# cargo-vet imports lock

# Each [[publisher.<crate>]] record names the crates.io account (user-id /
# user-login) that published one specific version, and the publish date
# (`when`). It is not a code review.
# NOTE(review): presumably these records are what wildcard audits and
# trusted-publisher policy are matched against, so the trust expressed here
# is in the publishing account rather than in the code. Confirm against the
# cargo-vet documentation.
# One account often covers many crates (user-id 64539 is the publisher of
# every windows-* record below), so the security of that single account
# matters for all of them.

[[publisher.bumpalo]]
version = "3.15.4"
when = "2024-03-07"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.core-foundation-sys]]
version = "0.8.4"
when = "2023-04-03"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.equihash]]
version = "0.2.0"
when = "2022-06-24"
user-id = 6289
user-login = "str4d"

[[publisher.f4jumble]]
version = "0.1.0"
when = "2022-05-10"
user-id = 6289
user-login = "str4d"

[[publisher.halo2_gadgets]]
version = "0.3.0"
when = "2023-03-22"
user-id = 1244
user-login = "ebfull"

[[publisher.halo2_legacy_pdqsort]]
version = "0.1.0"
when = "2023-03-10"
user-id = 199950
user-login = "daira"
user-name = "Daira Emma Hopwood"

[[publisher.halo2_proofs]]
version = "0.3.0"
when = "2023-03-22"
user-id = 1244
user-login = "ebfull"

[[publisher.incrementalmerkletree]]
version = "0.5.1"
when = "2024-03-25"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.orchard]]
version = "0.8.0"
when = "2024-03-25"
user-id = 6289
user-login = "str4d"

[[publisher.sapling-crypto]]
version = "0.1.3"
when = "2024-03-25"
user-id = 6289
user-login = "str4d"

[[publisher.shardtree]]
version = "0.3.1"
when = "2024-04-03"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.windows-sys]]
version = "0.48.0"
when = "2023-03-31"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_gnullvm]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"
# Publisher records (continued): the crates.io account and publish date for
# one version each. These are not code reviews.

[[publisher.windows_aarch64_gnullvm]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnullvm]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.52.5"
when = "2024-04-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.zcash_address]]
version = "0.3.2"
when = "2024-03-06"
user-id = 6289
user-login = "str4d"

[[publisher.zcash_client_backend]]
version = "0.12.1"
when = "2024-03-27"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.zcash_client_sqlite]]
version = "0.10.3"
when = "2024-04-08"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.zcash_encoding]]
version = "0.2.0"
when = "2022-10-19"
user-id = 1244
user-login = "ebfull"

[[publisher.zcash_extensions]]
version = "0.1.0"
when = "2024-07-15"
user-id = 6289
user-login = "str4d"

[[publisher.zcash_history]]
version = "0.4.0"
when = "2024-03-01"
user-id = 6289
user-login = "str4d"

[[publisher.zcash_keys]]
version = "0.2.0"
when = "2024-03-25"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.zcash_note_encryption]]
version = "0.4.0"
when = "2023-06-06"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.zcash_primitives]]
version = "0.15.1"
when = "2024-05-24"
user-id = 6289
user-login = "str4d"

[[publisher.zcash_proofs]]
version = "0.15.0"
when = "2024-03-25"
user-id = 6289
user-login = "str4d"

[[publisher.zcash_protocol]]
version = "0.1.1"
when = "2024-03-25"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

[[publisher.zcash_spec]]
version = "0.1.0"
when = "2023-12-07"
user-id = 6289
user-login = "str4d"

[[publisher.zip32]]
version = "0.1.1"
when = "2024-03-14"
user-id = 6289
user-login = "str4d"

[[publisher.zip321]]
version = "0.0.0"
when = "2024-01-15"
user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"

# A wildcard audit certifies every version published by `user-id` between
# `start` and `end`, not one reviewed release. The bumpalo 3.15.4 publisher
# record in this file is dated 2024-03-07, inside the window. A release
# published after end = 2024-03-10 is not covered by this entry.
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2024-03-10"

# Audits recorded under the `bytecode-alliance` import. `version` is a review
# of that whole release. `delta = "A -> B"` covers only the diff from A to B,
# so it vouches for B only when A is itself covered by an audit or trust entry.
# NOTE(review): every `who` value ends in a trailing space, which suggests an
# `<email>` part was stripped when this page was extracted. Confirm against
# the upstream audits file.
# NOTE(review): triple-quoted `notes` values are reproduced exactly as shown
# on this page, on one line. Their original line breaks appear to have been
# collapsed to spaces.

[[audits.bytecode-alliance.audits.adler]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."

[[audits.bytecode-alliance.audits.anes]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.6"
notes = "Contains no unsafe code, no IO, no build.rs."

# Delta only. The sole full anyhow audit visible on this page is
# embark-studios' 1.0.58, so the 1.0.58 -> 1.0.69 step has to come from a
# source not shown here.
[[audits.bytecode-alliance.audits.anyhow]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "1.0.69 -> 1.0.71"

[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """ Unsafe code, but its logic looks good to me. Necessary given what it is doing. Well tested, has quickchecks. """

[[audits.bytecode-alliance.audits.base64]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."

# Delta only; no audit of the 0.9.0 baseline is visible on this page.
[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"

# Self-attestation: the reviewer states they are the crate's author, so this
# is not an independent review.
[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."

[[audits.bytecode-alliance.audits.constant_time_eq]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."

# The reviewer explicitly excludes ABI conformance of the bindings. The 0.8.4
# baseline appears on this page only as a publisher record (jrmuizel), not as
# an audit.
[[audits.bytecode-alliance.audits.core-foundation-sys]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.8.4 -> 0.8.6"
notes = """ The changes here are all typical bindings updates: new functions, types, and constants. I have not audited all the bindings for ABI conformance. """

[[audits.bytecode-alliance.audits.crypto-common]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
version = "0.1.3"

# Delta only; no audit of the 0.9.0 baseline is visible on this page.
[[audits.bytecode-alliance.audits.digest]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.3"

# Delta only; no audit of the 1.4.1 baseline is visible on this page.
[[audits.bytecode-alliance.audits.ed25519]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.4.1 -> 1.5.3"
notes = """ This diff brings in a number of minor updates of which none are related to `unsafe` code or anything system-related like filesystems. """

# Full audit of 0.3.0 followed by the 0.3.0 -> 0.3.1 delta: a complete chain.
[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."

[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = "Just a dependency version bump and a bug fix for redox"

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """ This update had a few doc updates but no otherwise-substantial source code updates. """

# Stated limit of the two futures audits below: the unsafe concurrency code
# is judged "not obviously incorrect", and the reviewer says they would not
# certify it correct without formal methods.
[[audits.bytecode-alliance.audits.futures-channel]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"

[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
# Audits recorded under the `bytecode-alliance` import (continued).
# `version` is a review of that whole release. `delta = "A -> B"` covers only
# the diff from A to B, so it vouches for B only when A is itself covered.
# NOTE(review): every `who` value ends in a trailing space, which suggests an
# `<email>` part was stripped when this page was extracted. Confirm upstream.
# NOTE(review): triple-quoted `notes` values are reproduced exactly as shown
# on this page, on one line. Their original line breaks appear to have been
# collapsed to spaces.

# Reviewer's stated limit: "not obviously incorrect", not certified correct.
[[audits.bytecode-alliance.audits.futures-executor]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."

[[audits.bytecode-alliance.audits.futures-io]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"

# Delta across a major-version boundary; no audit of the 0.2.9 baseline is
# visible on this page.
[[audits.bytecode-alliance.audits.http]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 1.0.0"
notes = "Minor changes leading up to the 1.0.0 release and nothing fundamentally new here."

[[audits.bytecode-alliance.audits.http-body]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.0.0-rc.2"

[[audits.bytecode-alliance.audits.http-body]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.0.0-rc.2 -> 1.0.0"
notes = "Only minor changes made for a stable release."

[[audits.bytecode-alliance.audits.http-body-util]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0-rc.2"
notes = "only one use of unsafe related to pin projection. unclear to me why pin_project! is used in many modules of the project, but the expanded output of that macro is inlined in either.rs"

[[audits.bytecode-alliance.audits.http-body-util]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.1.0-rc.2 -> 0.1.0"
notes = "Minor documentation updates an additions, nothing major."

[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.1.2"

# NOTE(review): the only full itertools 0.10.5 audit visible on this page is
# google's, at `safe-to-run`. A safe-to-deploy delta on top of a safe-to-run
# baseline presumably does not establish safe-to-deploy for 0.12.1. Confirm
# that a safe-to-deploy baseline exists elsewhere.
[[audits.bytecode-alliance.audits.itertools]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
delta = "0.10.5 -> 0.12.1"
notes = """ Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it says on the tin: lots of iterators. """

# Two chained deltas (0.2.2 -> 0.2.4 -> 0.2.7); no audit of the 0.2.2
# baseline is visible on this page.
[[audits.bytecode-alliance.audits.libm]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"
notes = """ This diff primarily fixes a few issues with the `fma`-related functions, but also contains some other minor fixes as well. Everything looks A-OK and as expected. """

[[audits.bytecode-alliance.audits.libm]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.7"
notes = """ This is a minor update which has some testing affordances as well as some updated math algorithms. """

[[audits.bytecode-alliance.audits.matchers]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """ This crate is a Rust implementation of zlib compression/decompression and has been used by default by the Rust standard library for quite some time. It's also a default dependency of the popular `backtrace` crate for decompressing debug information. This crate forbids unsafe code and does not otherwise access system resources. It's originally a port of the `miniz.c` library as well, and given its own longevity should be relatively hardened against some of the more common compression-related issues. """

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.46.0"
notes = "one use of unsafe to call windows specific api to get console handle."

[[audits.bytecode-alliance.audits.overload]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "small crate, only defines macro-rules!, nicely documented as well"

[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """ This crate is a single-file crate that does what it says on the tin. There are a few `unsafe` blocks related to utf-8 validation which are locally verifiable as correct and otherwise this crate is good to go. """

[[audits.bytecode-alliance.audits.pin-utils]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

# The reviewer notes that this crate runs an external executable at build
# time. The input sanitisation is assessed as "appears" reasonable, not
# verified.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.25"
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."

# NOTE(review): gap in the chain. The full audit above is for 0.3.25 but this
# delta starts at 0.3.26, and no 0.3.25 -> 0.3.26 entry is visible on this
# page.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.29"
notes = """ No `unsafe` additions or anything outside of the purview of the crate in this change. """

# Self-attestation: the reviewer states they are the crate's author, so this
# is not an independent review.
[[audits.bytecode-alliance.audits.rustc-demangle]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."

[[audits.bytecode-alliance.audits.semver]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.0.17"
notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"

[[audits.bytecode-alliance.audits.sharded-slab]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.4"
notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe."
# Audits recorded under the `bytecode-alliance` import (continued). Each entry
# here is a full-release review (`version`), all at `safe-to-deploy`.
# NOTE(review): every `who` value ends in a trailing space, which suggests an
# `<email>` part was stripped when this page was extracted. Confirm upstream.

# No `notes`: the record gives no detail on what the review covered.
[[audits.bytecode-alliance.audits.signal-hook-registry]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.4.1"

[[audits.bytecode-alliance.audits.thread_local]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "uses unsafe to implement thread local storage of objects"

[[audits.bytecode-alliance.audits.tokio-rustls]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.24.0"
notes = "no unsafe, no build, no ambient capabilities"

[[audits.bytecode-alliance.audits.tracing-subscriber]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.17"

# Reviewer's stated limit: "not obviously incorrect", not certified correct.
[[audits.bytecode-alliance.audits.try-lock]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"

# The reviewer records filesystem reads and DLL copies into OUT_DIR, so this
# crate touches the build host's filesystem.
[[audits.bytecode-alliance.audits.vcpkg]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
# NOTE(review): every `who` value below that gives a personal name ends in a
# trailing space, which suggests an `<email>` part was stripped when this page
# was extracted. Confirm against the upstream audits files.

[[audits.bytecode-alliance.audits.want]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.0"

# These two deltas build on 0.22.4, whose full audit is the embark-studios
# webpki-roots entry further down. The chain to 0.25.2 therefore relies on
# two different peers.
[[audits.bytecode-alliance.audits.webpki-roots]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.22.4 -> 0.23.0"

[[audits.bytecode-alliance.audits.webpki-roots]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.25.2"

# Audits recorded under the `embark-studios` import. `version` is a review of
# that whole release; `delta = "A -> B"` covers only the diff from A to B.

[[audits.embark-studios.audits.anyhow]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.58"

[[audits.embark-studios.audits.colorchoice]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.convert_case]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.derive_more]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.99.17"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.ident_case]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "No unsafe usage or ambient capabilities"

# Complete chain: full audit of 0.5.11, then 0.5.11 -> 0.6.1 -> 0.7.0.
[[audits.embark-studios.audits.num_enum]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.5.11"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.num_enum]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.5.11 -> 0.6.1"
notes = "Minor changes"

[[audits.embark-studios.audits.num_enum]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.6.1 -> 0.7.0"

# Complete chain: full audit of 0.5.11, then 0.5.11 -> 0.6.1 -> 0.7.0.
# The reviewer notes this proc macro generates unsafe code into its users.
[[audits.embark-studios.audits.num_enum_derive]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.5.11"
notes = "Proc macro that generates some unsafe code for conversion but looks sound, no ambient capabilities"

[[audits.embark-studios.audits.num_enum_derive]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.5.11 -> 0.6.1"
notes = "Minor changes"

[[audits.embark-studios.audits.num_enum_derive]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.6.1 -> 0.7.0"

[[audits.embark-studios.audits.tap]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.thiserror]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"

[[audits.embark-studios.audits.thiserror-impl]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Found no unsafe or ambient capabilities used"

[[audits.embark-studios.audits.toml]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.7.4"
notes = "No unsafe usage or ambient capabilities"

# Delta only; no audit of the 0.6.1 baseline is visible on this page.
[[audits.embark-studios.audits.toml_datetime]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.6.1 -> 0.6.2"
notes = "No notable changes"

[[audits.embark-studios.audits.utf8parse]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Single unsafe usage that looks sound, no ambient capabilities"

[[audits.embark-studios.audits.valuable]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = "No unsafe usage or ambient capabilities, sane build script"

# The note confirms the crate is data-only. It does not say the root
# certificate data itself was checked against a source.
[[audits.embark-studios.audits.webpki-roots]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.22.4"
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"

# `safe-to-run` is the weaker built-in criterion. It covers building and
# running the crate in development or CI, not shipping it in software exposed
# to untrusted input (that is `safe-to-deploy`). Entries marked `safe-to-run`
# cannot satisfy a `safe-to-deploy` requirement.
[[audits.fermyon.audits.oorandom]]
who = "Radu Matei "
criteria = "safe-to-run"
version = "11.1.3"

# Audits recorded under the `google` import. `aggregated-from` names the
# upstream audits.toml each entry was collected from (ChromiumOS, Chromium or
# Fuchsia), so these entries come from three separate review processes.

[[audits.google.audits.anstream]]
who = "Ying Hsu "
criteria = "safe-to-run"
version = "0.6.13"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# Complete chain at `safe-to-run`: full audit of 1.0.4 (ChromiumOS), then
# deltas 1.0.4 -> 1.0.6 -> 1.0.7 (Chromium).
[[audits.google.audits.anstyle]]
who = "Yu-An Wang "
criteria = "safe-to-run"
version = "1.0.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.anstyle]]
who = "Lukasz Anforowicz "
criteria = "safe-to-run"
delta = "1.0.4 -> 1.0.6"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.anstyle]]
who = "danakj "
criteria = "safe-to-run"
delta = "1.0.6 -> 1.0.7"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.anstyle-parse]]
who = "Ying Hsu "
criteria = "safe-to-run"
version = "0.2.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.anstyle-query]]
who = "Ying Hsu "
criteria = "safe-to-run"
version = "1.0.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# The `notes` on the Fuchsia entries point at the code-review change where
# the audit was done, so the reasoning lives outside this file.
[[audits.google.audits.async-stream]]
who = "Tyler Mandry "
criteria = "safe-to-deploy"
version = "0.3.4"
notes = "Reviewed on https://fxrev.dev/761470"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.async-stream]]
who = "David Koloski "
criteria = "safe-to-deploy"
delta = "0.3.4 -> 0.3.5"
notes = "Reviewed on https://fxrev.dev/906795"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.async-stream-impl]]
who = "Tyler Mandry "
criteria = "safe-to-deploy"
version = "0.3.4"
notes = "Reviewed on https://fxrev.dev/761470"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.async-stream-impl]] who = "David Koloski " criteria = "safe-to-deploy" delta = "0.3.4 -> 0.3.5" notes = "Reviewed on https://fxrev.dev/906795" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.autocfg]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.1.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for reasonable, client-controlled usage of `std::fs` in `AutoCfg::with_dir`. This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb The CL description contains a link to a Google-internal document with audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.autocfg]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.2.0" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and nothing changed from the baseline audit of 1.1.0. Skimmed through the 1.1.0 => 1.2.0 delta and everything seemed okay. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "2.4.2" notes = """ Audit notes: * I've checked for any discussion in Google-internal cl/546819168 (where audit of version 2.3.3 happened) * `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` * There are 2 cases of `unsafe` in `src/external.rs` but they seem to be correct in a straightforward way - they just propagate the marker trait's impl (e.g. 
`impl bytemuck::Pod`) from the inner to the outer type * Additional discussion and/or notes may be found in https://crrev.com/c/5238056 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "2.4.2 -> 2.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bytemuck]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.14.3" notes = "Additional review notes may be found in https://crrev.com/c/5362675." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bytemuck]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "1.14.3 -> 1.15.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.cast]] who = "George Burgess IV " criteria = "safe-to-run" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.cfg-if]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.clap]] who = "danakj@chromium.org" criteria = "safe-to-run" version = "4.4.8" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. 
""" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.clap]] who = "Lukasz Anforowicz " criteria = "safe-to-run" delta = "4.4.8 -> 4.4.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.clap_builder]] who = "danakj@chromium.org" criteria = "safe-to-run" version = "4.4.8" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.clap_builder]] who = "Lukasz Anforowicz " criteria = "safe-to-run" delta = "4.4.8 -> 4.4.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.clap_lex]] who = "danakj@chromium.org" criteria = "safe-to-run" version = "0.6.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.equivalent]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.fastrand]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.9.0" notes = """ `does-not-implement-crypto` is certified because this crate explicitly says that the RNG here is not cryptographically secure. 
""" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.futures]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.3.28" notes = """ `futures` has no logic other than tests - it simply `pub use`s things from other crates. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.heck]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "0.4.1" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits. `heck` (version `0.3.3`) has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.httpdate]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.is-terminal]] who = "George Burgess IV " criteria = "safe-to-run" version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.is-terminal]] who = "George Burgess IV " criteria = "safe-to-run" delta = "0.4.2 -> 0.4.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.itertools]] who = "ChromeOS" criteria = "safe-to-run" version = "0.10.5" aggregated-from = 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.itoa]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.10" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are a few places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5350697. Version 1.0.1 of this crate has been added to Chromium in https://crrev.com/c/3321896. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.itoa]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.0.10 -> 1.0.11" notes = """ Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: * Bumping up the version * A touch up of comments * And my own PR to make `unsafe` blocks more granular: https://github.com/dtolnay/itoa/pull/42 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.nix]] who = "David Koloski " criteria = "safe-to-run" version = "0.26.2" notes = """ Reviewed on https://fxrev.dev/780283 Issues: - https://github.com/nix-rust/nix/issues/1975 - https://github.com/nix-rust/nix/issues/1977 - https://github.com/nix-rust/nix/pull/1978 - https://github.com/nix-rust/nix/pull/1979 - https://github.com/nix-rust/nix/issues/1980 - https://github.com/nix-rust/nix/issues/1981 - https://github.com/nix-rust/nix/pull/1983 - https://github.com/nix-rust/nix/issues/1990 - https://github.com/nix-rust/nix/pull/1992 - https://github.com/nix-rust/nix/pull/1993 """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.nom]] who = "danakj@chromium.org" criteria = "safe-to-deploy" version = "7.1.3" 
# Continues the entry opened on the preceding line: the note is a pointer to
# the code-review record for that audit.
notes = """ Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Full-version audit with no notes: the criteria are asserted without a link
# to a review record.
[[audits.google.audits.num-iter]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.1.43"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# pin-project-lite: full audit of 0.2.9, then one delta audit up to 0.2.13.
# Both notes point at the review that backs the entry.
[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "Reviewed on https://fxrev.dev/824504"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
notes = "Audited at https://fxrev.dev/946396"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

# proc-macro2: one full audit (1.0.78) followed by delta audits. The deltas in
# this run cover 1.0.78 -> 1.0.81 and 1.0.82 -> 1.0.85; no 1.0.81 -> 1.0.82
# delta appears here, so reaching 1.0.82 or later from the 1.0.78 baseline
# depends on an audit recorded elsewhere (another import, a local audit or an
# exemption).
# The full-audit note records a keyword search for crypto, filesystem and
# network use, and links the separate `unsafe` review.
[[audits.google.audits.proc-macro2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.78"
notes = """ Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for a benign \"fs\" hit in a doc comment) Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. 
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# The next two deltas carry no notes.
[[audits.google.audits.proc-macro2]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.79"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.0.79 -> 1.0.80"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.0.80 -> 1.0.81"
notes = "Comment changes only"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Chain resumes at 1.0.82 (see the gap described above).
[[audits.google.audits.proc-macro2]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.0.82 -> 1.0.83"
notes = "Substantive change is replacing String with Box, saving memory."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.84"
notes = "Only doc comment changes in `src/lib.rs`."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# The aggregated-from key of this entry follows on the next line of the file.
[[audits.google.audits.proc-macro2]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
delta = "1.0.84 -> 1.0.85"
notes = "Test-only changes."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.quote]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.35" notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for benign \"net\" hit in tests and \"fs\" hit in README.md) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.quote]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "1.0.35 -> 1.0.36" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.ring]] who = "Laura Peskin " criteria = "safe-to-deploy" delta = "0.16.12 -> 0.16.20" notes = """ Reviewed on: https://fxrev.dev/923001 (0.16.13 -> 0.16.20) Reviewed on: https://fxrev.dev/716624 (0.16.12 -> 0.16.13) """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.rustversion]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.14" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for: * Using trivially-safe `unsafe` in test code: ``` tests/test_const.rs:unsafe fn _unsafe() {} tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() }; ``` * Using `unsafe` in a string: ``` src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe, ``` * Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` which is later read back via `include!` used in `src/lib.rs`. 
Version `1.0.6` of this crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.rustversion]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "1.0.14 -> 1.0.15" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.197" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. There were some hits for `net`, but they were related to serialization and not actually opening any connections or anything like that. There were 2 hits of `unsafe` when grepping: * In `fn as_str` in `impl Buf` * In `fn serialize` in `impl Serialize for net::Ipv4Addr` Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this review also covered `serde_json_lenient`). Version 1.0.130 of the crate has been added to Chromium in https://crrev.com/c/3265545. The CL description contains a link to a (Google-internal, sorry) document with a mini security review. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde]] who = "Dustin J. 
Mitchell " criteria = "safe-to-deploy" delta = "1.0.197 -> 1.0.198" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde_derive]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.197" notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde_derive]] who = "danakj " criteria = "safe-to-deploy" delta = "1.0.197 -> 1.0.201" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.sha1]] who = "David Koloski " criteria = "safe-to-deploy" version = "0.10.5" notes = "Reviewed on https://fxrev.dev/712371." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.stable_deref_trait]] who = "George Burgess IV " criteria = "safe-to-run" version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.static_assertions]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.1.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits except for one `unsafe`. The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code never runs) and is only introduced for some compile-time checks. Additional unsafe review comments can be found in https://crrev.com/c/5353376. This crate has been added to Chromium in https://crrev.com/c/3736562. The CL description contains a link to a document with an additional security review. 
""" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.strsim]] who = "danakj@chromium.org" criteria = "safe-to-deploy" version = "0.10.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.strum]] who = "danakj@chromium.org" criteria = "safe-to-deploy" version = "0.25.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.strum_macros]] who = "danakj@chromium.org" criteria = "safe-to-deploy" version = "0.25.3" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.tinytemplate]] who = "Ying Hsu " criteria = "safe-to-run" version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.tinyvec]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.6.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for some \"unsafe\" appearing in comments: ``` src/arrayvec.rs: // Note: This shouldn't use A::CAPACITY, because unsafe code can't rely on src/lib.rs://! 
All of this is done with no `unsafe` code within the crate. Technically the src/lib.rs://! `Vec` type from the standard library uses `unsafe` internally, but *this src/lib.rs://! crate* introduces no new `unsafe` code into your project. src/array.rs:/// Just a reminder: this trait is 100% safe, which means that `unsafe` code ``` This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/24773c33e1b7a1b5069b9399fd034375995f290b """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.tinyvec_macros]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.tokio-stream]] who = "David Koloski " criteria = "safe-to-deploy" version = "0.1.11" notes = "Reviewed on https://fxrev.dev/804724" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.tokio-stream]] who = "David Koloski " criteria = "safe-to-deploy" delta = "0.1.11 -> 0.1.14" notes = "Reviewed on https://fxrev.dev/907732." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.unicode-ident]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.12" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. All two functions from the public API of this crate use `unsafe` to avoid bound checks for an array access. Cross-module analysis shows that the offsets can be statically proven to be within array bounds. More details can be found in the unsafe review CL at https://crrev.com/c/5350386. 
This crate has been added to Chromium in https://crrev.com/c/3891618. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.9.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.void]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.isrg.audits.aes]] who = "Tim Geoghegan " criteria = "safe-to-deploy" delta = "0.8.3 -> 0.8.4" notes = """ Change affects some unsafe code. The only functional change is to add an assertion checking alignment and to change an `as *mut u32` cast to a call to `std::pointer::cast`. 
""" [[audits.isrg.audits.base64]] who = "Tim Geoghegan " criteria = "safe-to-deploy" delta = "0.21.0 -> 0.21.1" [[audits.isrg.audits.base64]] who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "0.21.1 -> 0.21.2" [[audits.isrg.audits.base64]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.21.2 -> 0.21.3" [[audits.isrg.audits.block-buffer]] who = "David Cook " criteria = "safe-to-deploy" version = "0.9.0" [[audits.isrg.audits.criterion]] who = "Brandon Pitman " criteria = "safe-to-run" delta = "0.4.0 -> 0.5.1" [[audits.isrg.audits.crunchy]] who = "David Cook " criteria = "safe-to-deploy" version = "0.2.2" [[audits.isrg.audits.digest]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.10.6 -> 0.10.7" [[audits.isrg.audits.either]] who = "David Cook " criteria = "safe-to-deploy" version = "1.6.1" [[audits.isrg.audits.getrandom]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.2.11 -> 0.2.12" [[audits.isrg.audits.getrandom]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.2.12 -> 0.2.14" [[audits.isrg.audits.getrandom]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.2.14 -> 0.2.15" [[audits.isrg.audits.hmac]] who = "David Cook " criteria = "safe-to-deploy" version = "0.12.1" [[audits.isrg.audits.keccak]] who = "David Cook " criteria = "safe-to-deploy" version = "0.1.2" [[audits.isrg.audits.keccak]] who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "0.1.2 -> 0.1.3" [[audits.isrg.audits.keccak]] who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.4" [[audits.isrg.audits.num-bigint]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.4.3 -> 0.4.4" [[audits.isrg.audits.num-integer]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.1.45 -> 0.1.46" [[audits.isrg.audits.num-iter]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.1.43 -> 0.1.44" [[audits.isrg.audits.num-iter]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.1.44 -> 0.1.45" 
# ISRG-sourced audits. The entries in this run carry only who, criteria and a
# version or delta: none has notes or an aggregated-from key.

# num-traits: four consecutive deltas, 0.2.15 -> 0.2.19. The 0.2.15 baseline is
# the Mozilla-sourced full audit further down in this file.
[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.15 -> 0.2.16"

[[audits.isrg.audits.num-traits]]
who = "Ameer Ghani "
criteria = "safe-to-deploy"
delta = "0.2.16 -> 0.2.17"

[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.17 -> 0.2.18"

[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.18 -> 0.2.19"

[[audits.isrg.audits.once_cell]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.18.0 -> 1.19.0"

[[audits.isrg.audits.opaque-debug]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.3.0"

[[audits.isrg.audits.rand_chacha]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.3.1"

[[audits.isrg.audits.rand_core]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.6.3"

# rayon: deltas 1.6.1 -> 1.10.0. The chain starts from the Mozilla-sourced
# entries later in this file (full audit of 1.5.3 and delta 1.5.3 -> 1.6.1),
# so trust in these versions spans two audit sources.
[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"

[[audits.isrg.audits.rayon]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"

[[audits.isrg.audits.rayon]]
who = "Ameer Ghani "
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"

[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.9.0"

[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 1.10.0"

[[audits.isrg.audits.rayon-core]]
who = "Ameer Ghani "
criteria = "safe-to-deploy"
version = "1.12.1"

# sha3: full audit of 0.10.6 plus deltas up to 0.10.8, all from this source.
[[audits.isrg.audits.sha3]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.10.6"

[[audits.isrg.audits.sha3]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.10.6 -> 0.10.7"

[[audits.isrg.audits.sha3]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.10.7 -> 0.10.8"

[[audits.isrg.audits.thiserror]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.0.40 -> 1.0.43"

[[audits.isrg.audits.thiserror-impl]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.0.40 -> 1.0.43"

# universal-hash: the full audit (0.4.1) and the delta (0.5.0 -> 0.5.1) do not
# connect to each other; a 0.5.x baseline has to come from another entry.
[[audits.isrg.audits.universal-hash]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.4.1"

[[audits.isrg.audits.universal-hash]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.5.1"

[[audits.isrg.audits.untrusted]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.7.1"

[[audits.isrg.audits.wasm-bindgen-shared]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.2.83"

# Wildcard audit: instead of a version or delta, it vouches for releases of
# core-foundation-sys published by crates.io user-id 5946 between `start` and
# `end`. The [[publisher.core-foundation-sys]] record near the top of this file
# (0.8.4, published 2023-04-03 by user-id 5946) falls inside that window.
# Releases published after `end` are not covered by this entry, and
# `renew = false` opts it out of cargo-vet's renewal prompts.
[[audits.mozilla.wildcard-audits.core-foundation-sys]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2020-10-14"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Delta-only entry: no ahash baseline appears next to it in this run.
[[audits.mozilla.audits.ahash]]
who = "Erich Gubler "
criteria = "safe-to-deploy"
delta = "0.8.7 -> 0.8.11"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The auditor states they are the crate's author and names a second reviewer.
# The aggregated-from key of this entry follows on the next line of the file.
[[audits.mozilla.audits.android_system_properties]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
# Continues the entry opened on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# android_system_properties: two deltas, 0.1.2 -> 0.1.5.
[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# anyhow: every entry in this run is a delta; no full-version audit of anyhow
# appears here, so the chain needs a baseline recorded elsewhere.
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.61"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# NOTE(review): this delta is recorded from the newer version (1.0.58) to the
# older one (1.0.57). It links 1.0.58 to the 1.0.57 -> 1.0.61 chain only in
# that direction; confirm the direction is what the upstream audit intends.
[[audits.mozilla.audits.anyhow]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.57"
notes = "No functional differences, just CI config and docs."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.62"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.62 -> 1.0.68"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.68 -> 1.0.69"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The auditor states they own the crate, so this is an owner attestation rather
# than a third-party review.
# The aggregated-from key of this entry follows on the next line of the file.
[[audits.mozilla.audits.bit-set]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
# Continues the entry opened on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.bit-set]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.5.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The auditor states they own the crate, so this is an owner attestation rather
# than a third-party review.
[[audits.mozilla.audits.bit-vec]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Delta-only entry: a block-buffer 0.10.2 baseline must come from another
# entry.
[[audits.mozilla.audits.block-buffer]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# cc: the two deltas come from different Mozilla audit files (mozilla-central
# on hg.mozilla.org, then mozilla/glean on GitHub), as the aggregated-from
# values show.
[[audits.mozilla.audits.cc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.73 -> 1.0.78"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.cc]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.crossbeam-channel]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.5.8 -> 0.5.11"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

# The aggregated-from key of this entry follows on the next line of the file.
[[audits.mozilla.audits.crossbeam-channel]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.5.11 -> 0.5.12"
notes = "Minimal change fixing a memory leak."
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.crossbeam-queue]] who = "Matthew Gregan " criteria = "safe-to-deploy" version = "0.3.8" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.crypto-common]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.debugid]] who = "Gabriele Svelto " criteria = "safe-to-deploy" version = "0.8.0" notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.deranged]] who = "Alex Franchuk " criteria = "safe-to-deploy" version = "0.3.11" notes = """ This crate contains a decent bit of `unsafe` code, however all internal unsafety is verified with copious assertions (many are compile-time), and otherwise the unsafety is documented and left to the caller to verify. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.digest]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.3 -> 0.10.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.displaydoc]] who = "Makoto Kato " criteria = "safe-to-deploy" version = "0.2.3" notes = """ This crate is convenient macros to implement core::fmt::Display trait. Although `unsafe` is used for test code to call `libc::abort()`, it has no `unsafe` code in this crate. And there is no file access. It meets the criteria for safe-to-deploy. 
""" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.displaydoc]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.2.3 -> 0.2.4" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.document-features]] who = "Erich Gubler " criteria = "safe-to-deploy" version = "0.2.8" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.either]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.6.1 -> 1.7.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.either]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.7.0 -> 1.8.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.either]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.8.0 -> 1.8.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.errno]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.1 -> 0.3.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fastrand]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.9.0 -> 2.0.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." 
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-channel]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-core]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-executor]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-io]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-macro]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.21 -> 0.3.23" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-macro]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.23 -> 0.3.25" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-macro]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-macro]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-util]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.21 -> 0.3.23" aggregated-from = 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-util]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.23 -> 0.3.25" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-util]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-util]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.half]] who = "John M. Schanck " criteria = "safe-to-deploy" version = "1.8.2" notes = """ This crate contains unsafe code for bitwise casts to/from binary16 floating-point format. I've reviewed these and found no issues. There are no uses of ambient capabilities. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hashbrown]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.12.3" notes = "This version is used in rust's libstd, so effectively we're already trusting it" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.lazy_static]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "1.4.0" notes = "I have read over the macros, and audited the unsafe code." 
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.litrs]] who = "Erich Gubler " criteria = "safe-to-deploy" version = "0.4.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.log]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.4.17" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.log]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "0.4.17 -> 0.4.18" notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.log]] who = "Kagami Sascha Rosylight " criteria = "safe-to-deploy" delta = "0.4.18 -> 0.4.20" notes = "Only cfg attribute and internal macro changes and module refactorings" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.memmap2]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.5.4 -> 0.5.7" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memmap2]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.5.7 -> 0.5.8" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memmap2]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.5.8 -> 0.5.9" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memmap2]] who = "Gabriele Svelto " criteria = "safe-to-deploy" delta = "0.5.9 -> 0.8.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memmap2]] who = "Mike Hommey " 
# Continues the entry opened on the preceding line (its header and `who` key
# are there).
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.9.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# num-bigint, num-integer and num-traits below: the `who` field and the note
# name the same person, so each entry is an attestation by someone who wrote or
# reviewed the code rather than an after-the-fact third-party review. These
# full audits are the baselines for the ISRG-sourced num-* deltas earlier in
# this file.
[[audits.mozilla.audits.num-bigint]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The note records what the auditor looked for: dependencies, `unsafe`,
# `extern` and side-effecting std functions.
[[audits.mozilla.audits.num-conv]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """ Very straightforward, simple crate. No dependencies, unsafe, extern, side-effectful std functions, etc. """
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.num-integer]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The aggregated-from key of this entry follows on the next line of the file.
[[audits.mozilla.audits.num-traits]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
# Continues the entry opened on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The four entries below are delta audits without notes.
[[audits.mozilla.audits.percent-encoding]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.2.0 -> 2.3.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.percent-encoding]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.3.0 -> 2.3.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.phf_macros]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.0 -> 0.11.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.pkg-config]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The note says the crate contains a small amount of `unsafe` that the auditor
# judged valid; it does not link a separate review record.
[[audits.mozilla.audits.powerfmt]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.2.0"
notes = """ A tiny bit of unsafe code to implement functionality that isn't in stable rust yet, but it's all valid. Otherwise it's a pretty simple crate. """
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Baseline for this delta is the ISRG-sourced full audit of rand_core 0.6.3
# earlier in this file.
[[audits.mozilla.audits.rand_core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.6.3 -> 0.6.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The `who` field names one of the two people the note credits with writing or
# reviewing the code, so this is an attestation by a contributor.
# The aggregated-from key of this entry follows on the next line of the file.
[[audits.mozilla.audits.rayon]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "1.5.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.rayon]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.5.3 -> 1.6.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.regex-syntax]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.6.26 -> 0.6.27" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.regex-syntax]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.6.27 -> 0.6.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.serde]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "1.0.198 -> 1.0.201" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.subtle]] who = "Simon Friedberger " criteria = "safe-to-deploy" version = "2.5.0" notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.syn]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.96 -> 1.0.99" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.syn]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.99 -> 1.0.107" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time]] who = "Alex Franchuk " criteria = "safe-to-deploy" delta = "0.3.23 -> 0.3.36" notes = """ There's a bit of new unsafe code that is self-imposed because they now assert that ordinals are non-zero. 
All unsafe code was checked to ensure that the invariants claimed were true. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-core]] who = "Kershaw Chang " criteria = "safe-to-deploy" version = "0.1.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-core]] who = "Kershaw Chang " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-core]] who = "Alex Franchuk " criteria = "safe-to-deploy" delta = "0.1.1 -> 0.1.2" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-macros]] who = "Kershaw Chang " criteria = "safe-to-deploy" version = "0.2.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-macros]] who = "Kershaw Chang " criteria = "safe-to-deploy" delta = "0.2.6 -> 0.2.10" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.time-macros]] who = "Alex Franchuk " criteria = "safe-to-deploy" delta = "0.2.10 -> 0.2.18" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.tinystr]] who = "Makoto Kato " criteria = "safe-to-deploy" version = "0.7.0" notes = "One of the original authors was Zibi Braniecki, who worked at Mozilla, and the crate is maintained by ICU4X developers (Google and Mozilla). I've vetted the one instance of unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.tinystr]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.tinystr]] who = "Makoto Kato " criteria = "safe-to-deploy" delta = "0.7.1 -> 0.7.4" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.tinystr]] who = "Makoto Kato " criteria = "safe-to-deploy" delta = "0.7.4 -> 0.7.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.toml]] who = "Bobby Holley " criteria = "safe-to-deploy" delta = "0.5.7 -> 0.5.9" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.toml]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.5.9 -> 0.5.10" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.toml]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.5.10 -> 0.5.11" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.zerocopy]] who = "Alex Franchuk " criteria = "safe-to-deploy" version = "0.7.32" notes = """ This crate is `no_std` so doesn't use any side-effectful std functions. It contains quite a lot of `unsafe` code, however. I verified portions of this. It also has a large, thorough test suite. The project claims to run tests with Miri to have stronger soundness checks, and also claims to use formal verification tools to prove correctness. 
""" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.zerocopy-derive]] who = "Alex Franchuk " criteria = "safe-to-deploy" version = "0.7.32" notes = "Clean, safe macros for zerocopy." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.zcash.audits.ahash]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.6 -> 0.8.7" notes = "Build-time `stdsimd` detection is replaced with a nightly-only feature flag." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.aho-corasick]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.1.2 -> 1.1.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.allocator-api2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.16 -> 0.2.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.71 -> 1.0.75" notes = """ `unsafe` changes are migrating from `core::any::Demand` to `std::error::Request` when the nightly features are available. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.75 -> 1.0.77" notes = """ - Build script changes are to rerun cargo if the `RUSTC_BOOTSTRAP` env variable changes, and enable a few more `rustc` config flags. - Some `unsafe fn`s were altered to add `unsafe` blocks, to make the safety contracts in the code clearer (instead of using the `unsafe fn`'s implicit `unsafe` block); no actual `unsafe` changes were made. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.77 -> 1.0.79" notes = """ Build script changes are to refactor the existing probe into a separate file (which removes a filesystem write), and adjust how it gets rerun in response to changes in the build environment. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.anyhow]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.79 -> 1.0.82" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.arrayref]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.3.6 -> 0.3.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.backtrace]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.69 -> 0.3.71" notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.base64]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.21.3 -> 0.21.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.base64]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.21.4 -> 0.21.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.base64]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.21.5 -> 0.21.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.blake2b_simd]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.0.2" notes = "Switches to `constant_time_eq 0.3.0`, which bumps its MSRV to 1.66." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.blake2s_simd]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.0.2" notes = "Switches to `constant_time_eq 0.3.0`, which bumps its MSRV to 1.66." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.block-buffer]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.bs58]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.bumpalo]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "3.15.4 -> 3.16.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.bytes]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.5.0 -> 1.6.0" notes = """ There is significant use of `unsafe` code, but safety requirements are well documented and appear correct as far as I can see. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.cc]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.83 -> 1.0.94" notes = """ The optimization to use `buffer.set_len(buffer.capacity())` in `command_helpers::StderrForwarder::forward_available` doesn't look panic-safe: if `stderr.read` panics and that panic is caught by a caller of `forward_available`, then the inner buffer of `StderrForwarder` will contain uninitialized data. This looks difficult to trigger in practice, but I have opened an issue . `parallel::async_executor` contains `unsafe` pinning code but it looks reasonable. Similarly for the `unsafe` initialization code in `parallel::job_token::JobTokenServer` and file operations in `parallel::stderr`. This crate executes commands, and my review is likely not sufficient to detect subtle backdoors. I did not review the use of library handles in the `com` package on Windows. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.constant_time_eq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.4 -> 0.2.5" notes = "No code changes." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.constant_time_eq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.5 -> 0.2.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.constant_time_eq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.6 -> 0.3.0" notes = "Replaces some `unsafe` code by bumping MSRV to 1.66 (to access `core::hint::black_box`)." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.cpufeatures]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.11 -> 0.2.12" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.crossbeam-deque]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.3 -> 0.8.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.crossbeam-deque]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.8.4 -> 0.8.5" notes = "Changes to `unsafe` code look okay." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.crossbeam-epoch]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.9.15 -> 0.9.16" notes = "Moved an `unsafe` block while removing `scopeguard` dependency." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.crossbeam-epoch]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.9.16 -> 0.9.17" notes = """ Changes to `unsafe` code are to replace manual pointer logic with equivalent `unsafe` stdlib methods, now that MSRV is high enough to use them. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.crossbeam-epoch]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.9.17 -> 0.9.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.der]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.7.8 -> 0.7.9" notes = "The change to ignore RUSTSEC-2023-0071 is correct for this crate." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.either]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.8.1 -> 1.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.either]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.9.0 -> 1.11.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.3 -> 0.3.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.fastrand]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.0.1 -> 2.0.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.29" aggregated-from = 
"https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.29" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.futures-task]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.hermit-abi]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.3 -> 0.3.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.http]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.8 -> 0.2.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.http]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.11 -> 0.2.12" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.http]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.0 -> 0.2.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" version = "0.1.3" notes = "Reviewed in full." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.js-sys]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.66 -> 0.3.69" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.known-folders]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "1.0.1" notes = """ Uses `unsafe` blocks to interact with `windows-sys` crate. - `SHGetKnownFolderPath` safety requirements are met. - `CoTaskMemFree` has no effect if passed `NULL`, so there is no issue if some future refactor created a pathway where `ffi::Guard` could be dropped before `SHGetKnownFolderPath` is called. 
- Small nit: `ffi::Guard::as_pwstr` takes `&self` but returns `PWSTR` which is the mutable type; it should instead return `PCWSTR` which is the const type (and what `lstrlenW` takes) instead of implicitly const-casting the pointer, as this would better reflect the intent to take an immutable reference. - The slice constructed from the `PWSTR` correctly goes out of scope before `guard` is dropped. - A code comment says that `path_ptr` is valid for `len` bytes, but `PCWSTR` is a `*const u16` and `lstrlenW` returns its length \"in characters\" (which the Windows documentation confirms means the number of `WCHAR` values). This is likely a typo; the code checks that `len * size_of::() <= isize::MAX`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.known-folders]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.1.0" notes = "Addresses the notes from my previous review :)" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.libm]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.7 -> 0.2.8" notes = "Forces some intermediate values to not have too much precision on the x87 FPU." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.libredox]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.0.1 -> 0.1.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.linux-raw-sys]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.12 -> 0.4.13" notes = "Low-level OS interface crate, so `unsafe` code is expected." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.log]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.20 -> 0.4.21" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.maybe-rayon]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.memchr]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.6.4 -> 2.7.1" notes = """ Change to an `unsafe fn` is to rework the short-tail handling of a fixed-length comparison between `u8` pointers. The new tail code matches the existing head code (but adapted to `u16` and `u8` reads, instead of `u32`). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.memchr]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.7.1 -> 2.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.miniz_oxide]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.7.1 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.mio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.8.10 -> 0.8.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.nix]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.26.2 -> 0.26.4" notes = """ Most of the `unsafe` changes are cleaning up their usage: - Replacing `data.len() * std::mem::size_of::<$ty>()` with `std::mem::size_of_val(data)`. - Removing some `mem::transmute`s. - Using `*mut` instead of `*const` to convey intended semantics. 
A new unsafe trait method `SockaddrLike::set_length` is added; its impls look fine. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.object]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.32.1 -> 0.32.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.opaque-debug]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = """ Mostly modernisation, migrating to `PhfBorrow`, and making more things `&'static`. No unsafe code in the new `OrderedMap` and `OrderedSet` types. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = "Just dependency and edition bumps and code formatting." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = """ Adds `uncased` dependency, and newly generates unsafe code to transmute `&'static str` into `&'static UncasedStr`. I verified that `UncasedStr` is a `#[repr(transparent)]` newtype around `str`.
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.pin-project-lite]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.13 -> 0.2.14" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.proc-macro-crate]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.2.1 -> 1.3.0" notes = "Migrates from `toml` to `toml_edit`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.proc-macro-crate]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.3.0 -> 1.3.1" notes = "Bumps MSRV to 1.60." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rand_xorshift]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.3.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.redjubjub]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" version = "0.7.0" notes = """ This crate is a thin wrapper around the `reddsa` crate, which I did not review. I also did not review tests or verify test vectors. The comment on `batch::Verifier::verify` has an error in the batch verification equation, filed as https://github.com/ZcashFoundation/redjubjub/issues/163 . It does not affect the implementation which just delegates to `reddsa`. `reddsa` has the same comment bug filed as https://github.com/ZcashFoundation/reddsa/issues/52 , but its batch verification implementation is correct. 
(I checked the latter against https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate which has had previous cryptographic review by NCC group; see finding NCC-Zcash2018-009 in https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf ). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.redox_users]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.3 -> 0.4.4" notes = "Switches from `redox_syscall` crate to `libredox` crate for syscalls." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.redox_users]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.4 -> 0.4.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.regex]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.10.2 -> 1.10.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.regex-automata]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.3 -> 0.4.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.regex-syntax]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.6.28 -> 0.6.29" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.regex-syntax]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.5 -> 0.8.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.regex-syntax]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.8.2 -> 0.8.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" 
[[audits.zcash.audits.rustc-demangle]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.1.21 -> 0.1.22" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.22 -> 0.1.23" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rustc_version]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.4.0" notes = """ Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will try `$RUSTC` followed by `rustc`. If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should be set correctly by `cargo`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.scopeguard]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.2.0" notes = "Only change to an `unsafe` block is to replace a `mem::forget` with `ManuallyDrop`." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.17 -> 1.0.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.18 -> 1.0.19" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.19 -> 1.0.20" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.semver]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.20 -> 1.0.22" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.sharded-slab]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.4 -> 0.1.7" notes = "Only change to an `unsafe` block is to fix a clippy lint." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.signature]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" version = "2.1.0" notes = """ This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations. I did not review whether implementing these APIs would present any undocumented cryptographic hazards. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.signature]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.1.0 -> 2.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.siphasher]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.10 -> 0.3.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.socket2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.5.5 -> 0.5.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.107 -> 1.0.109" notes = "Fixes string literal parsing to only skip specified whitespace characters." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.8.1 -> 3.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.tempfile]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "3.9.0 -> 3.10.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.43 -> 1.0.48" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.48 -> 1.0.51" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.51 -> 1.0.52" notes = "Reruns the 
build script if the `RUSTC_BOOTSTRAP` env variable changes." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.52 -> 1.0.56" notes = """ Build script changes are to refactor the existing probe into a separate file (which removes a filesystem write), and adjust how it gets rerun in response to changes in the build environment. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.56 -> 1.0.58" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.43 -> 1.0.48" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.48 -> 1.0.51" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.51 -> 1.0.52" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.52 -> 1.0.56" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thiserror-impl]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.56 -> 1.0.58" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thread_local]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.4 -> 1.1.7" notes = 
""" New `unsafe` usage: - An extra `deallocate_bucket`, to replace a `Mutex::lock` with a `compare_exchange`. - Setting and getting a `#[thread_local] static mut Option` on nightly. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.thread_local]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.1.7 -> 1.1.8" notes = """ Adds `unsafe` code that makes an assumption that `ptr::null_mut::<Entry<T>>()` is a valid representation of an `AtomicPtr<Entry<T>>`, but this is likely a correct assumption. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.tokio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.35.1 -> 1.37.0" notes = "Cursory review, but new and changed uses of `unsafe` code look fine, as far as I can see." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.5.1" notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.1 -> 0.6.1" notes = "Fixes a bug in parsing negative minutes in datetime string offsets." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.2 -> 0.6.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.tracing-subscriber]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.17 -> 0.3.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.try-lock]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.4 -> 0.2.5" notes = "Bumps MSRV to remove unsafe code block." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.universal-hash]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.4.1 -> 0.5.0" notes = "I checked correctness of to_blocks which uses unsafe code in a safe function." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters-1]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters-2]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters-3]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters-4]] 
who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters-5]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wagyu-zcash-parameters-6]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.want]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" notes = """ Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked `unsafe` (but that were being used safely). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-backend]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.89 -> 0.2.92" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-macro]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.89 -> 0.2.92" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-macro-support]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" version = "0.2.92" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.83 -> 0.2.84" notes = "Bumps the schema version to add `linked_modules`." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.84 -> 0.2.87" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.87 -> 0.2.89" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.89 -> 0.2.92" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.web-sys]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.66 -> 0.3.69" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"