878 lines
32 KiB
Plaintext
878 lines
32 KiB
Plaintext
|
|
# cargo-vet imports lock
|
|
|
|
[[audits.bytecode-alliance.audits.arrayref]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.6"
|
|
notes = """
|
|
Unsafe code, but its logic looks good to me. Necessary given what it is
|
|
doing. Well tested, has quickchecks.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.arrayvec]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.2"
|
|
notes = """
|
|
Well documented invariants, good assertions for those invariants in unsafe code,
|
|
and tested with MIRI to boot. LGTM.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.base64]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.21.0"
|
|
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
|
|
|
|
[[audits.bytecode-alliance.audits.block-buffer]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.2"
|
|
|
|
[[audits.bytecode-alliance.audits.bumpalo]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "3.11.1"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.cfg-if]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.constant_time_eq]]
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."
|
|
|
|
[[audits.bytecode-alliance.audits.crypto-common]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
|
|
[[audits.bytecode-alliance.audits.digest]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.0 -> 0.10.3"
|
|
|
|
[[audits.bytecode-alliance.audits.errno]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
|
|
|
|
[[audits.bytecode-alliance.audits.futures-channel]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
|
|
|
|
[[audits.bytecode-alliance.audits.futures-core]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.27"
|
|
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
|
|
|
|
[[audits.bytecode-alliance.audits.hashbrown]]
|
|
who = "Chris Fallin <chris@cfallin.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.12.3 -> 0.13.1"
|
|
notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."
|
|
|
|
[[audits.bytecode-alliance.audits.hashbrown]]
|
|
who = "Trevor Elliott <telliott@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.13.1 -> 0.13.2"
|
|
notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did."
|
|
|
|
[[audits.bytecode-alliance.audits.httpdate]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
notes = "No unsafety, no io"
|
|
|
|
[[audits.bytecode-alliance.audits.matchers]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.memoffset]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.1 -> 0.8.0"
|
|
notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."
|
|
|
|
[[audits.bytecode-alliance.audits.pin-utils]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
|
|
[[audits.bytecode-alliance.audits.proc-macro2]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.51 -> 1.0.57"
|
|
|
|
[[audits.bytecode-alliance.audits.rustc-demangle]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.21"
|
|
notes = "I am the author of this crate."
|
|
|
|
[[audits.bytecode-alliance.audits.sha2]]
|
|
who = "Benjamin Bouvier <public@benj.me>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.9 -> 0.10.2"
|
|
notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage."
|
|
|
|
[[audits.bytecode-alliance.audits.tempfile]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "3.3.0 -> 3.5.0"
|
|
|
|
[[audits.bytecode-alliance.audits.tinyvec]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.0"
|
|
notes = """
|
|
This crate, while it implements collections, does so without `std::*` APIs and
|
|
without `unsafe`. Skimming the crate everything looks reasonable and what one
|
|
would expect from idiomatic safe collections in Rust.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.tinyvec_macros]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = """
|
|
This is a trivial crate which only contains a singular macro definition which is
|
|
intended to multiplex across the internal representation of a tinyvec,
|
|
presumably. This trivially doesn't contain anything bad.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.try-lock]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"
|
|
|
|
[[audits.bytecode-alliance.audits.unicode-normalization]]
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.19"
|
|
notes = """
|
|
This crate contains one usage of `unsafe` which I have manually checked to see
|
|
it as correct. This crate's size comes in large part due to the generated
|
|
unicode tables that it contains. This crate is additionally widely used
|
|
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
|
|
and nothing suspicious.
|
|
"""
|
|
|
|
[[audits.bytecode-alliance.audits.want]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.bytecode-alliance.audits.windows-sys]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows-sys]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.42.0 -> 0.45.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows-targets]]
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.1"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves. Additionally, this particular crate is empty and just collects a bunch of dependencies, which are not exported, so I don't understand why it exists at all."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_aarch64_gnullvm]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_aarch64_msvc]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_i686_gnu]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_i686_msvc]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_x86_64_gnu]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_x86_64_gnullvm]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.bytecode-alliance.audits.windows_x86_64_msvc]]
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.42.0"
|
|
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
|
|
|
|
[[audits.embark-studios.audits.anyhow]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.58"
|
|
|
|
[[audits.embark-studios.audits.epaint]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
violation = "<0.20.0"
|
|
notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321"
|
|
|
|
[[audits.embark-studios.audits.tap]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
notes = "No unsafe usage or ambient capabilities"
|
|
|
|
[[audits.embark-studios.audits.thiserror]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.thiserror-impl]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.40"
|
|
notes = "Found no unsafe or ambient capabilities used"
|
|
|
|
[[audits.embark-studios.audits.toml_datetime]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.1 -> 0.6.2"
|
|
notes = "No notable changes"
|
|
|
|
[[audits.embark-studios.audits.valuable]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = "No unsafe usage or ambient capabilities, sane build script"
|
|
|
|
[[audits.google.audits.fastrand]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.0"
|
|
notes = """
|
|
`does-not-implement-crypto` is certified because this crate explicitly says
|
|
that the RNG here is not cryptographically secure.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.version_check]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Tim Geoghegan <timg@letsencrypt.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.0 -> 0.21.1"
|
|
|
|
[[audits.isrg.audits.base64]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.21.1 -> 0.21.2"
|
|
|
|
[[audits.isrg.audits.block-buffer]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.isrg.audits.crunchy]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.2"
|
|
|
|
[[audits.isrg.audits.either]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.1"
|
|
|
|
[[audits.isrg.audits.opaque-debug]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.isrg.audits.rayon]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
|
|
[[audits.isrg.audits.rayon-core]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.10.2 -> 1.11.0"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.152 -> 1.0.153"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.153 -> 1.0.154"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.154 -> 1.0.155"
|
|
|
|
[[audits.isrg.audits.serde]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.156 -> 1.0.159"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.152 -> 1.0.153"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.153 -> 1.0.154"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.154 -> 1.0.155"
|
|
|
|
[[audits.isrg.audits.serde_derive]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.156 -> 1.0.159"
|
|
|
|
[[audits.isrg.audits.serde_json]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.93 -> 1.0.94"
|
|
|
|
[[audits.isrg.audits.serde_json]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.94 -> 1.0.95"
|
|
|
|
[[audits.isrg.audits.syn]]
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.104 -> 2.0.11"
|
|
|
|
[[audits.isrg.audits.unicode-ident]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.2 -> 1.0.3"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
|
|
[[audits.isrg.audits.untrusted]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
|
|
[[audits.isrg.audits.wasm-bindgen-shared]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.83"
|
|
|
|
[[audits.mozilla.audits.aho-corasick]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.18 -> 0.7.20"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.57 -> 1.0.61"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.58 -> 1.0.57"
|
|
notes = "No functional differences, just CI config and docs."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.61 -> 1.0.62"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.anyhow]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.62 -> 1.0.68"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.autocfg]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.2"
|
|
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.2 -> 0.5.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-vec]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.block-buffer]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.2 -> 0.10.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bytes]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.2.1 -> 1.3.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-channel]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.7 -> 0.5.8"
|
|
notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-epoch]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.8 -> 0.9.10"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-epoch]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.10 -> 0.9.13"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-utils]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.8 -> 0.8.11"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crossbeam-utils]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.11 -> 0.8.14"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.digest]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.3 -> 0.10.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fnv]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.7"
|
|
notes = "Simple hasher implementation with no unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-task]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.21 -> 0.3.23"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.futures-task]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.23 -> 0.3.25"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.getrandom]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.7 -> 0.2.8"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hashbrown]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.3"
|
|
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hex]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.indexmap]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.1 -> 1.9.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.itoa]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.2 -> 1.0.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.itoa]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.3 -> 1.0.5"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.lazy_static]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = "I have read over the macros, and audited the unsafe code."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.mach2]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memoffset]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.5 -> 0.7.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.miniz_oxide]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.3 -> 0.6.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nom]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "7.1.1 -> 7.1.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-bigint]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-integer]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.45"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-traits]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.15"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num_cpus]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.13.1 -> 1.14.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ppv-lite86]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.16 -> 0.2.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.39"
|
|
notes = """
|
|
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
|
|
`proc_macro` crate, or as a fallback implementation of the crate, depending on
|
|
where it is used.
|
|
|
|
If using this crate on older versions of rustc (1.56 and earlier), it will
|
|
temporarily replace the panic handler while initializing in order to detect if
|
|
it is running within a `proc_macro`, which could lead to surprising behaviour.
|
|
This should not be an issue for more recent compiler versions, which support
|
|
`proc_macro::is_available()`.
|
|
|
|
The `proc-macro2` crate's fallback behaviour is not identical to the complex
|
|
behaviour of the rustc compiler (e.g. it does not perform unicode normalization
|
|
for identifiers), however it behaves well enough for its intended use-case
|
|
(tests and scripts processing rust code).
|
|
|
|
`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
|
|
allow bypassing checks in the fallback implementation when constructing
|
|
`Literal` using `from_str_unchecked`. This was intended to only be used by the
|
|
`quote!` macro, however it has been removed
|
|
(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
|
|
and is likely completely unused. Even when used, this API shouldn't be able to
|
|
cause unsoundness.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.39 -> 1.0.43"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.43 -> 1.0.49"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.proc-macro2]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.57 -> 1.0.59"
|
|
notes = "Enabled on Wasm"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.18"
|
|
notes = """
|
|
`quote` is a utility crate used by proc-macros to generate TokenStreams
|
|
conveniently from source code. The bulk of the logic is some complex
|
|
interlocking `macro_rules!` macros which are used to parse and build the
|
|
`TokenStream` within the proc-macro.
|
|
|
|
This crate contains no unsafe code, and the internal logic, while difficult to
|
|
read, is generally straightforward. I have audited the the quote macros, ident
|
|
formatter, and runtime logic.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.18 -> 1.0.21"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.21 -> 1.0.23"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.5.3"
|
|
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.5.3 -> 1.6.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon-core]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.3"
|
|
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.3 -> 1.10.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rayon-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.10.1 -> 1.10.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.regex]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.0 -> 1.7.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.regex-syntax]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.27 -> 0.6.28"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.ryu]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.11 -> 1.0.12"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.143 -> 1.0.144"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.144 -> 1.0.151"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.151 -> 1.0.152"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.143 -> 1.0.144"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.144 -> 1.0.151"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_derive]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.151 -> 1.0.152"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.81 -> 1.0.83"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.83 -> 1.0.85"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.85 -> 1.0.91"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.serde_json]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.91 -> 1.0.93"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.sha2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.2 -> 0.10.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.typenum]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.15.0 -> 1.16.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-ident]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.3 -> 1.0.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.1.21"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.21 -> 0.1.22"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|