changes to `unsafe` code are to replace manual pointer logic with equivalent
`unsafe` stdlib methods, now that MSRV is high enough to use them.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.crossbeam-epoch]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.17 -> 0.9.18"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.curve25519-dalek]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "4.1.0 -> 4.1.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.curve25519-dalek]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "4.1.1 -> 4.1.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.curve25519-dalek]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "4.1.2 -> 4.1.3"
|
|
notes = """
- New unsafe is adding `core::ptr::read_volatile` calls for black box
optimization barriers.
- `build.rs` changes are to use `CARGO_CFG_TARGET_POINTER_WIDTH` instead of
`TARGET` and the `platforms` crate for deciding on the target pointer width.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.curve25519-dalek-derive]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.0 -> 0.1.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.der]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.8 -> 0.7.9"
|
|
notes = "The change to ignore RUSTSEC-2023-0071 is correct for this crate."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.ed25519]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.2.1 -> 2.2.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.ed25519]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.2.2 -> 2.2.3"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.ed25519-zebra]]
|
|
who = "Jack Grigg <jack@z.cash>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "3.0.0 -> 3.1.0"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.ed25519-zebra]]
|
|
who = "Daira Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "3.1.0 -> 4.0.0"
|
|
notes = """
Changes are mainly in the pem and pkcs8 features and in Java or Scala code. These do not introduce unsafe code,
but I cannot vouch for their cryptographic correctness or conformance to PEM or PKCS8 standards. I reviewed the
remaining changes from 3.1.0 to 4.0.0 fully.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.ed25519-zebra]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "4.0.0 -> 4.0.3"
|
|
notes = """
`SigningKey::from([u8; 32])` parsing now uses `Scalar::from_bytes_mod_order` instead of
`Scalar::from_bits`. This means that the clamped scalar bits are now reduced before they
are used, which removes the implicit mul-by-cofactor during scalar multiplication (as the
last 3 bits of the scalar are no longer guaranteed to be zero). However, this happens to
be fine in the context of this crate:

- `SigningKey` does not expose its inner `Scalar` directly, so we only need to consider
how it is used within the crate.
- For multiplication within a prime-order (sub)group, we get the same result whether we
reduce before or not. This means that the field-element multiplication during signing,
and the prime-order subgroup component of any group-element scalar multiplication, are
unaffected.
- The only group element that the `Scalar` is multiplied by is the Ed25519 basepoint,
which is torsion free (so the implicit mul-by-cofactor is unnecessary).
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.either]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.8.1 -> 1.9.0"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.either]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.0 -> 1.11.0"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.errno]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.3 -> 0.3.8"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.fastrand]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.1 -> 2.0.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-channel]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.28 -> 0.3.29"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-channel]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.29 -> 0.3.30"
|
|
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-core]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.28 -> 0.3.29"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-core]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.29 -> 0.3.30"
|
|
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-task]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.29 -> 0.3.30"
|
|
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-util]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.28 -> 0.3.29"
|
|
notes = """
Only change to `unsafe` code is to add a `Fut: Send` bound to the
`unsafe impl Sync for FuturesUnordered<Fut>`.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures-util]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.29 -> 0.3.30"
|
|
notes = """
- Removes `build.rs` now that it can rely on the `target_has_atomic` attribute.
- Almost all changes to `unsafe` blocks are to either move them around, or
replace them with safe method calls.
- One new `unsafe` block is added for a slice lifetime transmutation. The slice
reconstruction is obviously correct. AFAICT the lifetime transmutation is also
correct; the slice's lifetime logically comes from the `AsyncBufRead` reader
inside `FillBuf`, rather than the `Context`.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.hermit-abi]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.3 -> 0.3.9"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.http]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.8 -> 0.2.9"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.http]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.11 -> 0.2.12"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.http]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.0 -> 0.2.11"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.inout]]
|
|
who = "Daira Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
notes = "Reviewed in full."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.js-sys]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.66 -> 0.3.69"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.known-folders]]
|
|
who = "Jack Grigg <thestr4d@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
notes = """
Uses `unsafe` blocks to interact with `windows-sys` crate.
- `SHGetKnownFolderPath` safety requirements are met.
- `CoTaskMemFree` has no effect if passed `NULL`, so there is no issue if some
future refactor created a pathway where `ffi::Guard` could be dropped before
`SHGetKnownFolderPath` is called.
- Small nit: `ffi::Guard::as_pwstr` takes `&self` but returns `PWSTR` which is
the mutable type; it should instead return `PCWSTR` which is the const type
(and what `lstrlenW` takes) instead of implicitly const-casting the pointer,
as this would better reflect the intent to take an immutable reference.
- The slice constructed from the `PWSTR` correctly goes out of scope before
`guard` is dropped.
- A code comment says that `path_ptr` is valid for `len` bytes, but `PCWSTR` is
a `*const u16` and `lstrlenW` returns its length \"in characters\" (which the
Windows documentation confirms means the number of `WCHAR` values). This is
likely a typo; the code checks that `len * size_of::<u16>() <= isize::MAX`.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.known-folders]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.1 -> 1.1.0"
|
|
notes = "Addresses the notes from my previous review :)"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.libm]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.7 -> 0.2.8"
|
|
notes = "Forces some intermediate values to not have too much precision on the x87 FPU."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.libredox]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.0.1 -> 0.1.3"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.linux-raw-sys]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.12 -> 0.4.13"
|
|
notes = "Low-level OS interface crate, so `unsafe` code is expected."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.log]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.20 -> 0.4.21"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.maybe-rayon]]
|
|
who = "Sean Bowe <ewillbefull@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.memchr]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.6.4 -> 2.7.1"
|
|
notes = """
Change to an `unsafe fn` is to rework the short-tail handling of a fixed-length
comparison between `u8` pointers. The new tail code matches the existing head
code (but adapted to `u16` and `u8` reads, instead of `u32`).
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.memchr]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.7.1 -> 2.7.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.miniz_oxide]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.1 -> 0.7.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.mio]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.10 -> 0.8.11"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.nix]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.26.2 -> 0.26.4"
|
|
notes = """
Most of the `unsafe` changes are cleaning up their usage:
- Replacing `data.len() * std::mem::size_of::<$ty>()` with `std::mem::size_of_val(data)`.
- Removing some `mem::transmute`s.
- Using `*mut` instead of `*const` to convey intended semantics.

A new unsafe trait method `SockaddrLike::set_length` is added; its impls look fine.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.object]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.32.1 -> 0.32.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.opaque-debug]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.0 -> 0.3.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.phf]]
|
|
who = "Jack Grigg <jack@z.cash>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.0 -> 0.11.1"
|
|
notes = """
Mostly modernisation, migrating to `PhfBorrow`, and making more things `&'static`.
No unsafe code in the new `OrderedMap` and `OrderedSet` types.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.phf]]
|
|
who = "Jack Grigg <thestr4d@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.11.1 -> 0.11.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.phf_generator]]
|
|
who = "Jack Grigg <jack@z.cash>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.0 -> 0.11.1"
|
|
notes = "Just dependency and edition bumps and code formatting."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.phf_generator]]
|
|
who = "Jack Grigg <thestr4d@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.11.1 -> 0.11.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.phf_shared]]
|
|
who = "Jack Grigg <jack@z.cash>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.0 -> 0.11.1"
|
|
notes = """
Adds `uncased` dependency, and newly generates unsafe code to transmute `&'static str`
into `&'static UncasedStr`. I verified that `UncasedStr` is a `#[repr(transparent)]`
newtype around `str`.
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.phf_shared]]
|
|
who = "Jack Grigg <thestr4d@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.11.1 -> 0.11.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.pin-project-lite]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.13 -> 0.2.14"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.proc-macro-crate]]
|
|
who = "Jack Grigg <jack@z.cash>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.2.1 -> 1.3.0"
|
|
notes = "Migrates from `toml` to `toml_edit`."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.proc-macro-crate]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.3.0 -> 1.3.1"
|
|
notes = "Bumps MSRV to 1.60."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.rand_xorshift]]
|
|
who = "Sean Bowe <ewillbefull@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.redjubjub]]
|
|
who = "Daira Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.0"
|
|
notes = """
This crate is a thin wrapper around the `reddsa` crate, which I did not review. I also
did not review tests or verify test vectors.

The comment on `batch::Verifier::verify` has an error in the batch verification equation,
filed as https://github.com/ZcashFoundation/redjubjub/issues/163 . It does not affect the
implementation which just delegates to `reddsa`. `reddsa` has the same comment bug filed as
https://github.com/ZcashFoundation/reddsa/issues/52 , but its batch verification implementation
is correct. (I checked the latter against https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate
which has had previous cryptographic review by NCC group; see finding NCC-Zcash2018-009 in
https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf ).
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.redox_users]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.3 -> 0.4.4"
|
|
notes = "Switches from `redox_syscall` crate to `libredox` crate for syscalls."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.redox_users]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.4 -> 0.4.5"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.regex]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.10.2 -> 1.10.4"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.regex-automata]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.3 -> 0.4.6"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
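# These deltas form two disconnected chains: 0.6.28 -> 0.6.29, and
# 0.7.5 -> 0.8.2 -> 0.8.3. Nothing in this group links 0.6.29 to 0.7.5, so each
# chain needs its own base (full audit or exemption) from another entry or
# import source.
[[audits.zcash.audits.regex-syntax]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.6.28 -> 0.6.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Crosses a minor-version boundary (0.7.x -> 0.8.x); no notes recorded.
[[audits.zcash.audits.regex-syntax]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.7.5 -> 0.8.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.regex-syntax]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.8.2 -> 0.8.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
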
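# Contiguous delta chain 0.1.21 -> 0.1.22 -> 0.1.23, certified by two different
# auditors; neither step carries notes.
[[audits.zcash.audits.rustc-demangle]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.1.21 -> 0.1.22"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.rustc-demangle]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.1.22 -> 0.1.23"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
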
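# Full audit (`version`, not `delta`) of 0.4.0. The notes record a build-time
# trust assumption: the crate runs whichever binary `$RUSTC` names, so the
# conclusion holds only where that variable is set by a trusted party (cargo,
# in a build script). Build setups whose environment variables can be
# influenced by untrusted input should treat `RUSTC` as sensitive.
[[audits.zcash.audits.rustc_version]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = """
Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can
choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will
try `$RUSTC` followed by `rustc`.

If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will
execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should
be set correctly by `cargo`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
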
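# Delta audit; the notes scope the `unsafe` change to a single replacement
# (`mem::forget` -> `ManuallyDrop`), which tells a later reader exactly which
# part of the diff carried the memory-safety risk.
[[audits.zcash.audits.scopeguard]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.2.0"
notes = "Only change to an `unsafe` block is to replace a `mem::forget` with `ManuallyDrop`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
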
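# Contiguous delta chain 1.0.17 -> 1.0.18 -> 1.0.19 -> 1.0.20 -> 1.0.22.
# None of the four steps has notes, and the chain's base (1.0.17) must be
# covered by an entry outside this group.
[[audits.zcash.audits.semver]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.17 -> 1.0.18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.semver]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.semver]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.19 -> 1.0.20"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# This step skips 1.0.21 and covers two releases in one diff.
[[audits.zcash.audits.semver]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.20 -> 1.0.22"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
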
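# Delta across three patch releases; per the notes the only `unsafe` block
# touched was changed for a lint fix.
[[audits.zcash.audits.sharded-slab]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.7"
notes = "Only change to an `unsafe` block is to fix a clippy lint."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
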
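# Full audit of 2.1.0 with an explicit scope limit: the auditor checked for
# `unsafe` code and a build script, and states that cryptographic hazards of
# implementing these traits were NOT reviewed. The `safe-to-deploy` result here
# therefore says nothing about the soundness of signature schemes built on the
# traits; that needs separate review of the implementing crates.
[[audits.zcash.audits.signature]]
who = "Daira Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
version = "2.1.0"
notes = """
This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations.
I did not review whether implementing these APIs would present any undocumented cryptographic hazards.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Delta on top of the full audit above; no notes, so the scope limit stated for
# 2.1.0 is the only documented scope for this chain.
[[audits.zcash.audits.signature]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
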
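# Single-patch delta without notes.
[[audits.zcash.audits.siphasher]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.10 -> 0.3.11"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
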
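# Single-patch delta without notes, so the entry does not say which parts of
# the diff were looked at.
[[audits.zcash.audits.socket2]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.5.5 -> 0.5.6"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
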
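# Delta audit; the notes summarise the behavioural change (string-literal
# parsing) rather than any `unsafe` or build-script change.
[[audits.zcash.audits.syn]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.107 -> 1.0.109"
notes = "Fixes string literal parsing to only skip specified whitespace characters."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
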
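# Contiguous delta chain 3.8.1 -> 3.9.0 -> 3.10.1; neither step has notes.
[[audits.zcash.audits.tempfile]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "3.8.1 -> 3.9.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.tempfile]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "3.9.0 -> 3.10.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
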
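# Contiguous delta chain 1.0.43 -> 1.0.48 -> 1.0.51 -> 1.0.52 -> 1.0.56 -> 1.0.58.
# Two steps carry notes, and both concern the build script: build scripts run
# on the build host at compile time, so changes to them are the part of a diff
# most worth a written record.
[[audits.zcash.audits.thiserror]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.48"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.48 -> 1.0.51"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The build script's rerun condition now depends on an environment variable.
[[audits.zcash.audits.thiserror]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.51 -> 1.0.52"
notes = "Reruns the build script if the `RUSTC_BOOTSTRAP` env variable changes."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Per the notes this refactor removes a filesystem write from the build script.
[[audits.zcash.audits.thiserror]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.52 -> 1.0.56"
notes = """
Build script changes are to refactor the existing probe into a separate file
(which removes a filesystem write), and adjust how it gets rerun in response to
changes in the build environment.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.56 -> 1.0.58"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
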
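# Delta chain with the same version steps as the `thiserror` entries
# (1.0.43 -> 1.0.58). None of these steps has notes. cargo-vet tracks each crate
# separately, so these entries are required even though the two crates are
# released in lockstep here.
[[audits.zcash.audits.thiserror-impl]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.48"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror-impl]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.48 -> 1.0.51"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror-impl]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.51 -> 1.0.52"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror-impl]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.52 -> 1.0.56"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror-impl]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.56 -> 1.0.58"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
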
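# Both deltas introduce new `unsafe` code, and the notes list it. The first
# replaces a lock with an atomic `compare_exchange`, i.e. the change is in
# concurrency-sensitive code.
[[audits.zcash.audits.thread_local]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
delta = "1.1.4 -> 1.1.7"
notes = """
New `unsafe` usage:
- An extra `deallocate_bucket`, to replace a `Mutex::lock` with a `compare_exchange`.
- Setting and getting a `#[thread_local] static mut Option<Thread>` on nightly.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The auditor's own wording is hedged ("likely a correct assumption"): the
# representation assumption was judged plausible, not demonstrated. Anyone
# relying on this entry inherits that residual uncertainty.
[[audits.zcash.audits.thread_local]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.1.7 -> 1.1.8"
notes = """
Adds `unsafe` code that makes an assumption that `ptr::null_mut::<Entry<T>>()` is a valid representation
of an `AtomicPtr<Entry<T>>`, but this is likely a correct assumption.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
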
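# Delta audit; per the notes the release adds `#![forbid(unsafe_code)]`, so
# from 0.1.1 on the compiler rejects `unsafe` in this crate.
[[audits.zcash.audits.tinyvec_macros]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
notes = "Adds `#![forbid(unsafe_code)]` and license files."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
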
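# The notes describe this as a cursory review of a delta that spans two minor
# releases and changes `unsafe` code. The entry still satisfies `safe-to-deploy`
# for cargo-vet, which checks that an audit exists, not how deep it went; the
# depth is documented only in the free-text notes.
[[audits.zcash.audits.tokio]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.35.1 -> 1.37.0"
notes = "Cursory review, but new and changed uses of `unsafe` code look fine, as far as I can see."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
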
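# Full audit of 0.5.1 followed by deltas. The chain in this group is not
# contiguous: 0.5.1 -> 0.6.1 and 0.6.2 -> 0.6.3 are present, while 0.6.1 -> 0.6.2
# is not, so 0.6.3 is reachable only if another entry or import source covers
# that step.
# The same auditor name appears with three different e-mail addresses below.
# `who` is free-form text that cargo-vet stores but does not authenticate; the
# trust anchor is the source the audits file was fetched from.
[[audits.zcash.audits.toml_datetime]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
version = "0.5.1"
notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.toml_datetime]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.5.1 -> 0.6.1"
notes = "Fixes a bug in parsing negative minutes in datetime string offsets."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.toml_datetime]]
who = "Jack Grigg <thestr4d@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.6.2 -> 0.6.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
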
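# Single-patch delta without notes.
[[audits.zcash.audits.tracing-subscriber]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.17 -> 0.3.18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
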
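# Delta audit; per the notes this release removes an `unsafe` block, enabled by
# raising the minimum supported Rust version (MSRV).
[[audits.zcash.audits.try-lock]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.5"
notes = "Bumps MSRV to remove unsafe code block."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
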
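# Delta across a minor-version boundary. The notes name the one function whose
# correctness was checked: a safe function that wraps `unsafe` code, where any
# soundness bug is reachable by callers who never write `unsafe` themselves.
[[audits.zcash.audits.universal-hash]]
who = "Daira Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "I checked correctness of to_blocks which uses unsafe code in a safe function."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
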
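# Seven crates (`wagyu-zcash-parameters` and `-1` through `-6`), each with a
# full audit of 0.2.0 by the same auditor and no notes. Without notes the record
# does not say what was inspected or how the crate contents were validated.
# NOTE(review): the names suggest parameter data split across several crates --
# confirm. If so, the relevant check is integrity of the embedded data against
# a trusted reference, which a code-focused criterion does not describe.
[[audits.zcash.audits.wagyu-zcash-parameters]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-1]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-2]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-3]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-4]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-5]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-6]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
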
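# Delta audit. The notes tie this release to a dependency change (`try-lock`
# 0.2.4): APIs that were unsafe but not marked `unsafe` are replaced. The
# auditor states the old APIs were being used safely, so this reads as
# hardening, not as a fix for an exploitable bug.
[[audits.zcash.audits.want]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = """
Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked
`unsafe` (but that were being used safely).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
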
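# Delta covering three patch releases (0.2.89 -> 0.2.92); no notes recorded.
[[audits.zcash.audits.wasm-bindgen-backend]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.89 -> 0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
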
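# Delta 0.2.89 -> 0.2.92 without notes. NOTE(review): the crate name indicates a
# procedural macro, which would run inside the compiler at build time -- confirm.
[[audits.zcash.audits.wasm-bindgen-macro]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.89 -> 0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
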
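# Unlike the sibling wasm-bindgen crates in this group, this entry is a full
# audit (`version`) of 0.2.92, not a delta, so it needs no base entry. It has
# no notes describing what the full review covered.
[[audits.zcash.audits.wasm-bindgen-macro-support]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
version = "0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
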
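# Contiguous delta chain 0.2.83 -> 0.2.84 -> 0.2.87 -> 0.2.89 -> 0.2.92.
# Only the first step has notes; the base (0.2.83) must be covered elsewhere.
[[audits.zcash.audits.wasm-bindgen-shared]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
delta = "0.2.83 -> 0.2.84"
notes = "Bumps the schema version to add `linked_modules`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wasm-bindgen-shared]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.84 -> 0.2.87"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wasm-bindgen-shared]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.87 -> 0.2.89"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wasm-bindgen-shared]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.89 -> 0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
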
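# Delta covering three patch releases (0.3.66 -> 0.3.69); no notes recorded.
[[audits.zcash.audits.web-sys]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.66 -> 0.3.69"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
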