1322 lines
45 KiB
Plaintext
1322 lines
45 KiB
Plaintext
|
|
# cargo-vet imports lock
|
|
|
|
[[publisher.bridgetree]]
|
|
version = "0.4.0"
|
|
when = "2023-09-08"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[publisher.bumpalo]]
|
|
version = "3.14.0"
|
|
when = "2023-09-14"
|
|
user-id = 696
|
|
user-login = "fitzgen"
|
|
user-name = "Nick Fitzgerald"
|
|
|
|
[[publisher.equihash]]
|
|
version = "0.2.0"
|
|
when = "2022-06-24"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[publisher.f4jumble]]
|
|
version = "0.1.0"
|
|
when = "2022-05-10"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[publisher.halo2_gadgets]]
|
|
version = "0.3.0"
|
|
when = "2023-03-22"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.halo2_legacy_pdqsort]]
|
|
version = "0.1.0"
|
|
when = "2023-03-10"
|
|
user-id = 199950
|
|
user-login = "daira"
|
|
user-name = "Daira Hopwood"
|
|
|
|
[[publisher.halo2_proofs]]
|
|
version = "0.3.0"
|
|
when = "2023-03-22"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.incrementalmerkletree]]
|
|
version = "0.5.0"
|
|
when = "2023-09-08"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[publisher.orchard]]
|
|
version = "0.6.0"
|
|
when = "2023-09-08"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[publisher.windows-sys]]
|
|
version = "0.48.0"
|
|
when = "2023-03-31"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows-targets]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_aarch64_gnullvm]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_aarch64_msvc]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_gnu]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_i686_msvc]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_gnu]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_gnullvm]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.windows_x86_64_msvc]]
|
|
version = "0.48.5"
|
|
when = "2023-08-18"
|
|
user-id = 64539
|
|
user-login = "kennykerr"
|
|
user-name = "Kenny Kerr"
|
|
|
|
[[publisher.zcash_address]]
|
|
version = "0.3.0"
|
|
when = "2023-06-06"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.zcash_encoding]]
|
|
version = "0.2.0"
|
|
when = "2022-10-19"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.zcash_history]]
|
|
version = "0.3.0"
|
|
when = "2022-05-11"
|
|
user-id = 1244
|
|
user-login = "ebfull"
|
|
|
|
[[publisher.zcash_note_encryption]]
|
|
version = "0.4.0"
|
|
when = "2023-06-06"
|
|
user-id = 169181
|
|
user-login = "nuttycom"
|
|
user-name = "Kris Nuttycombe"
|
|
|
|
[[publisher.zcash_primitives]]
|
|
version = "0.13.0-rc.1"
|
|
when = "2023-09-08"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[publisher.zcash_proofs]]
|
|
version = "0.13.0-rc.1"
|
|
when = "2023-09-08"
|
|
user-id = 6289
|
|
user-login = "str4d"
|
|
|
|
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 696 # Nick Fitzgerald (fitzgen)
|
|
start = "2019-03-16"
|
|
end = "2024-03-10"
|
|
|
|
[[audits.bytecode-alliance.audits.addr2line]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.19.0 -> 0.20.0"
|
|
notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update."
|
|
|
|
[[audits.bytecode-alliance.audits.addr2line]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.20.0 -> 0.21.0"
|
|
notes = "This version bump updated some dependencies and optimized some internals. All looks good."
|
|
|
|
[[audits.bytecode-alliance.audits.adler]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
|
|
|
|
[[audits.bytecode-alliance.audits.anyhow]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.69 -> 1.0.71"
|
|
|
|
[[audits.bytecode-alliance.audits.arrayref]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.6"
|
|
notes = """
|
|
Unsafe code, but its logic looks good to me. Necessary given what it is
|
|
doing. Well tested, has quickchecks.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.base64]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.21.0"
|
|
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
|
|
|
|
[[audits.bytecode-alliance.audits.bitflags]]
|
|
who = "Jamey Sharp <jsharp@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.1.0 -> 2.2.1"
|
|
notes = """
|
|
This version adds unsafe impls of traits from the bytemuck crate when built
|
|
with that library enabled, but I believe the impls satisfy the documented
|
|
safety requirements for bytemuck. The other changes are minor.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.bitflags]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.3.2 -> 2.3.3"
|
|
notes = """
|
|
Nothing outside the realm of what one would expect from a bitflags generator,
|
|
all as expected.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.block-buffer]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.2"
|
|
|
|
[[audits.bytecode-alliance.audits.cfg-if]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.constant_time_eq]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."
|
|
|
|
[[audits.bytecode-alliance.audits.crypto-common]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
|
|
[[audits.bytecode-alliance.audits.digest]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.3"
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.0 -> 0.3.1"
|
|
notes = "Just a dependency version bump and a bug fix for redox"
|
|
|
|
[[audits.bytecode-alliance.audits.errno-dragonfly]]
|
|
who = "Jamey Sharp <jsharp@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
notes = "This should be portable to any POSIX system and seems like it should be part of the libc crate, but at any rate it's safe as is."
|
|
|
|
[[audits.bytecode-alliance.audits.futures-channel]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-core]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
|
|
|
|
[[audits.bytecode-alliance.audits.gimli]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.27.0 -> 0.27.3"
|
|
notes = "More support for more DWARF, nothing major in this update. Some small refactorings and updates to publication of the package but otherwise everything's in order."
|
|
|
|
[[audits.bytecode-alliance.audits.gimli]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.27.3 -> 0.28.0"
|
|
notes = """
|
|
Still looks like a good DWARF-parsing crate, nothing major was added or deleted
|
|
and no `unsafe` code to review here.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.hashbrown]]
|
|
who = "Chris Fallin <chris@cfallin.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.12.3 -> 0.13.1"
|
|
notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."
|
|
|
|
[[audits.bytecode-alliance.audits.hashbrown]]
|
|
who = "Trevor Elliott <telliott@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.13.1 -> 0.13.2"
|
|
notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did."
|
|
|
|
[[audits.bytecode-alliance.audits.libm]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.2 -> 0.2.4"
|
|
notes = """
|
|
This diff primarily fixes a few issues with the `fma`-related functions,
|
|
but also contains some other minor fixes as well. Everything looks A-OK and
|
|
as expected.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.libm]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.4 -> 0.2.7"
|
|
notes = """
|
|
This is a minor update which has some testing affordances as well as some
|
|
updated math algorithms.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.matchers]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.memoffset]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.1 -> 0.8.0"
|
|
notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."
|
|
|
|
[[audits.bytecode-alliance.audits.miniz_oxide]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
notes = """
|
|
This crate is a Rust implementation of zlib compression/decompression and has
|
|
been used by default by the Rust standard library for quite some time. It's also
|
|
a default dependency of the popular `backtrace` crate for decompressing debug
|
|
information. This crate forbids unsafe code and does not otherwise access system
|
|
resources. It's originally a port of the `miniz.c` library as well, and given
|
|
its own longevity should be relatively hardened against some of the more common
|
|
compression-related issues.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.object]]
|
|
who = "Jamey Sharp <jsharp@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.30.1 -> 0.30.3"
|
|
notes = """
|
|
No unsafe blocks or I/O in the diff. The only changes clearly implement what
|
|
the changelog says is new in these versions.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.object]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.30.3 -> 0.31.1"
|
|
notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary."
|
|
|
|
[[audits.bytecode-alliance.audits.object]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.31.1 -> 0.32.0"
|
|
notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good."
|
|
|
|
[[audits.bytecode-alliance.audits.pin-utils]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.proc-macro2]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.51 -> 1.0.57"
|
|
|
|
[[audits.bytecode-alliance.audits.proc-macro2]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.59 -> 1.0.63"
|
|
notes = """
|
|
This is a routine update for new nightly features and new syntax popping up on
|
|
nightly, nothing out of the ordinary.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.quote]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.23 -> 1.0.27"
|
|
|
|
[[audits.bytecode-alliance.audits.rustc-demangle]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.21"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.semver]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.17"
|
|
notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"
|
|
|
|
[[audits.bytecode-alliance.audits.tempfile]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "3.3.0 -> 3.5.0"
|
|
|
|
[[audits.bytecode-alliance.audits.tinyvec]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.0"
|
|
notes = """
|
|
This crate, while it implements collections, does so without `std::*` APIs and
|
|
without `unsafe`. Skimming the crate everything looks reasonable and what one
|
|
would expect from idiomatic safe collections in Rust.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.tinyvec_macros]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = """
|
|
This is a trivial crate which only contains a singular macro definition which is
|
|
intended to multiplex across the internal representation of a tinyvec,
|
|
presumably. This trivially doesn't contain anything bad.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.try-lock]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"
|
|
|
|
[[audits.bytecode-alliance.audits.unicode-ident]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.8"
|
|
|
|
[[audits.bytecode-alliance.audits.unicode-normalization]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.19"
|
|
notes = """
|
|
This crate contains one usage of `unsafe` which I have manually checked to see
|
|
it as correct. This crate's size comes in large part due to the generated
|
|
unicode tables that it contains. This crate is additionally widely used
|
|
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
|
|
and nothing suspicious.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.want]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.embark-studios.audits.anyhow]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.58"
|
|
|
|
[[audits.embark-studios.audits.tap]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.thiserror]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.thiserror-impl]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.toml_datetime]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.1 -> 0.6.2"
|
|
notes = "No notable changes"
|
|
|
|
[[audits.embark-studios.audits.valuable]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = "No unsafe usage or ambient capabilities, sane build script"
|
|
|
|
[[audits.google.audits.cxxbridge-flags]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.106 -> 1.0.107"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.fastrand]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.0"
|
|
notes = """
|
|
`does-not-implement-crypto` is certified because this crate explicitly says
|
|
that the RNG here is not cryptographically secure.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.httpdate]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.3"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.link-cplusplus]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.9"
|
|
notes = """
|
|
This crate exists simply to link with libcxx or libstdcxx. No assertions
|
|
are made about the safety of either of those libraries. :)
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.9"
|
|
notes = "Reviewed on https://fxrev.dev/824504"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.version_check]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.isrg.audits.aes]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.2 -> 0.8.3"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.0 -> 0.21.1"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.1 -> 0.21.2"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.2 -> 0.21.3"
|
|
|
|
[[audits.isrg.audits.block-buffer]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.isrg.audits.crunchy]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.2"
|
|
|
|
[[audits.isrg.audits.digest]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.6 -> 0.10.7"
|
|
|
|
[[audits.isrg.audits.either]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.1"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.17"
|
|
notes = """
|
|
This crate does not contain any unsafe code, and does not use any items from
|
|
the standard library or other crates, aside from operations backed by
|
|
`std::ops`. All paths with array indexing use integer literals for indexes, so
|
|
there are no panics due to indexes out of bounds (as rustc would catch an
|
|
out-of-bounds literal index). I did not check whether arithmetic overflows
|
|
could cause a panic, and I am relying on the Coq code having satisfied the
|
|
necessary preconditions to ensure panics due to overflows are unreachable.
|
|
"""
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.17 -> 0.1.18"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.18 -> 0.1.19"
|
|
notes = """
|
|
This release renames many items and adds a new module. The code in the new
|
|
module is entirely composed of arithmetic and array accesses.
|
|
"""
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.2.0"
|
|
|
|
[[audits.isrg.audits.fiat-crypto]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.0 -> 0.2.1"
|
|
|
|
[[audits.isrg.audits.getrandom]]
|
|
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.9 -> 0.2.10"
|
|
notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`."
|
|
|
|
[[audits.isrg.audits.hmac]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.1"
|
|
|
|
[[audits.isrg.audits.num-bigint]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.3 -> 0.4.4"
|
|
|
|
[[audits.isrg.audits.num-traits]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.15 -> 0.2.16"
|
|
|
|
[[audits.isrg.audits.once_cell]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.17.1 -> 1.17.2"
|
|
|
|
[[audits.isrg.audits.once_cell]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.17.2 -> 1.18.0"
|
|
|
|
[[audits.isrg.audits.opaque-debug]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.isrg.audits.rand_chacha]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.1"
|
|
|
|
[[audits.isrg.audits.rand_core]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
|
|
[[audits.isrg.audits.rayon-core]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.10.2 -> 1.11.0"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.152 -> 1.0.153"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.153 -> 1.0.154"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.154 -> 1.0.155"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.156 -> 1.0.159"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.160 -> 1.0.162"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.162 -> 1.0.163"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.152 -> 1.0.153"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.153 -> 1.0.154"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.154 -> 1.0.155"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.156 -> 1.0.159"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.160 -> 1.0.162"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.162 -> 1.0.163"
|
|
|
|
[[audits.isrg.audits.serde_json]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.93 -> 1.0.94"
|
|
|
|
[[audits.isrg.audits.serde_json]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.94 -> 1.0.95"
|
|
|
|
[[audits.isrg.audits.sha2]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.2"
|
|
|
|
[[audits.isrg.audits.syn]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.104 -> 2.0.11"
|
|
|
|
[[audits.isrg.audits.thiserror]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.40 -> 1.0.43"
|
|
|
|
[[audits.isrg.audits.thiserror-impl]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.40 -> 1.0.43"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.0 -> 0.5.1"
|
|
|
|
[[audits.isrg.audits.untrusted]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
|
|
[[audits.isrg.audits.wasm-bindgen-shared]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.83"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.57 -> 1.0.61"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.58 -> 1.0.57"
|
|
notes = "No functional differences, just CI config and docs."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.61 -> 1.0.62"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.62 -> 1.0.68"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.autocfg]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.2"
|
|
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.2 -> 0.5.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-vec]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.3.2 -> 2.0.2"
|
|
notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.2 -> 2.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bitflags]]
|
|
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.2.1 -> 2.3.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.block-buffer]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.2 -> 0.10.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bytes]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.2.1 -> 1.3.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.7 -> 0.5.8"
|
|
notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-epoch]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.8 -> 0.9.10"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-epoch]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.10 -> 0.9.13"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-utils]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.8 -> 0.8.11"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-utils]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.11 -> 0.8.14"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.digest]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.3 -> 0.10.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fnv]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.7"
|
|
notes = "Simple hasher implementation with no unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-task]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.21 -> 0.3.23"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-task]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.23 -> 0.3.25"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.getrandom]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.7 -> 0.2.8"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hashbrown]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.3"
|
|
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hex]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.indexmap]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.1 -> 1.9.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.itoa]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.2 -> 1.0.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.itoa]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.3 -> 1.0.5"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.lazy_static]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = "I have read over the macros, and audited the unsafe code."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.17 -> 0.4.18"
|
|
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.mach2]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memoffset]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.5 -> 0.7.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nom]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "7.1.1 -> 7.1.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-bigint]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-integer]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.45"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-traits]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.15"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num_cpus]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.13.1 -> 1.14.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ppv-lite86]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.16 -> 0.2.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.39"
|
|
notes = """
|
|
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
|
|
`proc_macro` crate, or as a fallback implementation of the crate, depending on
|
|
where it is used.
|
|
|
|
If using this crate on older versions of rustc (1.56 and earlier), it will
|
|
temporarily replace the panic handler while initializing in order to detect if
|
|
it is running within a `proc_macro`, which could lead to surprising behaviour.
|
|
This should not be an issue for more recent compiler versions, which support
|
|
`proc_macro::is_available()`.
|
|
|
|
The `proc-macro2` crate's fallback behaviour is not identical to the complex
|
|
behaviour of the rustc compiler (e.g. it does not perform unicode normalization
|
|
for identifiers), however it behaves well enough for its intended use-case
|
|
(tests and scripts processing rust code).
|
|
|
|
`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
|
|
allow bypassing checks in the fallback implementation when constructing
|
|
`Literal` using `from_str_unchecked`. This was intended to only be used by the
|
|
`quote!` macro, however it has been removed
|
|
(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
|
|
and is likely completely unused. Even when used, this API shouldn't be able to
|
|
cause unsoundness.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.39 -> 1.0.43"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.43 -> 1.0.49"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.57 -> 1.0.59"
|
|
notes = "Enabled on Wasm"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.63 -> 1.0.66"
|
|
notes = "Removed special support for some really old Rust versions"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.18"
|
|
notes = """
|
|
`quote` is a utility crate used by proc-macros to generate TokenStreams
|
|
conveniently from source code. The bulk of the logic is some complex
|
|
interlocking `macro_rules!` macros which are used to parse and build the
|
|
`TokenStream` within the proc-macro.
|
|
|
|
This crate contains no unsafe code, and the internal logic, while difficult to
|
|
read, is generally straightforward. I have audited the the quote macros, ident
|
|
formatter, and runtime logic.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.18 -> 1.0.21"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.21 -> 1.0.23"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.27 -> 1.0.28"
|
|
notes = "Enabled on wasm targets"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.28 -> 1.0.31"
|
|
notes = "Minimal changes and removal of the build.rs"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rand_core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.3 -> 0.6.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.5.3"
|
|
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.5.3 -> 1.6.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon-core]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.3"
|
|
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.3 -> 1.10.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.10.1 -> 1.10.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.regex-syntax]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.27 -> 0.6.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ryu]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.11 -> 1.0.12"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.143 -> 1.0.144"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.144 -> 1.0.151"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.151 -> 1.0.152"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.163 -> 1.0.179"
|
|
notes = "Internal refactorings and some new trait implementations"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.143 -> 1.0.144"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.144 -> 1.0.151"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.151 -> 1.0.152"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.163 -> 1.0.179"
|
|
notes = "Internal refactorings and dependency updates"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.81 -> 1.0.83"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.83 -> 1.0.85"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.85 -> 1.0.91"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.91 -> 1.0.93"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.sha2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.2 -> 0.10.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.syn]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.18 -> 2.0.26"
|
|
notes = "Dependency update & internal refactorings"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.typenum]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.15.0 -> 1.16.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-ident]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.8 -> 1.0.9"
|
|
notes = "Dependency updates only"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.1.21"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.21 -> 0.1.22"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|