From a0b4b2c25f9c0a95c146d2c41c5239a721663238 Mon Sep 17 00:00:00 2001
From: Jack Grigg 
Date: Thu, 16 Feb 2023 18:39:30 +0000
Subject: [PATCH 1/9] qa: Fix year in postponement lines

---
 qa/zcash/postponed-updates.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index 735fe58b3..b4d64b546 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -30,8 +30,8 @@ native_ccache 4.7.3 2023-03-01
 native_ccache 4.7.4 2023-03-01
 
 # Clang and Rust are currently pinned to LLVM 15
-libcxx 15.0.7 2022-04-30
-native_clang 15.0.7 2022-04-30
+libcxx 15.0.7 2023-04-30
+native_clang 15.0.7 2023-04-30
 
 # We're never updating to this version
 bdb 18.1.40 2024-02-01

From ed9b9f8a189f0d74f7acb6aff164f9f6ef8785fc Mon Sep 17 00:00:00 2001
From: Jack Grigg 
Date: Thu, 16 Feb 2023 18:41:41 +0000
Subject: [PATCH 2/9] qa: Fix `google/leveldb` tag parsing in `updatecheck.py`

The `v` prefix has been dropped from tags starting with 1.21.
---
 qa/zcash/updatecheck.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/qa/zcash/updatecheck.py b/qa/zcash/updatecheck.py
index b0901ac42..6d9abef8d 100755
--- a/qa/zcash/updatecheck.py
+++ b/qa/zcash/updatecheck.py
@@ -105,8 +105,8 @@ def get_dependency_list():
             { "v4.3.1": (4, 3, 1), "v4.2.0-rc1": None }),
             DependsVersionGetter("zeromq")),
         Dependency("leveldb",
-            GithubTagReleaseLister("google", "leveldb", "^v(\d+)\.(\d+)$",
-                { "v1.13": (1, 13) }),
+            GithubTagReleaseLister("google", "leveldb", "^v?(\d+)\.(\d+)$",
+                { "v1.13": (1, 13), "1.23": (1, 23) }),
             LevelDbVersionGetter()),
         Dependency("tl_expected",
             GithubTagReleaseLister("TartanLlama", "expected", "^v(\d+)\.(\d+)(?:\.(\d+))?$",

From 942189fc2064daff58eaa0ddb8cd772e48d52756 Mon Sep 17 00:00:00 2001
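Review bot: The new pattern `"^v?(\d+)\.(\d+)$"` is still a non-raw string literal, so `\d` and `\.` are invalid escape sequences that CPython reports as a DeprecationWarning (a SyntaxWarning from 3.12) even though they currently reach `re` unchanged; the neighbouring patterns in this hunk have the same issue. Writing it as `r"^v?(\d+)\.(\d+)$"` fixes that without changing what the regex matches. The added `"1.23": (1, 23)` test vector documents the un-prefixed form well; a short comment above the lister, e.g. `# leveldb dropped the "v" tag prefix from 1.21 onwards`, would keep that reason in the code rather than only in the commit message. `get_dependency_list` continues outside the hunk.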
From: Jack Grigg 
Date: Thu, 16 Feb 2023 19:11:34 +0000
Subject: [PATCH 3/9] qa: Handle commit IDs correctly to `updatecheck.py`

---
 qa/zcash/updatecheck.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/qa/zcash/updatecheck.py b/qa/zcash/updatecheck.py
index 6d9abef8d..5bd2f57fc 100755
--- a/qa/zcash/updatecheck.py
+++ b/qa/zcash/updatecheck.py
@@ -156,6 +156,21 @@ class Version(list):
     def __hash__(self):
         return hash(tuple(self))
 
+    def __gt__(self, other):
+        if type(self) != type(other):
+            raise TypeError
+
+        # If one of the versions is a commit hash and the other is not, treat the commit
+        # hash as being newer (as it indicates we are pinning a specific revision).
+        self_is_commit_hash = len(self) == 1 and len(self[0]) == 40
+        other_is_commit_hash = len(other) == 1 and len(other[0]) == 40
+        if other_is_commit_hash:
+            return False
+        if self_is_commit_hash:
+            return True
+
+        return super().__gt__(other)
+
 class Dependency:
     def __init__(self, name, release_lister, current_getter):
         self.name = name
@@ -259,8 +274,7 @@ class DependsVersionGetter:
             "package\)_version=(\d+)\.(\d+)$",
             "package\)_version=(\d+)_(\d+)_(\d+)$",
             "package\)_version=(\d+)\.(\d+)\.(\d+)([a-z])$",
-            # Workaround for wasi 0.9.0 preview
-            "package\)_version=(\d+)\.(\d+)\.(\d+)\+wasi-snapshot-preview1$",
+            "package\)_version=([0-9a-f]{40})$",
         ]
 
         current_version = None
@@ -271,7 +285,9 @@ class DependsVersionGetter:
                 current_version = Version(match.groups())
 
         if not current_version:
-            raise RuntimeError("Couldn't parse version number from depends .mk file.")
+            raise RuntimeError(
+                "Couldn't parse version number from depends %s.mk file." % (safe_depends(self.name),)
+            )
 
         return current_version
 

From e775c13c4f2992599b5a890e01c676575ed015d5 Mon Sep 17 00:00:00 2001
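Review bot: Only `__gt__` is overridden on `Version`, so the commit-hash ordering applies to explicit `>` comparisons alone; `<`, `<=`, `>=` and anything built on them such as `sorted()` or `max()` still fall through to plain `list` comparison, where a one-element hash Version and a numeric Version are compared element-wise, if they compare at all. If the update check only ever uses `>` this is harmless, but the asymmetry is easy to trip over later; a mirror `def __lt__(self, other): return Version.__gt__(other, self)` keeps the two consistent. It is also worth stating in the comment that when both sides are 40-character hashes the method returns False, so a changed pinned commit is never reported as newer, and the bare `raise TypeError` would be more useful as `raise TypeError("cannot compare Version with %s" % type(other).__name__)`.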
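Review bot: The `40` in the new `([0-9a-f]{40})` pattern and the `len(self[0]) == 40` test in `Version.__gt__` are the same assumption written twice with nothing tying them together; a module-level `COMMIT_HASH_LEN = 40` (or a small `is_commit_hash()` helper used by both) would keep them from drifting apart. The pattern also accepts only lowercase hex, which is worth a comment, e.g. `# A pinned git commit ID (40 lowercase hex digits) rather than a version number`. The removal of the wasi-snapshot-preview1 workaround is not mentioned in the commit message; a sentence there on why it is no longer needed would help. The list literal this hunk edits opens outside the hunk.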
From: Jack Grigg 
Date: Thu, 16 Feb 2023 19:55:56 +0000
Subject: [PATCH 4/9] depends: `cxx 1.0.91`

This also partially reverts zcash/zcash@d3b434eb0fd7652af9b1fda6d5b5018a58b780b9
so we now check in a lockfile for `cxxbridge`.
---
 Cargo.lock                                  |  12 +-
 Cargo.toml                                  |   2 +-
 depends/funcs.mk                            |   2 +-
 depends/packages/native_cxxbridge.mk        |  18 +-
 depends/patches/native_cxxbridge/Cargo.lock | 416 ++++++++++++++++++++
 qa/supply-chain/audits.toml                 |  19 +
 qa/zcash/postponed-updates.txt              |  16 -
 7 files changed, 457 insertions(+), 28 deletions(-)
 create mode 100644 depends/patches/native_cxxbridge/Cargo.lock

diff --git a/Cargo.lock b/Cargo.lock
index 0f7382dbf..ce37c5699 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -439,9 +439,9 @@ dependencies = [
 
 [[package]]
 name = "cxx"
-version = "1.0.83"
+version = "1.0.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bdf07d07d6531bfcdbe9b8b739b104610c6508dcc4d63b410585faf338241daf"
+checksum = "86d3488e7665a7a483b57e25bdd90d0aeb2bc7608c8d0346acf2ad3f1caf1d62"
 dependencies = [
  "cc",
  "cxxbridge-flags",
@@ -451,15 +451,15 @@ dependencies = [
 
 [[package]]
 name = "cxxbridge-flags"
-version = "1.0.83"
+version = "1.0.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac040a39517fd1674e0f32177648334b0f4074625b5588a64519804ba0553b12"
+checksum = "a2ef98b8b717a829ca5603af80e1f9e2e48013ab227b68ef37872ef84ee479bf"
 
 [[package]]
 name = "cxxbridge-macro"
-version = "1.0.83"
+version = "1.0.91"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1362b0ddcfc4eb0a1f57b68bd77dd99f0e826958a96abd0ae9bd092e114ffed6"
+checksum = "086c685979a698443656e5cf7856c95c642295a38599f12fb1ff76fb28d19892"
 dependencies = [
  "proc-macro2",
  "quote",
diff --git a/Cargo.toml b/Cargo.toml
index bb3dc9733..c55eaae88 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -68,7 +68,7 @@ zeroize = "1.4.2"
 
 # Rust/C++ interop
 # The version needs to match depends/packages/native_cxxbridge.mk
-cxx = { version = "=1.0.83", features = ["c++17"] }
+cxx = { version = "=1.0.91", features = ["c++17"] }
 
 # Rust threading
 rayon = "1.5"
diff --git a/depends/funcs.mk b/depends/funcs.mk
index 1ac42c62d..afc55efe7 100644
--- a/depends/funcs.mk
+++ b/depends/funcs.mk
@@ -37,7 +37,7 @@ define vendor_crate_deps
 ( mkdir -p $$($(1)_download_dir)/$(1) && echo Vendoring dependencies for $(1)... && \
   tar -xf $(native_rust_cached) -C $$($(1)_download_dir) && \
   tar --strip-components=1 -xf $$($(1)_source_dir)/$(2) -C $$($(1)_download_dir)/$(1) && \
-  cp $$($(1)_download_dir)/$(1)/$(3) $$($(1)_download_dir)/$(1)/Cargo.lock && \
+  cp $(3) $$($(1)_download_dir)/$(1)/Cargo.lock && \
   $$($(1)_download_dir)/native/bin/cargo vendor --locked --manifest-path $$($(1)_download_dir)/$(1)/$(4) $$($(1)_download_dir)/$(CRATE_REGISTRY) && \
   cd $$($(1)_download_dir) && \
   find $(CRATE_REGISTRY) | sort | tar --no-recursion -czf $$($(1)_download_dir)/$(5).temp -T - && \
diff --git a/depends/packages/native_cxxbridge.mk b/depends/packages/native_cxxbridge.mk
index 836dcaad4..a53aaaecf 100644
--- a/depends/packages/native_cxxbridge.mk
+++ b/depends/packages/native_cxxbridge.mk
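Review bot: The `cp $(3) ...` change silently redefines the third argument of `vendor_crate_deps` from a path inside the extracted crate to a path the caller resolves itself, but nothing at the definition records that; any other caller still passing a crate-relative path would now copy the wrong file or fail outright. A short header comment on the define, e.g. `# $(1) package, $(2) source tarball, $(3) Cargo.lock to vendor against (caller-resolved path), $(4) manifest path within the crate, $(5) output tarball name`, would make the contract explicit and match how `cargo vendor --locked` is being pinned to that lockfile. The `define vendor_crate_deps` block itself begins and ends outside this hunk.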
@@ -1,17 +1,27 @@
 package=native_cxxbridge
 # The version needs to match cxx in Cargo.toml
-$(package)_version=1.0.83
+$(package)_version=1.0.91
 $(package)_download_path=https://github.com/dtolnay/cxx/archive/refs/tags
 $(package)_file_name=native_cxxbridge-$($(package)_version).tar.gz
 $(package)_download_file=$($(package)_version).tar.gz
-$(package)_sha256_hash=e30cbd34fc8ec2ae78f4f9e546d29c6c92e6d714f30c3c150f7b8c6ea08ea971
+$(package)_sha256_hash=52bc434b6feb375a69bbc58291b19efeb34aa52a3de5d745f4a5e8220078e7f9
 $(package)_build_subdir=gen/cmd
 $(package)_dependencies=native_rust
+# This file is somewhat annoying to update, but can be done like so from the repo base:
+# $ export VERSION=1.0.91
+# $ rm .cargo/config .cargo/.configured-for-offline
+# $ mkdir tmp
+# $ cd tmp
+# $ tar xf ../depends/sources/native_cxxbridge-$VERSION.tar.gz
+# $ cd cxx-$VERSION
+# $ cargo check --release --package=cxxbridge-cmd --bin=cxxbridge
+# $ cp Cargo.lock ../../depends/patches/native_cxxbridge/
+$(package)_patches=Cargo.lock
 $(package)_extra_sources=$(package)-$($(package)_version)-vendored.tar.gz
 
 define $(package)_fetch_cmds
 $(call fetch_file,$(package),$($(package)_download_path),$($(package)_download_file),$($(package)_file_name),$($(package)_sha256_hash)) && \
-$(call vendor_crate_deps,$(package),$($(package)_file_name),third-party/Cargo.lock,Cargo.toml,$(package)-$($(package)_version)-vendored.tar.gz)
+$(call vendor_crate_deps,$(package),$($(package)_file_name),$(PATCHES_PATH)/$(package)/Cargo.lock,Cargo.toml,$(package)-$($(package)_version)-vendored.tar.gz)
 endef
 
 define $(package)_extract_cmds
@@ -23,7 +33,7 @@ define $(package)_extract_cmds
 endef
 
 define $(package)_preprocess_cmds
-  cp third-party/Cargo.lock . && \
+  cp $($(package)_patch_dir)/Cargo.lock . && \
   mkdir -p .cargo && \
   echo "[source.crates-io]" >.cargo/config && \
   echo "replace-with = \"vendored-sources\"" >>.cargo/config && \
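Review bot: The checked-in `Cargo.lock` now decides every crate and checksum that `cargo vendor --locked` pulls into the vendored tarball, so it carries the same supply-chain weight as `$(package)_sha256_hash`, yet the new comment block only explains how to regenerate it, not that its diff is what a reviewer has to read on each bump. One more line in that comment, e.g. `# The resulting Cargo.lock pins every crate that ends up in the vendored tarball; review its diff like any other dependency bump.`, would make that expectation explicit. The regeneration recipe runs `cargo check` against the live registry, so whatever resolves that day is what gets pinned; saying that the lock diff should be cross-checked against the cargo-vet audits (if those cover this tool's dependencies, which is not visible here) would close that loop. Keeping the lockfile under `$(package)_patches` works but is a slight misnomer, since it is copied whole in the preprocess step rather than applied with `patch`; a word on why it lives there would save the next reader the question.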
diff --git a/depends/patches/native_cxxbridge/Cargo.lock b/depends/patches/native_cxxbridge/Cargo.lock
new file mode 100644
index 000000000..39f9b8ea4
--- /dev/null
+++ b/depends/patches/native_cxxbridge/Cargo.lock
@@ -0,0 +1,416 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "adler" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" + +[[package]] +name = "basic-toml" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e819b667739967cd44d308b8c7b71305d8bb0729ac44a248aa08f33d01950b4" +dependencies = [ + "serde", +] + +[[package]] +name = "bitflags" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" + +[[package]] +name = "cc" +version = "1.0.79" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f" +dependencies = [ + "jobserver", +] + +[[package]] +name = "cfg-if" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" + +[[package]] +name = "clang-ast" +version = "0.1.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f01a8823bc658ffd6c6cc1931b0283e7daacf2299fe79faab307cc08c65c98fe" +dependencies = [ + "serde", +] + +[[package]] +name = "clap" +version = "4.1.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ec0b0588d44d4d63a87dbd75c136c166bbfd9a86a31cb89e09906521c7d3f5e3" +dependencies = [ + "bitflags", + "clap_lex", + "strsim", +] + +[[package]] +name = "clap_lex" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "783fe232adfca04f90f56201b26d79682d4cd2625e0bc7290b95123afe558ade" +dependencies = [ + "os_str_bytes", +] + +[[package]] +name = "codespan-reporting" +version = "0.11.1" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e" +dependencies = [ + "termcolor", + "unicode-width", +] + +[[package]] +name = "crc32fast" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "cxx" +version = "1.0.91" +dependencies = [ + "cc", + "cxx-build", + "cxx-gen", + "cxx-test-suite", + "cxxbridge-flags", + "cxxbridge-macro", + "link-cplusplus", + "rustversion", + "trybuild", +] + +[[package]] +name = "cxx-build" +version = "1.0.91" +dependencies = [ + "cc", + "codespan-reporting", + "cxx", + "cxx-gen", + "once_cell", + "pkg-config", + "proc-macro2", + "quote", + "scratch", + "syn", +] + +[[package]] +name = "cxx-gen" +version = "0.7.91" +dependencies = [ + "codespan-reporting", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "cxx-test-suite" +version = "0.0.0" +dependencies = [ + "cxx", + "cxx-build", + "cxxbridge-flags", +] + +[[package]] +name = "cxxbridge-cmd" +version = "1.0.91" +dependencies = [ + "clap", + "codespan-reporting", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "cxxbridge-flags" +version = "1.0.91" + +[[package]] +name = "cxxbridge-macro" +version = "1.0.91" +dependencies = [ + "clang-ast", + "cxx", + "flate2", + "memmap", + "proc-macro2", + "quote", + "serde", + "serde_json", + "syn", +] + +[[package]] +name = "demo" +version = "0.0.0" +dependencies = [ + "cxx", + "cxx-build", +] + +[[package]] +name = "dissimilar" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "210ec60ae7d710bed8683e333e9d2855a8a56a3e9892b38bad3bb0d4d29b0d5e" + +[[package]] +name = "flate2" +version = "1.0.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"a8a2db397cb1c8772f31494cb8917e48cd1e64f0fa7efac59fbd741a0a8ce841" +dependencies = [ + "crc32fast", + "miniz_oxide", +] + +[[package]] +name = "glob" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" + +[[package]] +name = "itoa" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440" + +[[package]] +name = "jobserver" +version = "0.1.25" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "068b1ee6743e4d11fb9c6a1e6064b3693a1b600e7f5f5988047d98b3dc9fb90b" +dependencies = [ + "libc", +] + +[[package]] +name = "libc" +version = "0.2.139" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "201de327520df007757c1f0adce6e827fe8562fbc28bfd9c15571c66ca1f5f79" + +[[package]] +name = "link-cplusplus" +version = "1.0.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ecd207c9c713c34f95a097a5b029ac2ce6010530c7b49d7fea24d977dede04f5" +dependencies = [ + "cc", +] + +[[package]] +name = "memmap" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6585fd95e7bb50d6cc31e20d4cf9afb4e2ba16c5846fc76793f11218da9c475b" +dependencies = [ + "libc", + "winapi", +] + +[[package]] +name = "miniz_oxide" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b275950c28b37e794e8c55d88aeb5e139d0ce23fdbbeda68f8d7174abdf9e8fa" +dependencies = [ + "adler", +] + +[[package]] +name = "once_cell" +version = "1.17.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3" + +[[package]] +name = "os_str_bytes" +version = "6.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"9b7820b9daea5457c9f21c69448905d723fbd21136ccf521748f23fd49e723ee" + +[[package]] +name = "pkg-config" +version = "0.3.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160" + +[[package]] +name = "proc-macro2" +version = "1.0.51" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d727cae5b39d21da60fa540906919ad737832fe0b1c165da3a34d6548c849d6" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8856d8364d252a14d474036ea1358d63c9e6965c8e5c1885c18f73d70bff9c7b" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "rustversion" +version = "1.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5583e89e108996506031660fe09baa5011b9dd0341b89029313006d1fb508d70" + +[[package]] +name = "ryu" +version = "1.0.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b4b9743ed687d4b4bcedf9ff5eaa7398495ae14e61cba0a295704edbc7decde" + +[[package]] +name = "scratch" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddccb15bcce173023b3fedd9436f882a0739b8dfb45e4f6b6002bee5929f61b2" + +[[package]] +name = "serde" +version = "1.0.152" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb7d1f0d3021d347a83e556fc4683dea2ea09d87bccdf88ff5c12545d89d5efb" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.152" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af487d118eecd09402d70a5d72551860e788df87b464af30e5ea6a38c75c541e" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.93" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"cad406b69c91885b5107daf2c29572f6c8cdb3c66826821e286c533490c0bc76" +dependencies = [ + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "strsim" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" + +[[package]] +name = "syn" +version = "1.0.107" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f4064b5b16e03ae50984a5a8ed5d4f8803e6bc1fd170a3cda91a1be4b18e3f5" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "termcolor" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "be55cf8942feac5c765c2c993422806843c9a9a45d4d5c407ad6dd2ea95eb9b6" +dependencies = [ + "winapi-util", +] + +[[package]] +name = "trybuild" +version = "1.0.77" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a44da5a6f2164c8e14d3bbc0657d69c5966af9f5f6930d4f600b1f5c4a673413" +dependencies = [ + "basic-toml", + "dissimilar", + "glob", + "once_cell", + "serde", + "serde_derive", + "serde_json", + "termcolor", +] + +[[package]] +name = "unicode-ident" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "84a22b9f218b40614adcb3f4ff08b703773ad44fa9423e4e0d346d5db86e4ebc" + +[[package]] +name = "unicode-width" +version = "0.1.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0edd1e5b14653f783770bce4a4dabb4a5108a5370a5f5d8cfe8710c361f6c8b" + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-util"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+dependencies = [
+ "winapi",
+]
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml
index 2df790aa5..9f913fbbc 100644
--- a/qa/supply-chain/audits.toml
+++ b/qa/supply-chain/audits.toml
@@ -135,6 +135,15 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "1.0.79 -> 1.0.83"
 
+[[audits.cxx]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.83 -> 1.0.91"
+notes = """
+- Buildscript change is only to bump MSRV.
+- Only change to C++ side is to fix a memory leak.
+"""
+
 [[audits.cxxbridge-flags]]
 who = "Daira Hopwood "
 criteria = "safe-to-deploy"
@@ -161,6 +170,11 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "1.0.79 -> 1.0.83"
 
+[[audits.cxxbridge-flags]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.83 -> 1.0.91"
+
 [[audits.cxxbridge-macro]]
 who = "Daira Hopwood "
 criteria = "safe-to-deploy"
@@ -192,6 +206,11 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "1.0.79 -> 1.0.83"
 
+[[audits.cxxbridge-macro]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.83 -> 1.0.91"
+
 [[audits.ed25519-zebra]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index b4d64b546..0b43cf2cd 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -6,22 +6,6 @@
 
 native_zstd 1.5.4 2023-03-01
 
-# cxx 1.0.84-1.0.87 didn't update third-party/Cargo.lock
-native_cxxbridge 1.0.84 2024-02-01
-native_cxxbridge 1.0.85 2024-02-01
-native_cxxbridge 1.0.86 2024-02-01
-native_cxxbridge 1.0.87 2024-02-01
-native_cxxbridge 1.0.88 2024-02-01
-native_cxxbridge 1.0.89 2024-02-01
-native_cxxbridge 1.0.90 2024-02-01
-rustcxx 1.0.84 2024-02-01
-rustcxx 1.0.85 2024-02-01
-rustcxx 1.0.86 2024-02-01
-rustcxx 1.0.87 2024-02-01
-rustcxx 1.0.88 2024-02-01
-rustcxx 1.0.89 2024-02-01
-rustcxx 1.0.90 2024-02-01
-
 # CCache 4.7 appears to drop support for Ubuntu 18.04
 native_ccache 4.7 2023-03-01
 native_ccache 4.7.1 2023-03-01

From e738af6a27487eadc83ab4a1a400d4c091b7bda1 Mon Sep 17 00:00:00 2001
From: Jack Grigg 
Date: Thu, 16 Feb 2023 20:09:15 +0000
Subject: [PATCH 5/9] depends: `native_zstd 1.5.4`

---
 depends/packages/native_zstd.mk | 4 ++--
 qa/zcash/postponed-updates.txt  | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/depends/packages/native_zstd.mk b/depends/packages/native_zstd.mk
index ed7b54faa..3d0baa400 100644
--- a/depends/packages/native_zstd.mk
+++ b/depends/packages/native_zstd.mk
@@ -1,8 +1,8 @@
 package=native_zstd
-$(package)_version=1.5.2
+$(package)_version=1.5.4
 $(package)_download_path=https://github.com/facebook/zstd/releases/download/v$($(package)_version)
 $(package)_file_name=zstd-$($(package)_version).tar.gz
-$(package)_sha256_hash=7c42d56fac126929a6a85dbc73ff1db2411d04f104fae9bdea51305663a83fd0
+$(package)_sha256_hash=0f470992aedad543126d06efab344dc5f3e171893810455787d38347343a4424
 $(package)_build_subdir=build/cmake
 $(package)_dependencies=native_cmake
 
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index 0b43cf2cd..1afa18f50 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -4,8 +4,6 @@ # bdb 18.1.40 2020-09-01 # -native_zstd 1.5.4 2023-03-01 - # CCache 4.7 appears to drop support for Ubuntu 18.04 native_ccache 4.7 2023-03-01 native_ccache 4.7.1 2023-03-01 From 5cc37d59a4a512ae0ae526c8ade0f98c67063599 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Thu, 16 Feb 2023 21:27:49 +0000 Subject: [PATCH 6/9] `cargo vet regenerate imports` --- qa/supply-chain/config.toml | 4 - qa/supply-chain/imports.lock | 340 +---------------------------------- 2 files changed, 5 insertions(+), 339 deletions(-) diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml index 0a15b187a..73c7c7a7e 100644 --- a/qa/supply-chain/config.toml +++ b/qa/supply-chain/config.toml @@ -34,10 +34,6 @@ criteria = "safe-to-deploy" version = "0.7.18" criteria = "safe-to-deploy" -[[exemptions.arrayref]] -version = "0.3.6" -criteria = "safe-to-deploy" - [[exemptions.backtrace]] version = "0.3.67" criteria = "safe-to-deploy" diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock index bd10963eb..f10012311 100644 --- a/qa/supply-chain/imports.lock +++ b/qa/supply-chain/imports.lock @@ -1,15 +1,13 @@ # cargo-vet imports lock -[[audits.bytecode-alliance.audits.anyhow]] -who = "Alex Crichton " +[[audits.bytecode-alliance.audits.arrayref]] +who = "Nick Fitzgerald " criteria = "safe-to-deploy" -delta = "1.0.62 -> 1.0.66" +version = "0.3.6" notes = """ -This update looks to be related to minor fixes and mostly integrating with a -nightly feature in the standard library for backtrace integration. No undue -`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening -here. +Unsafe code, but its logic looks good to me. Necessary given what it is +doing. Well tested, has quickchecks. """ [[audits.bytecode-alliance.audits.arrayvec]] 
@@ -21,35 +19,17 @@ Well documented invariants, good assertions for those invariants in unsafe code, and tested with MIRI to boot. LGTM. """ -[[audits.bytecode-alliance.audits.backtrace]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "0.3.66" -notes = "I am the author of this crate." - [[audits.bytecode-alliance.audits.block-buffer]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.2" -[[audits.bytecode-alliance.audits.bumpalo]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -version = "3.9.1" -notes = "I am the author of this crate." - [[audits.bytecode-alliance.audits.bumpalo]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" version = "3.11.1" notes = "I am the author of this crate." -[[audits.bytecode-alliance.audits.cc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "1.0.73" -notes = "I am the author of this crate." - [[audits.bytecode-alliance.audits.cfg-if]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -66,40 +46,12 @@ who = "Benjamin Bouvier " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.3" -[[audits.bytecode-alliance.audits.libm]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.4" -notes = """ -This diff primarily fixes a few issues with the `fma`-related functions, -but also contains some other minor fixes as well. Everything looks A-OK and -as expected. -""" - [[audits.bytecode-alliance.audits.rustc-demangle]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.1.21" notes = "I am the author of this crate." -[[audits.bytecode-alliance.audits.sha2]] -who = "Benjamin Bouvier " -criteria = "safe-to-deploy" -delta = "0.9.9 -> 0.10.2" -notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage." - -[[audits.bytecode-alliance.audits.spin]] -who = "Alex Crichton " -criteria = "safe-to-run" -version = "0.9.4" -notes = """ -I've verified the contents of this crate and that while they contain `unsafe` -it's exclusively around implementing atomic primitive where some `unsafe` is to -be expected. Otherwise this crate does not unduly access ambient capabilities -and does what it says on the tin, providing spin-based synchronization -primitives. -""" - [[audits.bytecode-alliance.audits.tinyvec]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -185,18 +137,6 @@ who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.58" -[[audits.embark-studios.audits.anyhow]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "1.0.58 -> 1.0.66" -notes = "New unsafe usage, looks sane. Expert maintainer" - -[[audits.embark-studios.audits.tinyvec_macros]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.1.0" -notes = "Inspected it and is a tiny crate with single safe macro" - [[audits.firefox.audits.aho-corasick]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -234,46 +174,11 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.2 -> 0.10.3" -[[audits.firefox.audits.bumpalo]] -who = "Bobby Holley " -criteria = "safe-to-run" -delta = "3.9.1 -> 3.10.0" -notes = """ -Some nontrivial functional changes but certainly meets the no-malware bar of -safe-to-run. If we needed safe-to-deploy for this in m-c I'd ask Nick to re- -certify this version, but we don't, so this is fine for now. -""" - -[[audits.firefox.audits.bytes]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.1.0 -> 1.2.1" - [[audits.firefox.audits.bytes]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.2.1 -> 1.3.0" -[[audits.firefox.audits.cpufeatures]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.4" - -[[audits.firefox.audits.cpufeatures]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.2.4 -> 0.2.5" - -[[audits.firefox.audits.crossbeam-channel]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.5.4 -> 0.5.6" - -[[audits.firefox.audits.crossbeam-deque]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.8.1 -> 0.8.2" - [[audits.firefox.audits.crossbeam-epoch]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -294,26 +199,11 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.8.11 -> 0.8.14" -[[audits.firefox.audits.crypto-common]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.1.3 -> 0.1.6" - [[audits.firefox.audits.digest]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.3 -> 0.10.6" -[[audits.firefox.audits.either]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.6.1 -> 1.7.0" - -[[audits.firefox.audits.either]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.7.0 -> 1.8.0" - [[audits.firefox.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -360,16 +250,6 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.23 -> 0.3.25" -[[audits.firefox.audits.generic-array]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.14.5 -> 0.14.6" - -[[audits.firefox.audits.getrandom]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.2.6 -> 0.2.7" - [[audits.firefox.audits.getrandom]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -386,31 +266,6 @@ who = "Simon Friedberger " criteria = "safe-to-deploy" version = "0.4.3" -[[audits.firefox.audits.httparse]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "1.7.1 -> 1.8.0" - -[[audits.firefox.audits.hyper]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.14.19 -> 0.14.20" - -[[audits.firefox.audits.hyper]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.14.20 -> 0.14.22" - -[[audits.firefox.audits.hyper]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.14.22 -> 0.14.23" - -[[audits.firefox.audits.indexmap]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.8.2 -> 1.9.1" - [[audits.firefox.audits.indexmap]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -441,11 +296,6 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.2.138 -> 0.2.139" -[[audits.firefox.audits.lock_api]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.4.7 -> 0.4.9" - [[audits.firefox.audits.log]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -461,23 +311,6 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.5.3 -> 0.6.2" -[[audits.firefox.audits.nix]] -who = "Gabriele Svelto " -criteria = "safe-to-deploy" -delta = "0.15.0 -> 0.25.0" -notes = "Plenty of new bindings but also several important bug fixes (including buffer overflows). New unsafe sections are restricted to wrappers and are no more dangerous than calling the C functions." - -[[audits.firefox.audits.nix]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.25.0 -> 0.25.1" - -[[audits.firefox.audits.num-bigint]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "0.2.6" -notes = "All code written or reviewed by Josh Stone." - [[audits.firefox.audits.num-bigint]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -501,26 +334,6 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.13.1 -> 1.14.0" -[[audits.firefox.audits.object]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.28.4 -> 0.30.0" - -[[audits.firefox.audits.once_cell]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.12.0 -> 1.13.1" - -[[audits.firefox.audits.once_cell]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.13.1 -> 1.16.0" - -[[audits.firefox.audits.parking_lot_core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.8.5 -> 0.8.6" - [[audits.firefox.audits.ppv-lite86]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -590,24 +403,6 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.21 -> 1.0.23" -[[audits.firefox.audits.radium]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "0.5.3" -notes = """ -I am no longer the primary maintainer of `radium`, however I have audited the -code to ensure it is still correct. The implementation contains no `unsafe` -logic, and will not abstract away `Sync` trait bounds. - -The core logic is very simple, and acts as an abstraction trait for `Cell` -and `AtomicT`. -""" - -[[audits.firefox.audits.rand_core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.6.3 -> 0.6.4" - [[audits.firefox.audits.rayon]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -630,46 +425,21 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.9.3 -> 1.10.1" -[[audits.firefox.audits.redox_syscall]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.2.13 -> 0.2.16" - -[[audits.firefox.audits.regex]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.5.6 -> 1.6.0" - [[audits.firefox.audits.regex]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.6.0 -> 1.7.0" -[[audits.firefox.audits.regex-syntax]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.6.26 -> 0.6.27" - [[audits.firefox.audits.regex-syntax]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.6.27 -> 0.6.28" -[[audits.firefox.audits.ryu]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.10 -> 1.0.11" - [[audits.firefox.audits.ryu]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.11 -> 1.0.12" -[[audits.firefox.audits.serde]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.137 -> 1.0.143" - [[audits.firefox.audits.serde]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -685,11 +455,6 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.151 -> 1.0.152"
-[[audits.firefox.audits.serde_derive]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.137 -> 1.0.143"
-
 [[audits.firefox.audits.serde_derive]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -720,36 +485,6 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.85 -> 1.0.91"
-[[audits.firefox.audits.sha2]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.10.2 -> 0.10.6"
-
-[[audits.firefox.audits.smallvec]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.8.0 -> 1.9.0"
-
-[[audits.firefox.audits.smallvec]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.9.0 -> 1.10.0"
-
-[[audits.firefox.audits.socket2]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.4.4 -> 0.4.7"
-
-[[audits.firefox.audits.syn]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.96 -> 1.0.99"
-
-[[audits.firefox.audits.syn]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.99 -> 1.0.107"
-
 [[audits.firefox.audits.synstructure]]
 who = "Nika Layzell "
 criteria = "safe-to-deploy"
@@ -760,81 +495,21 @@ maintainer. The one use of `unsafe` is unnecessary, but documented and harmless.
 It will be removed in the next version.
 """
-[[audits.firefox.audits.thiserror]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.31 -> 1.0.32"
-
 [[audits.firefox.audits.thiserror]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.32 -> 1.0.38"
-[[audits.firefox.audits.thiserror-impl]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.31 -> 1.0.32"
-
 [[audits.firefox.audits.thiserror-impl]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.32 -> 1.0.38"
-[[audits.firefox.audits.time]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.1.44 -> 0.1.45"
-
-[[audits.firefox.audits.time]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.3.9 -> 0.3.17"
-
-[[audits.firefox.audits.time-macros]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.2.4 -> 0.2.6"
-
 [[audits.firefox.audits.toml]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.5.9 -> 0.5.10"
-[[audits.firefox.audits.tower-service]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.3.1 -> 0.3.2"
-
-[[audits.firefox.audits.tracing]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.1.35 -> 0.1.36"
-
-[[audits.firefox.audits.tracing]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.1.36 -> 0.1.37"
-
-[[audits.firefox.audits.tracing-attributes]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.1.21 -> 0.1.22"
-
-[[audits.firefox.audits.tracing-attributes]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.1.22 -> 0.1.23"
-
-[[audits.firefox.audits.tracing-core]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.1.27 -> 0.1.29"
-
-[[audits.firefox.audits.tracing-core]]
-who = "Mike Hommey "
-criteria = "safe-to-run"
-delta = "0.1.29 -> 0.1.30"
-
 [[audits.firefox.audits.typenum]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -870,8 +545,3 @@ delta = "0.1.20 -> 0.1.21"
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.1.21 -> 0.1.22"
-
-[[audits.firefox.audits.unicode-xid]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.2.3 -> 0.2.4"
From fe05310e37dbe827fc1c6744c7bfa95e266ba569 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 16 Feb 2023 21:28:52 +0000
Subject: [PATCH 7/9] qa: Import Rust crate audits from ISRG
---
 qa/supply-chain/config.toml | 35 ++-------------------
 qa/supply-chain/imports.lock | 60 ++++++++++++++++++++++++++++++------
 2 files changed, 53 insertions(+), 42 deletions(-)
diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index 73c7c7a7e..ecf79777e 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -10,6 +10,9 @@ url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audit
 [imports.firefox]
 url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
 [[exemptions.addr2line]]
 version = "0.17.0"
 criteria = "safe-to-deploy"
@@ -70,10 +73,6 @@ criteria = "safe-to-deploy"
 version = "1.0.0"
 criteria = "safe-to-deploy"
-[[exemptions.block-buffer]]
-version = "0.9.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.block-modes]]
 version = "0.8.1"
 criteria = "safe-to-deploy"
@@ -150,10 +149,6 @@ criteria = "safe-to-deploy"
 version = "0.8.8"
 criteria = "safe-to-deploy"
-[[exemptions.crunchy]]
-version = "0.2.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.crypto-mac]]
 version = "0.11.1"
 criteria = "safe-to-deploy"
@@ -194,10 +189,6 @@ criteria = "safe-to-deploy"
 version = "3.0.0"
 criteria = "safe-to-deploy"
-[[exemptions.either]]
-version = "1.8.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.ff]]
 version = "0.12.0"
 criteria = "safe-to-deploy"
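Review bot: The new `[imports.isrg]` entry in the `@@ -10,6 +10,9 @@` hunk carries no comment saying who publishes these audits or why they are trusted, even though this commit relies on them to drop the `block-buffer`, `crunchy` and `either` exemptions below (and more in the following hunks). The URL points at the mutable `main` branch of `divviup/libprio-rs`; cargo-vet appears to snapshot what it imported into `imports.lock`, so drift should surface as a diff on the next `cargo vet`, but the trust decision itself is only recorded here. I would add above the table `# Audits published by ISRG (maintainers of divviup/libprio-rs); trusted to replace the exemptions removed in the same commit.` so a later reviewer can re-evaluate the source without digging through history. The existing `firefox` import also tracks a branch tip, so this is consistent with current practice rather than a new risk.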
@@ -414,10 +405,6 @@ criteria = "safe-to-deploy"
 version = "1.17.0"
 criteria = "safe-to-deploy"
-[[exemptions.opaque-debug]]
-version = "0.3.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.overload]]
 version = "0.1.1"
 criteria = "safe-to-deploy"
@@ -730,22 +717,10 @@ criteria = "safe-to-deploy"
 version = "0.9.4"
 criteria = "safe-to-deploy"
-[[exemptions.unicode-ident]]
-version = "1.0.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.unicode-xid]]
 version = "0.2.4"
 criteria = "safe-to-deploy"
-[[exemptions.universal-hash]]
-version = "0.4.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.untrusted]]
-version = "0.7.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.valuable]]
 version = "0.1.0"
 criteria = "safe-to-deploy"
@@ -786,10 +761,6 @@ criteria = "safe-to-deploy"
 version = "0.2.83"
 criteria = "safe-to-deploy"
-[[exemptions.wasm-bindgen-shared]]
-version = "0.2.83"
-criteria = "safe-to-deploy"
-
 [[exemptions.web-sys]]
 version = "0.3.60"
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock
index f10012311..3ffebcf40 100644
--- a/qa/supply-chain/imports.lock
+++ b/qa/supply-chain/imports.lock
@@ -204,6 +204,16 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.10.3 -> 0.10.6"
+[[audits.firefox.audits.either]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.6.1 -> 1.7.0"
+
+[[audits.firefox.audits.either]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.7.0 -> 1.8.0"
+
 [[audits.firefox.audits.fnv]]
 who = "Bobby Holley "
 criteria = "safe-to-deploy"
@@ -515,16 +525,6 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.15.0 -> 1.16.0"
-[[audits.firefox.audits.unicode-ident]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.0 -> 1.0.1"
-
-[[audits.firefox.audits.unicode-ident]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.1 -> 1.0.3"
-
 [[audits.firefox.audits.unicode-ident]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -545,3 +545,43 @@ delta = "0.1.20 -> 0.1.21"
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "0.1.21 -> 0.1.22"
+
+[[audits.isrg.audits.block-buffer]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.isrg.audits.crunchy]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.2.2"
+
+[[audits.isrg.audits.either]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "1.6.1"
+
+[[audits.isrg.audits.opaque-debug]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.3.0"
+
+[[audits.isrg.audits.unicode-ident]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+delta = "1.0.2 -> 1.0.3"
+
+[[audits.isrg.audits.universal-hash]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.4.1"
+
+[[audits.isrg.audits.untrusted]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.7.1"
+
+[[audits.isrg.audits.wasm-bindgen-shared]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.2.83"
From 245f9666ff602e82dc5ae1abafca2ef708007986 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Fri, 17 Feb 2023 01:20:52 +0000
Subject: [PATCH 8/9] `cargo update`
---
 Cargo.lock | 360 ++++++++++++++++-------------------
 qa/supply-chain/audits.toml | 232 ++++++++++++++++++++++
 qa/supply-chain/config.toml | 62 ++----
 qa/supply-chain/imports.lock | 45 +++--
 4 files changed, 446 insertions(+), 253 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index ce37c5699..670c63a28 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -33,7 +33,7 @@ version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "cipher 0.3.0",
  "cpufeatures",
  "opaque-debug",
@@ -45,7 +45,7 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47"
 dependencies = [
- "getrandom 0.2.8",
+ "getrandom",
  "once_cell",
  "version_check",
 ]
@@ -61,9 +61,9 @@ dependencies = [
 [[package]]
 name = "anyhow"
-version = "1.0.68"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2cb2f989d18dd141ab8ae82f64d1a8cdd37e0840f73a406896cf5e99502fab61"
+checksum = "224afbd727c3d6e4b90103ece64b8d1b67fbb1973b1046c2281eed3f3803f800"
 [[package]]
 name = "arrayref"
@@ -91,7 +91,7 @@ checksum = "233d376d6d185f2a3093e58f283f60f880315b6c60075b01f36b3b85154564ca"
 dependencies = [
  "addr2line",
  "cc",
- "cfg-if 1.0.0",
+ "cfg-if",
  "libc",
  "miniz_oxide",
  "object",
@@ -139,7 +139,7 @@ checksum = "d0830ae4cc96b0617cc912970c2b17e89456fecbf55e8eed53a956f37ab50c41"
 dependencies = [
  "hmac",
  "pbkdf2",
- "rand 0.8.5",
+ "rand",
  "sha2",
  "unicode-normalization",
  "zeroize",
@@ -165,9 +165,9 @@ dependencies = [
 [[package]]
 name = "blake2b_simd"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72936ee4afc7f8f736d1c38383b56480b5497b4617b4a77bdbf1d2ababc76127"
+checksum = "3c2f0dc9a68c6317d884f97cc36cf5a3d20ba14ce404227df55e1af708ab04bc"
 dependencies = [
  "arrayref",
  "arrayvec",
@@ -176,9 +176,9 @@ dependencies = [
 [[package]]
 name = "blake2s_simd"
-version = "1.0.0"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db539cc2b5f6003621f1cd9ef92d7ded8ea5232c7de0f9faa2de251cd98730d4"
+checksum = "6637f448b9e61dfadbdcbae9a885fadee1f3eaffb1f8d3c1965d3ade8bdfd44f"
 dependencies = [
  "arrayref",
  "arrayvec",
@@ -243,9 +243,9 @@ dependencies = [
 [[package]]
 name = "bumpalo"
-version = "3.11.1"
+version = "3.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "572f695136211188308f16ad2ca5c851a712c464060ae6974944458eb83880ba"
+checksum = "0d261e256854913907f67ed06efbc3338dfe6179796deefc1ff763fc1aee5535"
 [[package]]
 name = "byte-slice-cast"
@@ -261,21 +261,15 @@ checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610"
 [[package]]
 name = "bytes"
-version = "1.3.0"
+version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dfb24e866b15a1af2a1b663f10c6b6b8f397a84aadb828f12e5b289ec23a3a3c"
+checksum = "89b2fd2a0dcf38d7971e2194b6b6eebab45ae01067456a7fd93d5547a61b70be"
 [[package]]
 name = "cc"
-version = "1.0.78"
+version = "1.0.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a20104e2335ce8a659d6dd92a51a767a0c062599c73b343fd152cb401e828c3d"
-
-[[package]]
-name = "cfg-if"
-version = "0.1.10"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4785bdd1c96b2a846b2bd7cc02e86b6b3dbf14e7e53446c4f54c92a361040822"
+checksum = "50d30906286121d95be3d479533b458f87493b30a4b5f79a607db8f5d11aa91f"
 [[package]]
 name = "cfg-if"
@@ -289,7 +283,7 @@ version = "0.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c7fc89c7c5b9e7a02dfe45cd2367bae382f9ed31c61ca8debe5f827c420a2f08"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "cipher 0.4.3",
  "cpufeatures",
 ]
@@ -342,9 +336,9 @@ dependencies = [
 [[package]]
 name = "constant_time_eq"
-version = "0.1.5"
+version = "0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "245097e9a4535ee1e3e3931fcfcd55a796a44c643e8596ff6566d68f09b87bbc"
+checksum = "f3ad85c1f65dc7b37604eb0e89748faf0b9653065f2a8ef69f96a687ec1e9279"
 [[package]]
 name = "cpufeatures"
@@ -361,7 +355,7 @@ version = "0.5.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2dd04ddaf88237dc3b8d8f9a3c1004b506b54b3313403944054d23c0870c521"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "crossbeam-utils",
 ]
@@ -371,7 +365,7 @@ version = "0.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "715e8152b692bba2d374b53d4875445368fdf21a94751410af607a5ac677d1fc"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "crossbeam-epoch",
  "crossbeam-utils",
 ]
@@ -383,7 +377,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "01a9af1f4c2ef74bb8aa1f7e19706bc72d03598c8a570bb5de72243c7a9d9d5a"
 dependencies = [
  "autocfg",
- "cfg-if 1.0.0",
+ "cfg-if",
  "crossbeam-utils",
  "memoffset",
  "scopeguard",
@@ -395,7 +389,7 @@ version = "0.8.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4fb766fa798726286dbbb842f174001dab8abc7b627a1dd86e0b7222a95d929f"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
 ]
 [[package]]
@@ -496,11 +490,10 @@ dependencies = [
 [[package]]
 name = "dirs"
-version = "2.0.2"
+version = "4.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13aea89a5c93364a98e9b37b2fa237effbb694d5cfe01c5b70941f7eb087d5e3"
+checksum = "ca3aa72a6f96ea37bbc5aa912f6788242832f75369bdfdadcb0e38423f100059"
 dependencies = [
- "cfg-if 0.1.10",
  "dirs-sys",
 ]
@@ -532,9 +525,9 @@ dependencies = [
 [[package]]
 name = "either"
-version = "1.8.0"
+version = "1.8.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90e5c1c8368803113bf0c9584fc495a58b86dc8a29edbf8fe877d21d9507e797"
+checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
 [[package]]
 name = "equihash"
@@ -573,7 +566,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cfcf0ed7fe52a17a03854ec54a9f76d6d84508d1c0e66bc1793301c73fc8493c"
 dependencies = [
  "byteorder",
- "rand 0.8.5",
+ "rand",
  "rustc-hex",
  "static_assertions",
 ]
@@ -606,30 +599,30 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c"
 [[package]]
 name = "futures-channel"
-version = "0.3.25"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52ba265a92256105f45b719605a571ffe2d1f0fea3807304b522c1d778f79eed"
+checksum = "2e5317663a9089767a1ec00a487df42e0ca174b61b4483213ac24448e4664df5"
 dependencies = [
  "futures-core",
 ]
 [[package]]
 name = "futures-core"
-version = "0.3.25"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04909a7a7e4633ae6c4a9ab280aeb86da1236243a77b694a49eacd659a4bd3ac"
+checksum = "ec90ff4d0fe1f57d600049061dc6bb68ed03c7d2fbd697274c41805dcb3f8608"
 [[package]]
 name = "futures-task"
-version = "0.3.25"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ffb393ac5d9a6eaa9d3fdf37ae2776656b706e200c8e16b1bdb227f5198e6ea"
+checksum = "dcf79a1bf610b10f42aea489289c5a2c478a786509693b80cd39c44ccd936366"
 [[package]]
 name = "futures-util"
-version = "0.3.25"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "197676987abd2f9cadff84926f410af1c183608d36641465df73ae8211dc65d6"
+checksum = "9c1d6de3acfef38d2be4b1f543f553131788603495be83da675e180c8d6b7bd1"
 dependencies = [
  "futures-core",
  "futures-task",
@@ -647,33 +640,22 @@ dependencies = [
  "version_check",
 ]
-[[package]]
-name = "getrandom"
-version = "0.1.16"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce"
-dependencies = [
- "cfg-if 1.0.0",
- "libc",
- "wasi 0.9.0+wasi-snapshot-preview1",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.2.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c05aeb6a22b8f62540c194aac980f2115af067bfe15a0734d7277a768d396b31"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "libc",
  "wasi 0.11.0+wasi-snapshot-preview1",
 ]
 [[package]]
 name = "gimli"
-version = "0.27.0"
+version = "0.27.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dec7af912d60cdbd3677c1af9352ebae6fb8394d165568a2234df0fa00f87793"
+checksum = "ad0a93d233ebf96623465aad4046a8d3aa4da22d4f4beba5388838c8a434bbb4"
 [[package]]
 name = "group"
@@ -720,7 +702,7 @@ dependencies = [
  "halo2_proofs",
  "lazy_static",
  "pasta_curves",
- "rand 0.8.5",
+ "rand",
  "subtle",
  "uint",
 ]
@@ -822,9 +804,9 @@ checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
 [[package]]
 name = "hyper"
-version = "0.14.23"
+version = "0.14.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "034711faac9d2166cb1baf1a2fb0b60b1f277f8492fd72176c17f3515e1abd3c"
+checksum = "5e011372fa0b68db8350aa7a248930ecc7839bf46d8485577d69f117a75f164c"
 dependencies = [
  "bytes",
  "futures-channel",
@@ -905,9 +887,9 @@ checksum = "fad582f4b9e86b6caa621cabeb0963332d92eea04729ab12892c2533951e6440"
 [[package]]
 name = "js-sys"
-version = "0.3.60"
+version = "0.3.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49409df3e3bf0856b916e2ceaca09ee28e6871cf7d9ce97a692cacfdb2a25a47"
+checksum = "445dde2150c55e483f3d8416706b97ec8e8237c307e5b7b4b8dd15e6af2a0730"
 dependencies = [
  "wasm-bindgen",
 ]
@@ -975,7 +957,7 @@ dependencies = [
  "metrics-util",
  "nonempty",
  "orchard",
- "rand 0.8.5",
+ "rand",
  "rand_core 0.6.4",
  "rayon",
  "secp256k1",
@@ -1026,7 +1008,7 @@ version = "0.4.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
 ]
 [[package]]
@@ -1141,24 +1123,24 @@ dependencies = [
 [[package]]
 name = "mio"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5d732bc30207a6423068df043e3d02e0735b155ad7ce1a6f76fe2baa5b158de"
+checksum = "5b9d9a46eff5b4ff64b45a9e316a6d1e0bc719ef429cbec4dc630684212bfdf9"
 dependencies = [
  "libc",
  "log",
  "wasi 0.11.0+wasi-snapshot-preview1",
- "windows-sys",
+ "windows-sys 0.45.0",
 ]
 [[package]]
 name = "nix"
-version = "0.26.1"
+version = "0.26.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "46a58d1d356c6597d08cde02c2f09d785b09e28711837b1ed667dc652c08a694"
+checksum = "bfdda3d196821d6af13126e40375cdf7da646a96114af134d5f417a9a1dc8e1a"
 dependencies = [
  "bitflags",
- "cfg-if 1.0.0",
+ "cfg-if",
  "libc",
  "static_assertions",
 ]
@@ -1173,6 +1155,15 @@ dependencies = [
  "version_check",
 ]
+[[package]]
+name = "nom8"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae01545c9c7fc4486ab7debaf2aad7003ac19431791868fb2e8066df97fad2f8"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "nonempty"
 version = "0.7.0"
@@ -1231,18 +1222,18 @@ dependencies = [
 [[package]]
 name = "object"
-version = "0.30.2"
+version = "0.30.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b8c786513eb403643f2a88c244c2aaa270ef2153f55094587d0c48a3cf22a83"
+checksum = "ea86265d3d3dcb6a27fc51bd29a4bf387fae9d2986b823079d4986af253eb439"
 dependencies = [
  "memchr",
 ]
 [[package]]
 name = "once_cell"
-version = "1.17.0"
+version = "1.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f61fba1741ea2b3d6a1e3178721804bb716a68a6aeba1149b5d52e3d464ea66"
+checksum = "b7e5500299e16ebb147ae15a00a942af264cf3688f47923b8fc2cd5858f23ad3"
 [[package]]
 name = "opaque-debug"
@@ -1270,7 +1261,7 @@ dependencies = [
  "memuse",
  "nonempty",
  "pasta_curves",
- "rand 0.8.5",
+ "rand",
  "reddsa",
  "serde",
  "subtle",
@@ -1295,9 +1286,9 @@ dependencies = [
 [[package]]
 name = "parity-scale-codec"
-version = "3.2.1"
+version = "3.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "366e44391a8af4cfd6002ef6ba072bae071a96aafca98d7d448a34c5dca38b6a"
+checksum = "637935964ff85a605d114591d4d2c13c5d1ba2806dae97cea6bf180238a749ac"
 dependencies = [
  "arrayvec",
  "bitvec",
@@ -1309,9 +1300,9 @@ dependencies = [
 [[package]]
 name = "parity-scale-codec-derive"
-version = "3.1.3"
+version = "3.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9299338969a3d2f491d65f140b00ddec470858402f888af98e8642fb5e8965cd"
+checksum = "86b26a931f824dd4eca30b3e43bb4f31cd5f0d3a403c5f5ff27106b805bfde7b"
 dependencies = [
  "proc-macro-crate",
  "proc-macro2",
@@ -1331,15 +1322,15 @@ dependencies = [
 [[package]]
 name = "parking_lot_core"
-version = "0.9.6"
+version = "0.9.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba1ef8814b5c993410bb3adfad7a5ed269563e4a2f90c41f5d85be7fb47133bf"
+checksum = "9069cbb9f99e3a5083476ccb29ceb1de18b9118cafa53e90c9551235de2b9521"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "libc",
  "redox_syscall",
  "smallvec",
- "windows-sys",
+ "windows-sys 0.45.0",
 ]
 [[package]]
@@ -1363,7 +1354,7 @@ dependencies = [
  "ff",
  "group",
  "lazy_static",
- "rand 0.8.5",
+ "rand",
  "static_assertions",
  "subtle",
 ]
@@ -1380,18 +1371,18 @@ dependencies = [
 [[package]]
 name = "phf"
-version = "0.8.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3dfb61232e34fcb633f43d12c58f83c1df82962dcdfa565a4e866ffc17dafe12"
+checksum = "928c6535de93548188ef63bb7c4036bd415cd8f36ad25af44b9789b2ee72a48c"
 dependencies = [
  "phf_shared",
 ]
 [[package]]
 name = "phf_codegen"
-version = "0.8.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cbffee61585b0411840d3ece935cce9cb6321f01c45477d30066498cd5e1a815"
+checksum = "a56ac890c5e3ca598bbdeaa99964edb5b0258a583a9eb6ef4e89fc85d9224770"
 dependencies = [
  "phf_generator",
  "phf_shared",
@@ -1399,19 +1390,19 @@ dependencies = [
 [[package]]
 name = "phf_generator"
-version = "0.8.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "17367f0cc86f2d25802b2c26ee58a7b23faeccf78a396094c13dced0d0182526"
+checksum = "b1181c94580fa345f50f19d738aaa39c0ed30a600d95cb2d3e23f94266f14fbf"
 dependencies = [
  "phf_shared",
- "rand 0.7.3",
+ "rand",
 ]
 [[package]]
 name = "phf_shared"
-version = "0.8.0"
+version = "0.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c00cf8b9eafe68dde5e9eaa2cef8ee84a9336a47d566ec55ca16589633b65af7"
+checksum = "e1fb5f6f826b772a8d4c0394209441e7d37cbbb967ae9c7e0e8134365c9ee676"
 dependencies = [
  "siphasher",
 ]
@@ -1464,20 +1455,19 @@ dependencies = [
 [[package]]
 name = "proc-macro-crate"
-version = "1.2.1"
+version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eda0fc3b0fb7c975631757e14d9049da17374063edb6ebbcbc54d880d4fe94e9"
+checksum = "66618389e4ec1c7afe67d51a9bf34ff9236480f8d51e7489b7d5ab0303c13f34"
 dependencies = [
  "once_cell",
- "thiserror",
- "toml",
+ "toml_edit",
 ]
 [[package]]
 name = "proc-macro2"
-version = "1.0.49"
+version = "1.0.51"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57a8eca9f9c4ffde41714334dee777596264c7825420f521abc92b5b5deb63a5"
+checksum = "5d727cae5b39d21da60fa540906919ad737832fe0b1c165da3a34d6548c849d6"
 dependencies = [
  "unicode-ident",
 ]
@@ -1513,20 +1503,6 @@ version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09"
-[[package]]
-name = "rand"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a6b1679d49b24bbfe0c803429aa1874472f50d9b363131f0e89fc356b544d03"
-dependencies = [
- "getrandom 0.1.16",
- "libc",
- "rand_chacha 0.2.2",
- "rand_core 0.5.1",
- "rand_hc",
- "rand_pcg",
-]
-
 [[package]]
 name = "rand"
 version = "0.8.5"
@@ -1534,20 +1510,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
 dependencies = [
  "libc",
- "rand_chacha 0.3.1",
+ "rand_chacha",
  "rand_core 0.6.4",
 ]
-[[package]]
-name = "rand_chacha"
-version = "0.2.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f4c8ed856279c9737206bf725bf36935d8666ead7aa69b52be55af369d193402"
-dependencies = [
- "ppv-lite86",
- "rand_core 0.5.1",
-]
-
 [[package]]
 name = "rand_chacha"
 version = "0.3.1"
@@ -1563,9 +1529,6 @@ name = "rand_core"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
-dependencies = [
- "getrandom 0.1.16",
-]
 [[package]]
 name = "rand_core"
@@ -1573,32 +1536,14 @@ version = "0.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
 dependencies = [
- "getrandom 0.2.8",
-]
-
-[[package]]
-name = "rand_hc"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3129af7b92a17112d59ad498c6f81eaf463253766b90396d39ea7a39d6613c"
-dependencies = [
- "rand_core 0.5.1",
-]
-
-[[package]]
-name = "rand_pcg"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16abd0c1b639e9eb4d7c50c0b8100b0d0f849be2349829c740fe8e6eb4816429"
-dependencies = [
- "rand_core 0.5.1",
+ "getrandom",
 ]
 [[package]]
 name = "raw-cpuid"
-version = "10.6.0"
+version = "10.6.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a6823ea29436221176fe662da99998ad3b4db2c7f31e7b6f5fe43adccd6320bb"
+checksum = "c307f7aacdbab3f0adee67d52739a1d71112cc068d6fab169ddeb18e48877fad"
 dependencies = [
  "bitflags",
 ]
@@ -1615,9 +1560,9 @@ dependencies = [
 [[package]]
 name = "rayon-core"
-version = "1.10.1"
+version = "1.10.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cac410af5d00ab6884528b4ab69d1e8e146e8d471201800fa1b4524126de6ad3"
+checksum = "356a0625f1954f730c0201cdab48611198dc6ce21f4acff55089b5a78e6e835b"
 dependencies = [
  "crossbeam-channel",
  "crossbeam-deque",
@@ -1673,7 +1618,7 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
 dependencies = [
- "getrandom 0.2.8",
+ "getrandom",
  "redox_syscall",
  "thiserror",
 ]
@@ -1799,9 +1744,9 @@ dependencies = [
 [[package]]
 name = "serde_json"
-version = "1.0.91"
+version = "1.0.93"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "877c235533714907a8c2464236f5c4b2a17262ef1bd71f38f35ea592c8da6883"
+checksum = "cad406b69c91885b5107daf2c29572f6c8cdb3c66826821e286c533490c0bc76"
 dependencies = [
  "itoa",
  "ryu",
@@ -1815,7 +1760,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
 dependencies = [
  "block-buffer 0.9.0",
- "cfg-if 1.0.0",
+ "cfg-if",
  "cpufeatures",
  "digest 0.9.0",
  "opaque-debug",
@@ -1907,9 +1852,9 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369"
 [[package]]
 name = "terminfo"
-version = "0.7.3"
+version = "0.7.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "76971977e6121664ec1b960d1313aacfa75642adc93b9d4d53b247bd4cb1747e"
+checksum = "da31aef70da0f6352dbcb462683eb4dd2bfad01cf3fc96cf204547b9a839a585"
 dependencies = [
  "dirs",
  "fnv",
@@ -1940,18 +1885,19 @@ dependencies = [
 [[package]]
 name = "thread_local"
-version = "1.1.4"
+version = "1.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5516c27b78311c50bf42c071425c560ac799b11c30b31f87e3081965fe5e0180"
+checksum = "3fdd6f064ccff2d6567adcb3873ca630700f00b5ad3f060c25b5dcfd9a4ce152"
 dependencies = [
+ "cfg-if",
  "once_cell",
 ]
 [[package]]
 name = "time"
-version = "0.3.17"
+version = "0.3.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a561bf4617eebd33bca6434b988f39ed798e527f51a1e797d0ee4f61c0a38376"
+checksum = "53250a3b3fed8ff8fd988587d8925d26a83ac3845d9e03b220b37f34c2b8d6c2"
 dependencies = [
  "itoa",
  "serde",
@@ -1967,9 +1913,9 @@ checksum = "2e153e1f1acaef8acc537e68b44906d2db6436e2b35ac2c6b42640fff91f00fd"
 [[package]]
 name = "time-macros"
-version = "0.2.6"
+version = "0.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d967f99f534ca7e495c575c62638eebc2898a8c84c119b89e250477bc4ba16b2"
+checksum = "a460aeb8de6dcb0f381e1ee05f1cd56fcf5a5f6eb8187ff3d8f0b11078d38b7c"
 dependencies = [
  "time-core",
 ]
@@ -1985,31 +1931,39 @@ dependencies = [
 [[package]]
 name = "tinyvec_macros"
-version = "0.1.0"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 [[package]]
 name = "tokio"
-version = "1.24.1"
+version = "1.25.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d9f76183f91ecfb55e1d7d5602bd1d979e38a3a522fe900241cf195624d67ae"
+checksum = "c8e00990ebabbe4c14c08aca901caed183ecd5c09562a12c824bb53d3c3fd3af"
 dependencies = [
  "autocfg",
  "libc",
  "mio",
  "pin-project-lite",
  "socket2",
- "windows-sys",
+ "windows-sys 0.42.0",
 ]
 [[package]]
-name = "toml"
-version = "0.5.10"
+name = "toml_datetime"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1333c76748e868a4d9d1017b5ab53171dfd095f70c712fdb4653a406547f598f"
+checksum = "4553f467ac8e3d374bc9a177a26801e5d0f9b211aa1673fb137a403afd1c9cf5"
+
+[[package]]
+name = "toml_edit"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "56c59d8dd7d0dcbc6428bf7aa2f0e823e26e43b3c9aca15bbc9475d23e5fa12b"
 dependencies = [
- "serde",
+ "indexmap",
+ "nom8",
+ "toml_datetime",
 ]
 [[package]]
@@ -2024,7 +1978,7 @@ version = "0.1.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ce8c33a8d48bd45d624a6e523445fd21ec13d3653cd51f681abf67418f54eb8"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "pin-project-lite",
  "tracing-attributes",
  "tracing-core",
@@ -2162,12 +2116,6 @@ dependencies = [
  "try-lock",
 ]
-[[package]]
-name = "wasi"
-version = "0.9.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
-
 [[package]]
 name = "wasi"
 version = "0.10.2+wasi-snapshot-preview1"
@@ -2182,19 +2130,19 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eaf9f5aceeec8be17c128b2e93e031fb8a4d469bb9c4ae2d7dc1888b26887268"
+checksum = "31f8dcbc21f30d9b8f2ea926ecb58f6b91192c17e9d33594b3df58b2007ca53b"
 dependencies = [
- "cfg-if 1.0.0",
+ "cfg-if",
  "wasm-bindgen-macro",
 ]
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4c8ffb332579b0557b52d268b91feab8df3615f265d5270fec2a8c95b17c1142"
+checksum = "95ce90fd5bcc06af55a641a86428ee4229e44e07033963a2290a8e241607ccb9"
 dependencies = [
  "bumpalo",
  "log",
@@ -2207,9 +2155,9 @@ dependencies = [
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.83"
+version = "0.2.84"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "052be0f94026e6cbc75cdefc9bae13fd6052cdcaf532fa6c45e7ae33a1e6c810"
+checksum = "4c21f77c0bedc37fd5dc21f897894a5ca01e7bb159884559461862ae90c0b4c5"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -2217,9 +2165,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.83" +version = "0.2.84" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07bc0c051dc5f23e307b13285f9d75df86bfdf816c5721e573dec1f9b8aa193c" +checksum = "2aff81306fcac3c7515ad4e177f521b5c9a15f2b08f4e32d823066102f35a5f6" dependencies = [ "proc-macro2", "quote", @@ -2230,15 +2178,15 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.83" +version = "0.2.84" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c38c045535d93ec4f0b4defec448e4291638ee608530863b1e2ba115d4fff7f" +checksum = "0046fef7e28c3804e5e38bfa31ea2a0f73905319b677e57ebe37e49358989b5d" [[package]] name = "web-sys" -version = "0.3.60" +version = "0.3.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bcda906d8be16e728fd5adc5b729afad4e444e106ab28cd1c7256e54fa61510f" +checksum = "e33b99f4b23ba3eec1a53ac264e35a755f00e966e0065077d6027c0f575b0b97" dependencies = [ "js-sys", "wasm-bindgen", @@ -2246,9 +2194,9 @@ dependencies = [ [[package]] name = "which" -version = "4.3.0" +version = "4.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c831fbbee9e129a8cf93e7747a82da9d95ba8e16621cae60ec2cdc849bacb7b" +checksum = "2441c784c52b289a054b7201fc93253e288f094e2f4be9058343127c4226a269" dependencies = [ "either", "libc", 
@@ -2292,6 +2240,30 @@ dependencies = [ "windows_x86_64_msvc", ] +[[package]] +name = "windows-sys" +version = "0.45.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" +dependencies = [ + "windows-targets", +] + +[[package]] +name = "windows-targets" +version = "0.42.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e2522491fbfcd58cc84d47aeb2958948c4b8982e9a2d8a2a35bbaed431390e7" +dependencies = [ + "windows_aarch64_gnullvm", + "windows_aarch64_msvc", + "windows_i686_gnu", + "windows_i686_msvc", + "windows_x86_64_gnu", + "windows_x86_64_gnullvm", + "windows_x86_64_msvc", +] + [[package]] name = "windows_aarch64_gnullvm" version = "0.42.1" @@ -2414,7 +2386,7 @@ dependencies = [ "memuse", "nonempty", "orchard", - "rand 0.8.5", + "rand", "rand_core 0.6.4", "ripemd", "secp256k1", diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml index 9f913fbbc..6d9ad95a6 100644 --- a/qa/supply-chain/audits.toml +++ b/qa/supply-chain/audits.toml 
@@ -31,22 +31,55 @@ criteria = "safe-to-deploy"
 delta = "1.0.61 -> 1.0.65"
 notes = "Build script changes just alter what it is probing for; no difference in side effects."
+[[audits.anyhow]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.68 -> 1.0.69"
+
 [[audits.bellman]]
 who = "Jack Grigg "
 criteria = ["crypto-reviewed", "safe-to-deploy"]
 delta = "0.13.0 -> 0.13.1"
 notes = "Adds multi-threaded batch validation, which I checked against the existing single-threaded batch validation."
+[[audits.blake2b_simd]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.0 -> 1.0.1"
+notes = "Switches to `constant_time_eq 0.2.4`, which bumps its MSRV to 1.59."
+
+[[audits.blake2s_simd]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.0 -> 1.0.1"
+notes = "Switches to `constant_time_eq 0.2.4`, which bumps its MSRV to 1.59."
+
 [[audits.bls12_381]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.7.0 -> 0.7.1"
+[[audits.bumpalo]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "3.11.1 -> 3.12.0"
+notes = "Changes to `unsafe` code are to replace `mem::forget` uses with `ManuallyDrop`."
+
 [[audits.byte-slice-cast]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "1.2.1 -> 1.2.2"
+[[audits.bytes]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.3.0 -> 1.4.0"
+notes = """
+Adds a `mem::forget` as part of avoiding `Vec::into_boxed_slice` when it would reallocate.
+I checked that the required semantics of `mem::forget` are maintained, but it seems like
+`ManuallyDrop` should also work here and be compatible with their MSRV.
+"""
+
 [[audits.chacha20]]
 who = "Jack Grigg "
 criteria = ["crypto-reviewed", "safe-to-deploy"]
@@ -211,11 +244,22 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "1.0.83 -> 1.0.91"
+[[audits.dirs]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "2.0.2 -> 4.0.0"
+notes = "Some paths change across this upgrade (AFAICT they were bugfixes)."
+
 [[audits.ed25519-zebra]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "3.0.0 -> 3.1.0"
+[[audits.either]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.8.0 -> 1.8.1"
+
 [[audits.equihash]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -239,6 +283,33 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.12.0 -> 0.12.1"
+[[audits.futures-channel]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+notes = "Atomics usage in `Stream::size_hint` impls looks fine."
+
+[[audits.futures-core]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+notes = "Adds optional dependency on `portable-atomic 1` that can be enabled to replace `core::sync::atomic`."
+
+[[audits.futures-task]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-util]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+notes = """
+Changes to `unsafe` usage are to split `Either::project` into `Either::as_pin_ref` and
+`Either::as_pin_mut`. The new code follows the old code's pattern, and also now has SAFETY
+documentation.
+"""
+
 [[audits.getrandom]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -248,6 +319,11 @@ Checked that getrandom::wasi::getrandom_inner matches wasi::random_get.
 Checked that getrandom::util_libc::Weak lock ordering matches std::sys::unix::weak::DlsymWeak.
 """
+[[audits.gimli]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.27.0 -> 0.27.2"
+
 [[audits.group]]
 who = "Kris Nuttycombe "
 criteria = "safe-to-deploy"
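Review bot: The `dirs` entry in the first hunk certifies a two-major-version delta (`2.0.2 -> 4.0.0`) with a note that hedges on what actually changed (`AFAICT they were bugfixes`); for a crate whose whole job is resolving home, config, cache and data directories, the audit record should name which paths changed and why each is acceptable, because a silently relocated config or key file is precisely the behaviour change a `safe-to-deploy` review is meant to catch. I would replace the note with something like `notes = "Paths returned for <PLACEHOLDER: affected functions> changed across this upgrade; I confirmed against upstream's changelog that each was a bugfix and that none of our callers depend on the old locations."`, with the placeholder filled in from the review. The other entries in this line's hunks (`either`, the `futures-*` crates, `gimli`) look proportionate to their deltas.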
@@ -277,6 +353,15 @@ criteria = ["crypto-reviewed", "safe-to-deploy"]
 delta = "0.1.0 -> 0.2.0"
 notes = "The ECC core team maintains this crate, and we have reviewed every line."
+[[audits.hyper]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.14.23 -> 0.14.24"
+notes = """
+Fixes a bug where memory was reserved based on an adversary-controllable size, before the
+corresponding data was received.
+"""
+
 [[audits.indexmap]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -300,6 +385,16 @@ criteria = "safe-to-deploy"
 delta = "1.0.1 -> 1.0.3"
 notes = "Update makes no changes to code."
+[[audits.js-sys]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.60 -> 0.3.61"
+notes = """
+- Adds `i64` variants of existing `Atomics` methods, which I checked them against.
+- Adds `Array.length` setter and `Intl.RelativeTimeFormat`; I checked these against their
+ MDN documentation.
+"""
+
 [[audits.libm]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -384,6 +479,22 @@ criteria = "safe-to-deploy"
 delta = "0.8.4 -> 0.8.5"
 notes = "The only unsafe changes are in epoll_create1 failure cases. Usage of epoll_create and fcntl looks fine; it is vulnerable to a race condition in multithreaded programs that fork child processes, but epoll_create1 is how you avoid this problem. See the discussion of the O_CLOEXEC flag in the open(2) man page for details."
+[[audits.mio]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.8.5 -> 0.8.6"
+notes = """
+New `unsafe` usages:
+- `NonZeroU8::new_unchecked`: I verified the constant is non-zero.
+- Additional `syscall!(close(socket))` calls before returning errors.
+"""
+
+[[audits.nix]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.26.1 -> 0.26.2"
+notes = "Fixes `SockaddrIn6` endianness bug."
+
 [[audits.num-integer]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
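Review bot: The `hyper` note in the first hunk records a security-relevant fix (memory reserved from an adversary-controllable size before the data arrived) but gives no pointer to the upstream change, so a later reader cannot tell which commit was reviewed or whether it was the complete fix for that issue. Delta audits of security patches are exactly the entries that get revisited during incident triage, so I would add one line inside the existing `"""` block, e.g. `Upstream fix: <PLACEHOLDER: hyper PR or advisory reference>.`, and state whether the reserve is now bounded by received length or by a fixed cap, since that is what the audit actually verified.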
@@ -400,6 +511,20 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.30.1 -> 0.30.2"
+[[audits.object]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.30.2 -> 0.30.3"
+
+[[audits.once_cell]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.17.0 -> 1.17.1"
+notes = """
+Small refactor that reduces the overall amount of `unsafe` code. The new strict provenance
+approach looks reasonable.
+"""
+
 [[audits.orchard]]
 who = "Jack Grigg "
 criteria = ["crypto-reviewed", "safe-to-deploy"]
@@ -417,6 +542,21 @@ who = "Kris Nuttycombe "
 criteria = "safe-to-deploy"
 delta = "0.2.0 -> 0.3.0"
+[[audits.parity-scale-codec]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "3.2.1 -> 3.4.0"
+notes = "No new code, just refactoring to remove the `full` feature flag."
+
+[[audits.parity-scale-codec-derive]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "3.1.3 -> 3.1.4"
+notes = """
+- Bumps `syn` minimum version.
+- Fixes `max_encoded_len()` to pay attention to `#[codec(skip)]` attribute.
+"""
+
 [[audits.parking_lot]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -433,27 +573,79 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.9.5 -> 0.9.6"
+[[audits.parking_lot_core]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.9.6 -> 0.9.7"
+
 [[audits.pasta_curves]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.4.0 -> 0.4.1"
+[[audits.phf]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.11.1"
+notes = """
+Mostly modernisation, migrating to `PhfBorrow`, and making more things `&'static`.
+No unsafe code in the new `OrderedMap` and `OrderedSet` types.
+"""
+
+[[audits.phf_codegen]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.11.1"
+notes = "New codegen and changes to existing codegen look fine."
+
+[[audits.phf_generator]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.11.1"
+notes = "Just dependency and edition bumps and code formatting."
+
+[[audits.phf_shared]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.11.1"
+notes = """
+Adds `uncased` dependency, and newly generates unsafe code to transmute `&'static str`
+into `&'static UncasedStr`. I verified that `UncasedStr` is a `#[repr(transparent)]`
+newtype around `str`.
+"""
+
 [[audits.poly1305]]
 who = "Daira Hopwood "
 criteria = "safe-to-deploy"
 delta = "0.7.2 -> 0.8.0"
 notes = "Changes to unsafe (avx2) code look reasonable."
+[[audits.proc-macro-crate]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.2.1 -> 1.3.0"
+notes = "Migrates from `toml` to `toml_edit`."
+
 [[audits.proc-macro2]]
 who = "Daira Hopwood "
 criteria = "safe-to-deploy"
 delta = "1.0.37 -> 1.0.41"
+[[audits.proc-macro2]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.49 -> 1.0.51"
+
 [[audits.quanta]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.9.3 -> 0.10.1"
+[[audits.raw-cpuid]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "10.6.0 -> 10.6.1"
+
 [[audits.regex]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -497,6 +689,12 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "1.0.102 -> 1.0.107"
+[[audits.terminfo]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.7.3 -> 0.7.5"
+notes = "Just dependency and edition updates."
+
 [[audits.thiserror]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -521,11 +719,33 @@ criteria = "safe-to-deploy"
 delta = "1.0.32 -> 1.0.37"
 notes = "Proc macro changes migrating to the Provider API look fine."
+[[audits.thread_local]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.1.4 -> 1.1.7"
+notes = """
+New `unsafe` usage:
+- An extra `deallocate_bucket`, to replace a `Mutex::lock` with a `compare_exchange`.
+- Setting and getting a `#[thread_local] static mut Option` on nightly.
+"""
+
 [[audits.time-macros]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "0.2.4 -> 0.2.6"
+[[audits.tinyvec_macros]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.1.0 -> 0.1.1"
+notes = "Adds `#![forbid(unsafe_code)]` and license files."
+
+[[audits.toml_datetime]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+version = "0.5.1"
+notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities."
+
 [[audits.try-lock]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -548,6 +768,18 @@ criteria = "safe-to-deploy"
 delta = "0.4.1 -> 0.5.0"
 notes = "I checked correctness of to_blocks which uses unsafe code in a safe function."
+[[audits.wasm-bindgen-shared]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.2.83 -> 0.2.84"
+notes = "Bumps the schema version to add `linked_modules`."
+
+[[audits.which]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "4.3.0 -> 4.4.0"
+notes = "New APIs are remixes of existing code."
+
 [[audits.windows_aarch64_gnullvm]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index ecf79777e..b4ff3aa9b 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -102,11 +102,7 @@ version = "1.2.1"
 criteria = "safe-to-deploy"
 [[exemptions.cc]]
-version = "1.0.78"
-criteria = "safe-to-deploy"
-
-[[exemptions.cfg-if]]
-version = "0.1.10"
+version = "1.0.79"
 criteria = "safe-to-deploy"
 [[exemptions.chacha20]]
@@ -125,10 +121,6 @@ criteria = "safe-to-deploy"
 version = "1.0.9"
 criteria = "safe-to-deploy"
-[[exemptions.constant_time_eq]]
-version = "0.1.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.cpufeatures]]
 version = "0.2.2"
 criteria = "safe-to-deploy"
@@ -225,10 +217,6 @@ criteria = "safe-to-deploy"
 version = "0.14.6"
 criteria = "safe-to-deploy"
-[[exemptions.getrandom]]
-version = "0.1.16"
-criteria = "safe-to-deploy"
-
 [[exemptions.getrandom]]
 version = "0.2.6"
 criteria = "safe-to-deploy"
@@ -385,6 +373,10 @@ criteria = "safe-to-deploy"
 version = "5.1.2"
 criteria = "safe-to-deploy"
+[[exemptions.nom8]]
+version = "0.2.0"
+criteria = "safe-to-deploy"
+
 [[exemptions.nonempty]]
 version = "0.7.0"
 criteria = "safe-to-deploy"
@@ -493,18 +485,10 @@ criteria = "safe-to-deploy"
 version = "0.7.0"
 criteria = "safe-to-deploy"
-[[exemptions.rand]]
-version = "0.7.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.rand]]
 version = "0.8.5"
 criteria = "safe-to-deploy"
-[[exemptions.rand_chacha]]
-version = "0.2.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.rand_chacha]]
 version = "0.3.1"
 criteria = "safe-to-deploy"
@@ -517,18 +501,14 @@ criteria = "safe-to-deploy"
 version = "0.6.4"
 criteria = "safe-to-deploy"
-[[exemptions.rand_hc]]
-version = "0.2.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.rand_pcg]]
-version = "0.2.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.raw-cpuid]]
 version = "10.6.0"
 criteria = "safe-to-deploy"
+[[exemptions.rayon-core]]
+version = "1.10.2"
+criteria = "safe-to-deploy"
+
 [[exemptions.reddsa]]
 version = "0.3.0"
 criteria = "safe-to-deploy"
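Review bot: The `cc` exemption in the first hunk is moved from 1.0.78 to 1.0.79 instead of a `1.0.78 -> 1.0.79` delta audit being recorded in audits.toml, so the bump is trusted with no record that its diff was read; the `time`, `time-macros`, `tokio`, `wasm-bindgen*` and `web-sys` exemptions in the hunks on the next line follow the same pattern. For `time-macros` this presumably also strands the existing `0.2.4 -> 0.2.6` delta audit in audits.toml: keeping the exemption at 0.2.4 and recording a `0.2.6 -> 0.2.7` delta would certify 0.2.7 through that chain rather than widening the exemption. Likewise the new `[[exemptions.rayon-core]]` at 1.10.2 in the last hunk appears to be why the imported Firefox `rayon-core` audits (1.9.3 and `1.9.3 -> 1.10.1`) drop out of imports.lock; a `1.10.1 -> 1.10.2` delta would keep that imported coverage instead of exempting the whole crate unreviewed.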
@@ -662,7 +642,7 @@ version = "1.1.4"
 criteria = "safe-to-deploy"
 [[exemptions.time]]
-version = "0.3.17"
+version = "0.3.19"
 criteria = "safe-to-deploy"
 [[exemptions.time-core]]
@@ -670,15 +650,15 @@ version = "0.1.0"
 criteria = "safe-to-deploy"
 [[exemptions.time-macros]]
-version = "0.2.4"
+version = "0.2.7"
 criteria = "safe-to-deploy"
 [[exemptions.tokio]]
-version = "1.24.1"
+version = "1.25.0"
 criteria = "safe-to-deploy"
-[[exemptions.toml]]
-version = "0.5.9"
+[[exemptions.toml_edit]]
+version = "0.18.1"
 criteria = "safe-to-deploy"
 [[exemptions.tower-service]]
@@ -733,10 +713,6 @@ criteria = "safe-to-deploy"
 version = "0.3.0"
 criteria = "safe-to-deploy"
-[[exemptions.wasi]]
-version = "0.9.0+wasi-snapshot-preview1"
-criteria = "safe-to-deploy"
-
 [[exemptions.wasi]]
 version = "0.10.2+wasi-snapshot-preview1"
 criteria = "safe-to-deploy"
@@ -746,23 +722,23 @@ version = "0.11.0+wasi-snapshot-preview1"
 criteria = "safe-to-deploy"
 [[exemptions.wasm-bindgen]]
-version = "0.2.83"
+version = "0.2.84"
 criteria = "safe-to-deploy"
 [[exemptions.wasm-bindgen-backend]]
-version = "0.2.83"
+version = "0.2.84"
 criteria = "safe-to-deploy"
 [[exemptions.wasm-bindgen-macro]]
-version = "0.2.83"
+version = "0.2.84"
 criteria = "safe-to-deploy"
 [[exemptions.wasm-bindgen-macro-support]]
-version = "0.2.83"
+version = "0.2.84"
 criteria = "safe-to-deploy"
 [[exemptions.web-sys]]
-version = "0.3.60"
+version = "0.3.61"
 criteria = "safe-to-deploy"
 [[exemptions.which]]
diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock
index 3ffebcf40..d59102e3f 100644
--- a/qa/supply-chain/imports.lock
+++ b/qa/supply-chain/imports.lock
@@ -36,6 +36,12 @@ criteria = "safe-to-deploy" version = "1.0.0" notes = "I am the author of this crate." +[[audits.bytecode-alliance.audits.constant_time_eq]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "0.2.4" +notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct." + [[audits.bytecode-alliance.audits.crypto-common]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" @@ -90,6 +96,18 @@ criteria = "safe-to-deploy" version = "0.42.0" notes = "This is a Windows API bindings library maintained by Microsoft themselves." +[[audits.bytecode-alliance.audits.windows-sys]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.42.0 -> 0.45.0" +notes = "This is a Windows API bindings library maintained by Microsoft themselves." + +[[audits.bytecode-alliance.audits.windows-targets]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.42.1" +notes = "This is a Windows API bindings library maintained by Microsoft themselves. Additionally, this particular crate is empty and just collects a bunch of dependencies, which are not exported, so I don't understand why it exists at all." + [[audits.bytecode-alliance.audits.windows_aarch64_gnullvm]] who = "Dan Gohman " criteria = "safe-to-deploy" @@ -424,17 +442,6 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.5.3 -> 1.6.1" -[[audits.firefox.audits.rayon-core]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "1.9.3" -notes = "All code written or reviewed by Josh Stone or Niko Matsakis." - -[[audits.firefox.audits.rayon-core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.9.3 -> 1.10.1" - [[audits.firefox.audits.regex]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -515,11 +522,6 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.32 -> 1.0.38"
-[[audits.firefox.audits.toml]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.5.9 -> 0.5.10"
-
 [[audits.firefox.audits.typenum]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -566,6 +568,17 @@ who = "David Cook "
 criteria = "safe-to-deploy"
 version = "0.3.0"
+[[audits.isrg.audits.serde_json]]
+who = "Tim Geoghegan "
+criteria = "safe-to-deploy"
+delta = "1.0.91 -> 1.0.92"
+notes = "The only changes are to doccomments, a dev-dependency and the project's CI workflow, so there should be no risk to dependents."
+
+[[audits.isrg.audits.serde_json]]
+who = "Brandon Pitman "
+criteria = "safe-to-deploy"
+delta = "1.0.92 -> 1.0.93"
+
 [[audits.isrg.audits.unicode-ident]]
 who = "David Cook "
 criteria = "safe-to-deploy"
From 4ad081714f0cb69a2114686fc2c37f38fc111af6 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Fri, 17 Feb 2023 04:37:37 +0000
Subject: [PATCH 9/9] qa: Postpone LevelDB 1.23
---
 qa/zcash/postponed-updates.txt | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index 1afa18f50..81db7c23c 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -15,5 +15,8 @@ native_ccache 4.7.4 2023-03-01
 libcxx 15.0.7 2023-04-30
 native_clang 15.0.7 2023-04-30
+# We follow upstream Bitcoin Core's LevelDB updates
+leveldb 1.23 2023-06-01
+
 # We're never updating to this version
 bdb 18.1.40 2024-02-01