mirror of https://github.com/zcash/zcash.git
Merge pull request #6864 from daira/more-updates-for-5.9.0
More dependency updates, postponements, and audits for 5.9.0
commit
771bc67cd7
File diff suppressed because it is too large
|
@ -1,8 +1,8 @@
|
|||
package=native_cmake
|
||||
$(package)_version=3.28.3
|
||||
$(package)_version=3.29.2
|
||||
$(package)_download_path=https://github.com/Kitware/CMake/releases/download/v$($(package)_version)
|
||||
$(package)_file_name=cmake-$($(package)_version).tar.gz
|
||||
$(package)_sha256_hash=72b7570e5c8593de6ac4ab433b73eab18c5fb328880460c86ce32608141ad5c1
|
||||
$(package)_sha256_hash=36db4b6926aab741ba6e4b2ea2d99c9193222132308b4dc824d4123cb730352e
|
||||
|
||||
define $(package)_set_vars
|
||||
$(package)_config_opts += -DCMAKE_BUILD_TYPE:STRING=Release
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
package=native_zstd
|
||||
$(package)_version=1.5.5
|
||||
$(package)_version=1.5.6
|
||||
$(package)_download_path=https://github.com/facebook/zstd/releases/download/v$($(package)_version)
|
||||
$(package)_file_name=zstd-$($(package)_version).tar.gz
|
||||
$(package)_sha256_hash=9c4396cc829cfae319a6e2615202e82aad41372073482fce286fac78646d3ee4
|
||||
$(package)_sha256_hash=8c29e06cf42aacc1eafc4077ae2ec6c6fcb96a626157e0593d5e82a34fd403c1
|
||||
$(package)_build_subdir=build/cmake
|
||||
$(package)_dependencies=native_cmake
|
||||
|
||||
|
|
|
@ -30,11 +30,21 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.8.6 -> 0.8.7"
|
||||
notes = "Build-time `stdsimd` detection is replaced with a nightly-only feature flag."
|
||||
|
||||
[[audits.ahash]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.7 -> 0.8.11"
|
||||
|
||||
[[audits.aho-corasick]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.1.1 -> 1.1.2"
|
||||
|
||||
[[audits.aho-corasick]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.1.2 -> 1.1.3"
|
||||
|
||||
[[audits.allocator-api2]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -52,6 +62,11 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.2.15 -> 0.2.16"
|
||||
notes = "Change to `unsafe` block is to fix the `Drop` impl of `Box` to drop its value."
|
||||
|
||||
[[audits.allocator-api2]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.16 -> 0.2.18"
|
||||
|
||||
[[audits.anyhow]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -105,6 +120,11 @@ Build script changes are to refactor the existing probe into a separate file
|
|||
changes in the build environment.
|
||||
"""
|
||||
|
||||
[[audits.anyhow]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.79 -> 1.0.82"
|
||||
|
||||
[[audits.arrayref]]
|
||||
who = "Sean Bowe <ewillbefull@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -127,6 +147,12 @@ then loaded. These appear to all derive from existing paths that themselves were
|
|||
being mmapped and loaded.
|
||||
"""
|
||||
|
||||
[[audits.backtrace]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.69 -> 0.3.71"
|
||||
notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible."
|
||||
|
||||
[[audits.base64]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -137,6 +163,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.21.4 -> 0.21.5"
|
||||
|
||||
[[audits.base64]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.21.5 -> 0.21.7"
|
||||
|
||||
[[audits.bech32]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -204,12 +235,22 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.7.1 -> 0.8.0"
|
||||
notes = "I previously reviewed the crypto-sensitive portions of these changes as well."
|
||||
|
||||
[[audits.bs58]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.5.0 -> 0.5.1"
|
||||
|
||||
[[audits.bumpalo]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "3.11.1 -> 3.12.0"
|
||||
notes = "Changes to `unsafe` code are to replace `mem::forget` uses with `ManuallyDrop`."
|
||||
|
||||
[[audits.bumpalo]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "3.15.4 -> 3.16.0"
|
||||
|
||||
[[audits.byte-slice-cast]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -246,6 +287,32 @@ notes = """
|
|||
almost identically to the existing `unsafe impl BufMut for &mut [u8]`.
|
||||
"""
|
||||
|
||||
[[audits.bytes]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.5.0 -> 1.6.0"
|
||||
notes = """
|
||||
There is significant use of `unsafe` code, but safety requirements are well documented
|
||||
and appear correct as far as I can see.
|
||||
"""
|
||||
|
||||
[[audits.cc]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.83 -> 1.0.94"
|
||||
notes = """
|
||||
The optimization to use `buffer.set_len(buffer.capacity())` in `command_helpers::StderrForwarder::forward_available`
|
||||
doesn't look panic-safe: if `stderr.read` panics and that panic is caught by a caller of `forward_available`, then
|
||||
the inner buffer of `StderrForwarder` will contain uninitialized data. This looks difficult to trigger in practice,
|
||||
but I have opened an issue <https://github.com/rust-lang/cc-rs/issues/1036>.
|
||||
|
||||
`parallel::async_executor` contains `unsafe` pinning code but it looks reasonable. Similarly for the `unsafe`
|
||||
initialization code in `parallel::job_token::JobTokenServer` and file operations in `parallel::stderr`.
|
||||
|
||||
This crate executes commands, and my review is likely not sufficient to detect subtle backdoors.
|
||||
I did not review the use of library handles in the `com` package on Windows.
|
||||
"""
|
||||
|
||||
[[audits.chacha20]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = ["crypto-reviewed", "safe-to-deploy"]
|
||||
|
@ -345,6 +412,11 @@ LoongArch64 CPU feature detection support. This and the supporting macro code is
|
|||
the same as the existing Linux code for AArch64.
|
||||
"""
|
||||
|
||||
[[audits.cpufeatures]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.11 -> 0.2.12"
|
||||
|
||||
[[audits.crossbeam-channel]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -376,6 +448,12 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.3 -> 0.8.4"
|
||||
|
||||
[[audits.crossbeam-deque]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.4 -> 0.8.5"
|
||||
notes = "Changes to `unsafe` code look okay."
|
||||
|
||||
[[audits.crossbeam-epoch]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -403,6 +481,11 @@ Changes to `unsafe` code are to replace manual pointer logic with equivalent
|
|||
`unsafe` stdlib methods, now that MSRV is high enough to use them.
|
||||
"""
|
||||
|
||||
[[audits.crossbeam-epoch]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.9.17 -> 0.9.18"
|
||||
|
||||
[[audits.crossbeam-utils]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -455,6 +538,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = ["safe-to-deploy", "crypto-reviewed"]
|
||||
delta = "4.1.0 -> 4.1.1"
|
||||
|
||||
[[audits.curve25519-dalek]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "4.1.1 -> 4.1.2"
|
||||
|
||||
[[audits.curve25519-dalek-derive]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = ["safe-to-deploy", "crypto-reviewed"]
|
||||
|
@ -675,6 +763,12 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.111 -> 1.0.113"
|
||||
|
||||
[[audits.der]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.7.8 -> 0.7.9"
|
||||
notes = "The change to ignore RUSTSEC-2023-0071 is correct for this crate."
|
||||
|
||||
[[audits.deranged]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -760,6 +854,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.8.1 -> 1.9.0"
|
||||
|
||||
[[audits.either]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.9.0 -> 1.11.0"
|
||||
|
||||
[[audits.equivalent]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -785,6 +884,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "2.0.0 -> 2.0.1"
|
||||
|
||||
[[audits.fastrand]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.0.1 -> 2.0.2"
|
||||
|
||||
[[audits.ff]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1037,11 +1141,21 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.1 -> 0.3.2"
|
||||
|
||||
[[audits.hermit-abi]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.3 -> 0.3.9"
|
||||
|
||||
[[audits.http]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.8 -> 0.2.9"
|
||||
|
||||
[[audits.http]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.11 -> 0.2.12"
|
||||
|
||||
[[audits.http]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1171,6 +1285,11 @@ notes = """
|
|||
MDN documentation.
|
||||
"""
|
||||
|
||||
[[audits.js-sys]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.66 -> 0.3.69"
|
||||
|
||||
[[audits.jubjub]]
|
||||
who = "Sean Bowe <ewillbefull@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1221,6 +1340,11 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.2.7 -> 0.2.8"
|
||||
notes = "Forces some intermediate values to not have too much precision on the x87 FPU."
|
||||
|
||||
[[audits.libredox]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.0.1 -> 0.1.3"
|
||||
|
||||
[[audits.link-cplusplus]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1231,6 +1355,12 @@ who = "Jack Grigg <jack@z.cash>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.7 -> 1.0.8"
|
||||
|
||||
[[audits.linux-raw-sys]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.12 -> 0.4.13"
|
||||
notes = "Low-level OS interface crate, so `unsafe` code is expected."
|
||||
|
||||
[[audits.lock_api]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1253,6 +1383,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.19 -> 0.4.20"
|
||||
|
||||
[[audits.log]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.20 -> 0.4.21"
|
||||
|
||||
[[audits.maybe-rayon]]
|
||||
who = "Sean Bowe <ewillbefull@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1273,6 +1408,11 @@ comparison between `u8` pointers. The new tail code matches the existing head
|
|||
code (but adapted to `u16` and `u8` reads, instead of `u32`).
|
||||
"""
|
||||
|
||||
[[audits.memchr]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.7.1 -> 2.7.2"
|
||||
|
||||
[[audits.memoffset]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1330,6 +1470,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.15.0 -> 0.15.1"
|
||||
|
||||
[[audits.miniz_oxide]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.7.1 -> 0.7.2"
|
||||
|
||||
[[audits.mio]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1371,6 +1516,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.6 -> 0.8.8"
|
||||
|
||||
[[audits.mio]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.10 -> 0.8.11"
|
||||
|
||||
[[audits.nix]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1390,6 +1540,11 @@ Most of the `unsafe` changes are cleaning up their usage:
|
|||
A new unsafe trait method `SockaddrLike::set_length` is added; it's impls look fine.
|
||||
"""
|
||||
|
||||
[[audits.num-conv]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.1.0"
|
||||
|
||||
[[audits.num-integer]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1427,6 +1582,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.32.0 -> 0.32.1"
|
||||
|
||||
[[audits.object]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.32.1 -> 0.32.2"
|
||||
|
||||
[[audits.once_cell]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1436,6 +1596,11 @@ Small refactor that reduces the overall amount of `unsafe` code. The new strict
|
|||
approach looks reasonable.
|
||||
"""
|
||||
|
||||
[[audits.opaque-debug]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.0 -> 0.3.1"
|
||||
|
||||
[[audits.pairing]]
|
||||
who = "Sean Bowe <ewillbefull@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1568,6 +1733,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.9 -> 0.2.13"
|
||||
|
||||
[[audits.pin-project-lite]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.13 -> 0.2.14"
|
||||
|
||||
[[audits.platforms]]
|
||||
who = "Daira Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1593,6 +1763,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "3.2.0 -> 3.3.0"
|
||||
|
||||
[[audits.platforms]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "3.3.0 -> 3.4.0"
|
||||
|
||||
[[audits.poly1305]]
|
||||
who = "Daira Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1761,6 +1936,11 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.4.3 -> 0.4.4"
|
||||
notes = "Switches from `redox_syscall` crate to `libredox` crate for syscalls."
|
||||
|
||||
[[audits.redox_users]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.4 -> 0.4.5"
|
||||
|
||||
[[audits.regex]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1776,6 +1956,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.9.5 -> 1.10.2"
|
||||
|
||||
[[audits.regex]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.10.2 -> 1.10.4"
|
||||
|
||||
[[audits.regex-automata]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1785,6 +1970,11 @@ There were additions to an `unsafe` trait, but the new code itself doesn't use
|
|||
any `unsafe` functions.
|
||||
"""
|
||||
|
||||
[[audits.regex-automata]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.3 -> 0.4.6"
|
||||
|
||||
[[audits.regex-syntax]]
|
||||
who = "Sean Bowe <ewillbefull@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1800,6 +1990,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.7.5 -> 0.8.2"
|
||||
|
||||
[[audits.regex-syntax]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.2 -> 0.8.3"
|
||||
|
||||
[[audits.rustc-demangle]]
|
||||
who = "Sean Bowe <ewillbefull@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1824,6 +2019,12 @@ execute arbitrary code. But when this crate is used within a build script, `$RUS
|
|||
be set correctly by `cargo`.
|
||||
"""
|
||||
|
||||
[[audits.rustix]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.38.28 -> 0.38.32"
|
||||
notes = "Cursory review."
|
||||
|
||||
[[audits.ryu]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1839,6 +2040,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.15 -> 1.0.16"
|
||||
|
||||
[[audits.ryu]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.16 -> 1.0.17"
|
||||
|
||||
[[audits.scopeguard]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1860,6 +2066,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.19 -> 1.0.20"
|
||||
|
||||
[[audits.semver]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.20 -> 1.0.22"
|
||||
|
||||
[[audits.serde]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1978,6 +2189,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.108 -> 1.0.110"
|
||||
|
||||
[[audits.serde_json]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.110 -> 1.0.116"
|
||||
|
||||
[[audits.sha2]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2025,6 +2241,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.0 -> 0.2.1"
|
||||
|
||||
[[audits.sketches-ddsketch]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.1 -> 0.2.2"
|
||||
|
||||
[[audits.socket2]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2043,6 +2264,11 @@ Adds support for Sony Vita targets. New `unsafe` blocks are for Vita-specific
|
|||
`libc` calls to `getsockopt` and `setsockopt` for non-blocking behaviour.
|
||||
"""
|
||||
|
||||
[[audits.socket2]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.5.5 -> 0.5.6"
|
||||
|
||||
[[audits.syn]]
|
||||
who = "Daira Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2109,6 +2335,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "2.0.43 -> 2.0.46"
|
||||
|
||||
[[audits.syn]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.0.46 -> 2.0.59"
|
||||
|
||||
[[audits.tempfile]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2130,6 +2361,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "3.8.1 -> 3.9.0"
|
||||
|
||||
[[audits.tempfile]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "3.9.0 -> 3.10.1"
|
||||
|
||||
[[audits.terminfo]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2174,6 +2410,11 @@ Build script changes are to refactor the existing probe into a separate file
|
|||
changes in the build environment.
|
||||
"""
|
||||
|
||||
[[audits.thiserror]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.56 -> 1.0.58"
|
||||
|
||||
[[audits.thiserror-impl]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2206,6 +2447,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.52 -> 1.0.56"
|
||||
|
||||
[[audits.thiserror-impl]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.56 -> 1.0.58"
|
||||
|
||||
[[audits.thread_local]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2216,6 +2462,15 @@ New `unsafe` usage:
|
|||
- Setting and getting a `#[thread_local] static mut Option<Thread>` on nightly.
|
||||
"""
|
||||
|
||||
[[audits.thread_local]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.1.7 -> 1.1.8"
|
||||
notes = """
|
||||
Adds `unsafe` code that makes an assumption that `ptr::null_mut::<Entry<T>>()` is a valid representation
|
||||
of an `AtomicPtr<Entry<T>>`, but this is likely a correct assumption.
|
||||
"""
|
||||
|
||||
[[audits.time]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2235,6 +2490,12 @@ Removes one `unsafe` block by repurposing a constructor containing a more
|
|||
general invocation of the same `unsafe` function.
|
||||
"""
|
||||
|
||||
[[audits.time]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.31 -> 0.3.36"
|
||||
notes = "Some use of `unsafe` code but its safety requirements are documented and look okay."
|
||||
|
||||
[[audits.time-core]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2289,6 +2550,11 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.15 -> 0.2.16"
|
||||
|
||||
[[audits.time-macros]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.16 -> 0.2.18"
|
||||
|
||||
[[audits.tinyvec_macros]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2300,6 +2566,12 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.35.0 -> 1.35.1"
|
||||
|
||||
[[audits.tokio]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.35.1 -> 1.37.0"
|
||||
notes = "Cursory review, but new and changed uses of `unsafe` code look fine, as far as I can see."
|
||||
|
||||
[[audits.toml_datetime]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2468,11 +2740,26 @@ Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked
|
|||
`unsafe` (but that were being used safely).
|
||||
"""
|
||||
|
||||
[[audits.wasm-bindgen-backend]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.89 -> 0.2.92"
|
||||
|
||||
[[audits.wasm-bindgen-macro]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.87 -> 0.2.89"
|
||||
|
||||
[[audits.wasm-bindgen-macro]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.89 -> 0.2.92"
|
||||
|
||||
[[audits.wasm-bindgen-macro-support]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.2.92"
|
||||
|
||||
[[audits.wasm-bindgen-macro-support]]
|
||||
who = "Jack Grigg <jack@electriccoin.co>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2494,6 +2781,16 @@ who = "Jack Grigg <jack@electriccoin.co>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.87 -> 0.2.89"
|
||||
|
||||
[[audits.wasm-bindgen-shared]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.89 -> 0.2.92"
|
||||
|
||||
[[audits.web-sys]]
|
||||
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.3.66 -> 0.3.69"
|
||||
|
||||
[[audits.which]]
|
||||
who = "Jack Grigg <jack@z.cash>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -2594,7 +2891,7 @@ end = "2024-09-21"
|
|||
|
||||
[[trusted.halo2_legacy_pdqsort]]
|
||||
criteria = ["safe-to-deploy", "crypto-reviewed"]
|
||||
user-id = 199950 # Daira Hopwood (daira)
|
||||
user-id = 199950 # Daira Emma Hopwood (daira)
|
||||
start = "2023-02-24"
|
||||
end = "2024-09-21"
|
||||
|
||||
|
@ -2748,6 +3045,12 @@ user-id = 6289 # str4d
|
|||
start = "2021-03-26"
|
||||
end = "2024-09-21"
|
||||
|
||||
[[trusted.zcash_protocol]]
|
||||
criteria = "safe-to-deploy"
|
||||
user-id = 169181 # Kris Nuttycombe (nuttycom)
|
||||
start = "2024-01-27"
|
||||
end = "2025-04-16"
|
||||
|
||||
[[trusted.zcash_spec]]
|
||||
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
|
||||
user-id = 6289 # str4d
|
||||
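Review bot: The new `[[audits.curve25519-dalek]]` entry for `4.1.1 -> 4.1.2` records only `criteria = "safe-to-deploy"`, while the preceding `4.1.0 -> 4.1.1` audit shown as context in the same hunk carries `["safe-to-deploy", "crypto-reviewed"]`. If the policy for this crate (not visible on this page) requires `crypto-reviewed`, the delta chain for that criterion stops at 4.1.1; either certify the delta as `criteria = ["safe-to-deploy", "crypto-reviewed"]` or add a `notes` line saying why the change needs no crypto review. Separately, the `cc`, `rustix` and `tokio` entries certify `safe-to-deploy` with notes that describe the review as partial or cursory (`cc` explicitly leaves the Windows `com` code unreviewed); a one-line note on `rustix` and `tokio` naming what was and was not covered, as `cc` already does, would let a later auditor see where to pick up.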
|
|
|
@ -279,10 +279,6 @@ criteria = "safe-to-deploy"
|
|||
version = "2.5.0"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.itoa]]
|
||||
version = "1.0.2"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.js-sys]]
|
||||
version = "0.3.60"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -443,10 +439,6 @@ criteria = "safe-to-deploy"
|
|||
version = "0.3.0"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.redox_syscall]]
|
||||
version = "0.4.1"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.redox_users]]
|
||||
version = "0.4.3"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -503,14 +495,6 @@ criteria = "safe-to-deploy"
|
|||
version = "0.8.0"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.serde]]
|
||||
version = "1.0.136"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.serde_derive]]
|
||||
version = "1.0.136"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.serde_json]]
|
||||
version = "1.0.81"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -608,7 +592,7 @@ version = "0.11.0+wasi-snapshot-preview1"
|
|||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.wasm-bindgen]]
|
||||
version = "0.2.89"
|
||||
version = "0.2.92"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.wasm-bindgen-backend]]
|
||||
|
@ -619,10 +603,6 @@ criteria = "safe-to-deploy"
|
|||
version = "0.2.87"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.wasm-bindgen-macro-support]]
|
||||
version = "0.2.87"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.web-sys]]
|
||||
version = "0.3.66"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -643,6 +623,10 @@ criteria = "safe-to-deploy"
|
|||
version = "0.4.0"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.windows_i686_gnullvm]]
|
||||
version = "0.52.5"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.wyz]]
|
||||
version = "0.5.0"
|
||||
criteria = "safe-to-deploy"
|
||||
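Review bot: The `[[exemptions.wasm-bindgen]]` entry is moved from `0.2.89` to `0.2.92`, which re-exempts the whole crate at the new version with no reviewer recorded, whereas the sibling `wasm-bindgen-backend`, `wasm-bindgen-macro` and `wasm-bindgen-shared` crates in this commit get `0.2.89 -> 0.2.92` delta audits. A delta audit for `wasm-bindgen` itself would let the exemption stay at the older version and shrink the unaudited surface over time; if that review is postponed, say so on the entry, e.g. `notes = "Delta 0.2.89 -> 0.2.92 not yet audited; exemption bumped for 5.9.0."`. The newly added `[[exemptions.windows_i686_gnullvm]]` at `0.52.5` likewise has no stated reason; the other `windows_*` target crates appear elsewhere on this page with publisher records rather than exemptions, so it is worth checking whether this one can be covered the same way.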
|
|
|
@ -8,8 +8,8 @@ user-id = 6289
|
|||
user-login = "str4d"
|
||||
|
||||
[[publisher.bumpalo]]
|
||||
version = "3.14.0"
|
||||
when = "2023-09-14"
|
||||
version = "3.15.4"
|
||||
when = "2024-03-07"
|
||||
user-id = 696
|
||||
user-login = "fitzgen"
|
||||
user-name = "Nick Fitzgerald"
|
||||
|
@ -37,7 +37,7 @@ version = "0.1.0"
|
|||
when = "2023-03-10"
|
||||
user-id = 199950
|
||||
user-login = "daira"
|
||||
user-name = "Daira Hopwood"
|
||||
user-name = "Daira Emma Hopwood"
|
||||
|
||||
[[publisher.halo2_proofs]]
|
||||
version = "0.3.0"
|
||||
|
@ -46,10 +46,11 @@ user-id = 1244
|
|||
user-login = "ebfull"
|
||||
|
||||
[[publisher.incrementalmerkletree]]
|
||||
version = "0.5.0"
|
||||
when = "2023-09-08"
|
||||
user-id = 6289
|
||||
user-login = "str4d"
|
||||
version = "0.5.1"
|
||||
when = "2024-03-25"
|
||||
user-id = 169181
|
||||
user-login = "nuttycom"
|
||||
user-name = "Kris Nuttycombe"
|
||||
|
||||
[[publisher.orchard]]
|
||||
version = "0.7.1"
|
||||
|
@ -58,11 +59,18 @@ user-id = 6289
|
|||
user-login = "str4d"
|
||||
|
||||
[[publisher.sapling-crypto]]
|
||||
version = "0.1.1"
|
||||
when = "2024-02-15"
|
||||
version = "0.1.3"
|
||||
when = "2024-03-25"
|
||||
user-id = 6289
|
||||
user-login = "str4d"
|
||||
|
||||
[[publisher.unicode-normalization]]
|
||||
version = "0.1.23"
|
||||
when = "2024-02-20"
|
||||
user-id = 1139
|
||||
user-login = "Manishearth"
|
||||
user-name = "Manish Goregaokar"
|
||||
|
||||
[[publisher.windows-sys]]
|
||||
version = "0.48.0"
|
||||
when = "2023-03-31"
|
||||
|
@ -85,8 +93,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows-targets]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -99,8 +107,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_aarch64_gnullvm]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -113,8 +121,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_aarch64_msvc]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -127,8 +135,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_i686_gnu]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -141,8 +149,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_i686_msvc]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -155,8 +163,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_x86_64_gnu]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -169,8 +177,8 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_x86_64_gnullvm]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
@ -183,15 +191,15 @@ user-login = "kennykerr"
|
|||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.windows_x86_64_msvc]]
|
||||
version = "0.52.0"
|
||||
when = "2023-11-15"
|
||||
version = "0.52.5"
|
||||
when = "2024-04-12"
|
||||
user-id = 64539
|
||||
user-login = "kennykerr"
|
||||
user-name = "Kenny Kerr"
|
||||
|
||||
[[publisher.zcash_address]]
|
||||
version = "0.3.1"
|
||||
when = "2024-01-12"
|
||||
version = "0.3.2"
|
||||
when = "2024-03-06"
|
||||
user-id = 6289
|
||||
user-login = "str4d"
|
||||
|
||||
|
@ -226,6 +234,13 @@ when = "2024-03-01"
|
|||
user-id = 6289
|
||||
user-login = "str4d"
|
||||
|
||||
[[publisher.zcash_protocol]]
|
||||
version = "0.1.1"
|
||||
when = "2024-03-25"
|
||||
user-id = 169181
|
||||
user-login = "nuttycom"
|
||||
user-name = "Kris Nuttycombe"
|
||||
|
||||
[[publisher.zcash_spec]]
|
||||
version = "0.1.0"
|
||||
when = "2023-12-07"
|
||||
|
@ -233,8 +248,8 @@ user-id = 6289
|
|||
user-login = "str4d"
|
||||
|
||||
[[publisher.zip32]]
|
||||
version = "0.1.0"
|
||||
when = "2023-12-06"
|
||||
version = "0.1.1"
|
||||
when = "2024-03-14"
|
||||
user-id = 6289
|
||||
user-login = "str4d"
|
||||
|
||||
|
@ -283,25 +298,6 @@ criteria = "safe-to-deploy"
|
|||
version = "0.21.0"
|
||||
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
|
||||
|
||||
[[audits.bytecode-alliance.audits.bitflags]]
|
||||
who = "Jamey Sharp <jsharp@fastly.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.1.0 -> 2.2.1"
|
||||
notes = """
|
||||
This version adds unsafe impls of traits from the bytemuck crate when built
|
||||
with that library enabled, but I believe the impls satisfy the documented
|
||||
safety requirements for bytemuck. The other changes are minor.
|
||||
"""
|
||||
|
||||
[[audits.bytecode-alliance.audits.bitflags]]
|
||||
who = "Alex Crichton <alex@alexcrichton.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.3.2 -> 2.3.3"
|
||||
notes = """
|
||||
Nothing outside the realm of what one would expect from a bitflags generator,
|
||||
all as expected.
|
||||
"""
|
||||
|
||||
[[audits.bytecode-alliance.audits.block-buffer]]
|
||||
who = "Benjamin Bouvier <public@benj.me>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -371,6 +367,12 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.2.9 -> 1.0.0"
|
||||
notes = "Minor changes leading up to the 1.0.0 release and nothing fundamentally new here."
|
||||
|
||||
[[audits.bytecode-alliance.audits.libc]]
|
||||
who = "Alex Crichton <alex@alexcrichton.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.151 -> 0.2.153"
|
||||
notes = "More bindings for more platforms. I have not verified that everything is exactly as-is on the platform as specified but nothing major is otherwise introduced as part of this bump."
|
||||
|
||||
[[audits.bytecode-alliance.audits.libm]]
|
||||
who = "Alex Crichton <alex@alexcrichton.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -390,6 +392,12 @@ This is a minor update which has some testing affordances as well as some
|
|||
updated math algorithms.
|
||||
"""
|
||||
|
||||
[[audits.bytecode-alliance.audits.mach2]]
|
||||
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.1 -> 0.4.2"
|
||||
notes = "It does unsafe FFI bindings, as expected. I didn't check the FFI bindings against the C headers."
|
||||
|
||||
[[audits.bytecode-alliance.audits.matchers]]
|
||||
who = "Pat Hickey <phickey@fastly.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -447,25 +455,6 @@ who = "Pat Hickey <phickey@fastly.com>"
|
|||
criteria = "safe-to-deploy"
|
||||
version = "0.1.0"
|
||||
|
||||
[[audits.bytecode-alliance.audits.proc-macro2]]
|
||||
who = "Pat Hickey <phickey@fastly.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.51 -> 1.0.57"
|
||||
|
||||
[[audits.bytecode-alliance.audits.proc-macro2]]
|
||||
who = "Alex Crichton <alex@alexcrichton.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.59 -> 1.0.63"
|
||||
notes = """
|
||||
This is a routine update for new nightly features and new syntax popping up on
|
||||
nightly, nothing out of the ordinary.
|
||||
"""
|
||||
|
||||
[[audits.bytecode-alliance.audits.quote]]
|
||||
who = "Pat Hickey <phickey@fastly.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.23 -> 1.0.27"
|
||||
|
||||
[[audits.bytecode-alliance.audits.rustc-demangle]]
|
||||
who = "Alex Crichton <alex@alexcrichton.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -537,18 +526,6 @@ who = "Pat Hickey <phickey@fastly.com>"
|
|||
criteria = "safe-to-deploy"
|
||||
version = "1.0.8"
|
||||
|
||||
[[audits.bytecode-alliance.audits.unicode-normalization]]
|
||||
who = "Alex Crichton <alex@alexcrichton.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.1.19"
|
||||
notes = """
|
||||
This crate contains one usage of `unsafe` which I have manually checked to see
|
||||
it as correct. This crate's size comes in large part due to the generated
|
||||
unicode tables that it contains. This crate is additionally widely used
|
||||
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
|
||||
and nothing suspicious.
|
||||
"""
|
||||
|
||||
[[audits.bytecode-alliance.audits.want]]
|
||||
who = "Pat Hickey <phickey@fastly.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -583,6 +560,62 @@ criteria = "safe-to-deploy"
|
|||
version = "0.1.0"
|
||||
notes = "No unsafe usage or ambient capabilities, sane build script"
|
||||
|
||||
[[audits.google.audits.aes]]
|
||||
who = "David Koloski <dkoloski@google.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.2 -> 0.8.4"
|
||||
notes = "Audited at https://fxrev.dev/987054"
|
||||
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.autocfg]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.1.0"
|
||||
notes = """
|
||||
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
||||
and there were no hits except for reasonable, client-controlled usage of
|
||||
`std::fs` in `AutoCfg::with_dir`.
|
||||
|
||||
This crate has been added to Chromium in
|
||||
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
|
||||
The CL description contains a link to a Google-internal document with audit details.
|
||||
"""
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.autocfg]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.1.0 -> 1.2.0"
|
||||
notes = '''
|
||||
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
||||
and nothing changed from the baseline audit of 1.1.0. Skimmed through the
|
||||
1.1.0 => 1.2.0 delta and everything seemed okay.
|
||||
'''
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.bitflags]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "2.4.2"
|
||||
notes = """
|
||||
Audit notes:
|
||||
|
||||
* I've checked for any discussion in Google-internal cl/546819168 (where audit
|
||||
of version 2.3.3 happened)
|
||||
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
|
||||
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
|
||||
correct in a straightforward way - they just propagate the marker trait's
|
||||
impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type
|
||||
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
|
||||
"""
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.bitflags]]
|
||||
who = "Adrian Taylor <adetaylor@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.4.2 -> 2.5.0"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.cxxbridge-flags]]
|
||||
who = "George Burgess IV <gbiv@google.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -605,6 +638,35 @@ criteria = "safe-to-deploy"
|
|||
version = "1.0.3"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.itoa]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.10"
|
||||
notes = '''
|
||||
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
||||
|
||||
There are a few places where `unsafe` is used. Unsafe review notes can be found
|
||||
in https://crrev.com/c/5350697.
|
||||
|
||||
Version 1.0.1 of this crate has been added to Chromium in
|
||||
https://crrev.com/c/3321896.
|
||||
'''
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.itoa]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.10 -> 1.0.11"
|
||||
notes = """
|
||||
Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits:
|
||||
|
||||
* Bumping up the version
|
||||
* A touch up of comments
|
||||
* And my own PR to make `unsafe` blocks more granular:
|
||||
https://github.com/dtolnay/itoa/pull/42
|
||||
"""
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.link-cplusplus]]
|
||||
who = "George Burgess IV <gbiv@google.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -631,17 +693,82 @@ version = "0.2.9"
|
|||
notes = "Reviewed on https://fxrev.dev/824504"
|
||||
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.proc-macro2]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.78"
|
||||
notes = """
|
||||
Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
||||
(except for a benign \"fs\" hit in a doc comment)
|
||||
|
||||
Notes from the `unsafe` review can be found in https://crrev.com/c/5385745.
|
||||
"""
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.proc-macro2]]
|
||||
who = "Adrian Taylor <adetaylor@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.78 -> 1.0.79"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.proc-macro2]]
|
||||
who = "Adrian Taylor <adetaylor@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.79 -> 1.0.80"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.quote]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.35"
|
||||
notes = """
|
||||
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
||||
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
|
||||
"""
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.quote]]
|
||||
who = "Adrian Taylor <adetaylor@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.35 -> 1.0.36"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.serde]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.197"
|
||||
notes = """
|
||||
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
|
||||
|
||||
There were some hits for `net`, but they were related to serialization and
|
||||
not actually opening any connections or anything like that.
|
||||
|
||||
There were 2 hits of `unsafe` when grepping:
|
||||
* In `fn as_str` in `impl Buf`
|
||||
* In `fn serialize` in `impl Serialize for net::Ipv4Addr`
|
||||
|
||||
Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this
|
||||
review also covered `serde_json_lenient`).
|
||||
|
||||
Version 1.0.130 of the crate has been added to Chromium in
|
||||
https://crrev.com/c/3265545. The CL description contains a link to a
|
||||
(Google-internal, sorry) document with a mini security review.
|
||||
"""
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.serde_derive]]
|
||||
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.197"
|
||||
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.google.audits.version_check]]
|
||||
who = "George Burgess IV <gbiv@google.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.9.4"
|
||||
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
||||
|
||||
[[audits.isrg.audits.aes]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.2 -> 0.8.3"
|
||||
|
||||
[[audits.isrg.audits.base64]]
|
||||
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -736,6 +863,16 @@ who = "David Cook <dcook@divviup.org>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.4 -> 0.2.5"
|
||||
|
||||
[[audits.isrg.audits.fiat-crypto]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.5 -> 0.2.6"
|
||||
|
||||
[[audits.isrg.audits.fiat-crypto]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.6 -> 0.2.7"
|
||||
|
||||
[[audits.isrg.audits.getrandom]]
|
||||
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -747,6 +884,16 @@ who = "Brandon Pitman <bran@bran.land>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.10 -> 0.2.11"
|
||||
|
||||
[[audits.isrg.audits.getrandom]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.11 -> 0.2.12"
|
||||
|
||||
[[audits.isrg.audits.getrandom]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.12 -> 0.2.14"
|
||||
|
||||
[[audits.isrg.audits.hmac]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -757,6 +904,11 @@ who = "David Cook <dcook@divviup.org>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.4.3 -> 0.4.4"
|
||||
|
||||
[[audits.isrg.audits.num-integer]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.1.45 -> 0.1.46"
|
||||
|
||||
[[audits.isrg.audits.num-traits]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -767,6 +919,11 @@ who = "Ameer Ghani <inahga@divviup.org>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.16 -> 0.2.17"
|
||||
|
||||
[[audits.isrg.audits.num-traits]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.2.17 -> 0.2.18"
|
||||
|
||||
[[audits.isrg.audits.once_cell]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -807,75 +964,25 @@ who = "David Cook <dcook@divviup.org>"
|
|||
criteria = "safe-to-deploy"
|
||||
delta = "1.7.0 -> 1.8.0"
|
||||
|
||||
[[audits.isrg.audits.rayon-core]]
|
||||
[[audits.isrg.audits.rayon]]
|
||||
who = "Ameer Ghani <inahga@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.8.0 -> 1.8.1"
|
||||
|
||||
[[audits.isrg.audits.rayon]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.10.2 -> 1.11.0"
|
||||
delta = "1.8.1 -> 1.9.0"
|
||||
|
||||
[[audits.isrg.audits.rayon]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.9.0 -> 1.10.0"
|
||||
|
||||
[[audits.isrg.audits.rayon-core]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
who = "Ameer Ghani <inahga@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.11.0 -> 1.12.0"
|
||||
|
||||
[[audits.isrg.audits.serde]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.152 -> 1.0.153"
|
||||
|
||||
[[audits.isrg.audits.serde]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.153 -> 1.0.154"
|
||||
|
||||
[[audits.isrg.audits.serde]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.154 -> 1.0.155"
|
||||
|
||||
[[audits.isrg.audits.serde]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.156 -> 1.0.159"
|
||||
|
||||
[[audits.isrg.audits.serde]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.160 -> 1.0.162"
|
||||
|
||||
[[audits.isrg.audits.serde]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.162 -> 1.0.163"
|
||||
|
||||
[[audits.isrg.audits.serde_derive]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.152 -> 1.0.153"
|
||||
|
||||
[[audits.isrg.audits.serde_derive]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.153 -> 1.0.154"
|
||||
|
||||
[[audits.isrg.audits.serde_derive]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.154 -> 1.0.155"
|
||||
|
||||
[[audits.isrg.audits.serde_derive]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.156 -> 1.0.159"
|
||||
|
||||
[[audits.isrg.audits.serde_derive]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.160 -> 1.0.162"
|
||||
|
||||
[[audits.isrg.audits.serde_derive]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.162 -> 1.0.163"
|
||||
version = "1.12.1"
|
||||
|
||||
[[audits.isrg.audits.serde_json]]
|
||||
who = "Brandon Pitman <bran@bran.land>"
|
||||
|
@ -922,6 +1029,15 @@ who = "David Cook <dcook@divviup.org>"
|
|||
criteria = "safe-to-deploy"
|
||||
version = "0.2.83"
|
||||
|
||||
[[audits.mozilla.wildcard-audits.unicode-normalization]]
|
||||
who = "Manish Goregaokar <manishsmail@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
user-id = 1139 # Manish Goregaokar (Manishearth)
|
||||
start = "2019-11-06"
|
||||
end = "2024-05-03"
|
||||
notes = "All code written or reviewed by Manish"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.anyhow]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -947,13 +1063,6 @@ criteria = "safe-to-deploy"
|
|||
delta = "1.0.62 -> 1.0.68"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.autocfg]]
|
||||
who = "Josh Stone <jistone@redhat.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.1.0"
|
||||
notes = "All code written or reviewed by Josh Stone."
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.bit-set]]
|
||||
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -974,32 +1083,6 @@ version = "0.6.3"
|
|||
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.bitflags]]
|
||||
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.3.2 -> 2.0.2"
|
||||
notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.bitflags]]
|
||||
who = "Nicolas Silva <nical@fastmail.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.0.2 -> 2.1.0"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.bitflags]]
|
||||
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.2.1 -> 2.3.2"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.bitflags]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "2.4.0 -> 2.4.1"
|
||||
notes = "Only allowing new clippy lints"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.block-buffer]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1031,6 +1114,19 @@ delta = "0.5.7 -> 0.5.8"
|
|||
notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.crossbeam-channel]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.5.8 -> 0.5.11"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.crossbeam-channel]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.5.11 -> 0.5.12"
|
||||
notes = "Minimal change fixing a memory leak."
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.crossbeam-epoch]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1055,6 +1151,12 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.8.11 -> 0.8.14"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.crossbeam-utils]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.8.14 -> 0.8.19"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.digest]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1123,18 +1225,6 @@ criteria = "safe-to-deploy"
|
|||
delta = "1.9.1 -> 1.9.2"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.itoa]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.2 -> 1.0.3"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.itoa]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.3 -> 1.0.5"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.lazy_static]]
|
||||
who = "Nika Layzell <nika@thelayzells.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1200,104 +1290,6 @@ criteria = "safe-to-deploy"
|
|||
delta = "0.2.16 -> 0.2.17"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.proc-macro2]]
|
||||
who = "Nika Layzell <nika@thelayzells.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.39"
|
||||
notes = """
|
||||
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
|
||||
`proc_macro` crate, or as a fallback implementation of the crate, depending on
|
||||
where it is used.
|
||||
|
||||
If using this crate on older versions of rustc (1.56 and earlier), it will
|
||||
temporarily replace the panic handler while initializing in order to detect if
|
||||
it is running within a `proc_macro`, which could lead to surprising behaviour.
|
||||
This should not be an issue for more recent compiler versions, which support
|
||||
`proc_macro::is_available()`.
|
||||
|
||||
The `proc-macro2` crate's fallback behaviour is not identical to the complex
|
||||
behaviour of the rustc compiler (e.g. it does not perform unicode normalization
|
||||
for identifiers), however it behaves well enough for its intended use-case
|
||||
(tests and scripts processing rust code).
|
||||
|
||||
`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
|
||||
allow bypassing checks in the fallback implementation when constructing
|
||||
`Literal` using `from_str_unchecked`. This was intended to only be used by the
|
||||
`quote!` macro, however it has been removed
|
||||
(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
|
||||
and is likely completely unused. Even when used, this API shouldn't be able to
|
||||
cause unsoundness.
|
||||
"""
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.proc-macro2]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.39 -> 1.0.43"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.proc-macro2]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.43 -> 1.0.49"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.proc-macro2]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.57 -> 1.0.59"
|
||||
notes = "Enabled on Wasm"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.proc-macro2]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.63 -> 1.0.66"
|
||||
notes = "Removed special support for some really old Rust versions"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.quote]]
|
||||
who = "Nika Layzell <nika@thelayzells.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.0.18"
|
||||
notes = """
|
||||
`quote` is a utility crate used by proc-macros to generate TokenStreams
|
||||
conveniently from source code. The bulk of the logic is some complex
|
||||
interlocking `macro_rules!` macros which are used to parse and build the
|
||||
`TokenStream` within the proc-macro.
|
||||
|
||||
This crate contains no unsafe code, and the internal logic, while difficult to
|
||||
read, is generally straightforward. I have audited the the quote macros, ident
|
||||
formatter, and runtime logic.
|
||||
"""
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.quote]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.18 -> 1.0.21"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.quote]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.21 -> 1.0.23"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.quote]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.27 -> 1.0.28"
|
||||
notes = "Enabled on wasm targets"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.quote]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.28 -> 1.0.31"
|
||||
notes = "Minimal changes and removal of the build.rs"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.rand_core]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1317,25 +1309,6 @@ criteria = "safe-to-deploy"
|
|||
delta = "1.5.3 -> 1.6.1"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.rayon-core]]
|
||||
who = "Josh Stone <jistone@redhat.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "1.9.3"
|
||||
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.rayon-core]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.9.3 -> 1.10.1"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.rayon-core]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.10.1 -> 1.10.2"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.regex-syntax]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1348,56 +1321,6 @@ criteria = "safe-to-deploy"
|
|||
delta = "1.0.11 -> 1.0.12"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.143 -> 1.0.144"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.144 -> 1.0.151"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.151 -> 1.0.152"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.163 -> 1.0.179"
|
||||
notes = "Internal refactorings and some new trait implementations"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde_derive]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.143 -> 1.0.144"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde_derive]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.144 -> 1.0.151"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde_derive]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.151 -> 1.0.152"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde_derive]]
|
||||
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "1.0.163 -> 1.0.179"
|
||||
notes = "Internal refactorings and dependency updates"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.serde_json]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
@ -1447,22 +1370,3 @@ criteria = "safe-to-deploy"
|
|||
delta = "1.0.8 -> 1.0.9"
|
||||
notes = "Dependency updates only"
|
||||
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.unicode-normalization]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.1.19 -> 0.1.20"
|
||||
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.unicode-normalization]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.1.20 -> 0.1.21"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
||||
[[audits.mozilla.audits.unicode-normalization]]
|
||||
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
delta = "0.1.21 -> 0.1.22"
|
||||
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
||||
|
|
|
@ -6,7 +6,9 @@
|
|||
|
||||
# Boost 1.84.0 causes gtests to fail on macOS.
|
||||
boost 1.84.0 2024-06-15
|
||||
boost 1.85.0 2024-06-15
|
||||
native_b2 1.84.0 2024-06-15
|
||||
native_b2 1.85.0 2024-06-15
|
||||
|
||||
# Clang and Rust are currently pinned to LLVM 15
|
||||
libcxx 15.0.7 2024-06-15
|
||||
|
@ -27,6 +29,9 @@ libcxx 17.0.5 2024-06-15
|
|||
libcxx 17.0.6 2024-06-15
|
||||
libcxx 18.1.0 2024-06-15
|
||||
libcxx 18.1.1 2024-06-15
|
||||
libcxx 18.1.2 2024-06-15
|
||||
libcxx 18.1.3 2024-06-15
|
||||
libcxx 18.1.4 2024-06-15
|
||||
native_clang 15.0.7 2024-06-15
|
||||
native_clang 16.0.0 2024-06-15
|
||||
native_clang 16.0.1 2024-06-15
|
||||
|
@ -44,6 +49,9 @@ native_clang 17.0.5 2024-06-15
|
|||
native_clang 17.0.6 2024-06-15
|
||||
native_clang 18.1.0 2024-06-15
|
||||
native_clang 18.1.1 2024-06-15
|
||||
native_clang 18.1.2 2024-06-15
|
||||
native_clang 18.1.3 2024-06-15
|
||||
native_clang 18.1.4 2024-06-15
|
||||
native_rust 1.70.0 2024-06-15
|
||||
native_rust 1.71.0 2024-06-15
|
||||
native_rust 1.71.1 2024-06-15
|
||||
|
@ -54,6 +62,9 @@ native_rust 1.74.0 2024-06-15
|
|||
native_rust 1.74.1 2024-06-15
|
||||
native_rust 1.75.0 2024-06-15
|
||||
native_rust 1.76.0 2024-06-15
|
||||
native_rust 1.77.0 2024-06-15
|
||||
native_rust 1.77.1 2024-06-15
|
||||
native_rust 1.77.2 2024-06-15
|
||||
|
||||
native_cxxbridge 1.0.114 2024-06-15
|
||||
native_cxxbridge 1.0.115 2024-06-15
|
||||
|
@ -61,12 +72,16 @@ native_cxxbridge 1.0.116 2024-06-15
|
|||
native_cxxbridge 1.0.117 2024-06-15
|
||||
native_cxxbridge 1.0.118 2024-06-15
|
||||
native_cxxbridge 1.0.119 2024-06-15
|
||||
native_cxxbridge 1.0.120 2024-06-15
|
||||
native_cxxbridge 1.0.121 2024-06-15
|
||||
rustcxx 1.0.114 2024-06-15
|
||||
rustcxx 1.0.115 2024-06-15
|
||||
rustcxx 1.0.116 2024-06-15
|
||||
rustcxx 1.0.117 2024-06-15
|
||||
rustcxx 1.0.118 2024-06-15
|
||||
rustcxx 1.0.119 2024-06-15
|
||||
rustcxx 1.0.120 2024-06-15
|
||||
rustcxx 1.0.121 2024-06-15
|
||||
|
||||
# We follow upstream Bitcoin Core's LevelDB updates
|
||||
leveldb 1.23 2024-06-15
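Review bot: The comment `# Boost 1.84.0 causes gtests to fail on macOS.` in the first hunk (`@ -6,7 +6,9 @@`) still names only 1.84.0, while the entries under it now also postpone `boost 1.85.0` and `native_b2 1.85.0` (by the hunk's line counts, these two look like the additions). A reader cannot tell whether 1.85.0 was tested and shows the same failure or was postponed without being tried. That matters when deciding whether the postponement can be lifted and upstream fixes picked up before the 2024-06-15 date. I would extend the comment to record it, for example `# Boost 1.84.0 causes gtests to fail on macOS; 1.85.0 is postponed because <reason: same failure / not yet tested>.`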
|
||||
|
|