# cargo-vet imports lock
|
|
|
|
# `unpublished` entries: the workspace carries `version`, which is not on
# crates.io yet, and cargo-vet checks it against audits as if it were the
# published release named in `audited_as`. Changes made between those two
# versions are not covered by that check.
[[unpublished.tower-batch-control]]
|
|
version = "0.2.41-beta.16"
|
|
audited_as = "0.2.41-beta.15"
|
|
|
|
[[unpublished.tower-fallback]]
|
|
version = "0.2.41-beta.16"
|
|
audited_as = "0.2.41-beta.15"
|
|
|
|
[[unpublished.zebra-chain]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-consensus]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-grpc]]
|
|
version = "0.1.0-alpha.7"
|
|
audited_as = "0.1.0-alpha.6"
|
|
|
|
[[unpublished.zebra-network]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-node-services]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-rpc]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-scan]]
|
|
version = "0.1.0-alpha.9"
|
|
audited_as = "0.1.0-alpha.7"
|
|
|
|
[[unpublished.zebra-script]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-state]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
[[unpublished.zebra-utils]]
|
|
version = "1.0.0-beta.40"
|
|
audited_as = "1.0.0-beta.39"
|
|
|
|
# NOTE(review): widest gap in the `unpublished` section. 2.0.0-rc.0 is vetted
# as 1.9.0, a major-version step, where the other entries step back one or two
# pre-releases.
[[unpublished.zebrad]]
|
|
version = "2.0.0-rc.0"
|
|
audited_as = "1.9.0"
|
|
|
|
# `publisher` entries cache who published `version` on crates.io and when.
# cargo-vet uses them for trusted-publisher and wildcard audits, so for these
# crates trust rests on the publishing account (`user-id`) rather than on a
# recorded review of this specific release.
[[publisher.cexpr]]
|
|
version = "0.6.0"
|
|
when = "2021-10-11"
|
|
user-id = 3788
|
|
user-login = "emilio"
|
|
user-name = "Emilio Cobos Álvarez"
|
|
|
|
[[publisher.clap]]
|
|
version = "4.5.20"
|
|
when = "2024-10-08"
|
|
user-id = 6743
|
|
user-login = "epage"
|
|
user-name = "Ed Page"
|
|
|
|
[[publisher.clap_builder]]
|
|
version = "4.5.20"
|
|
when = "2024-10-08"
|
|
user-id = 6743
|
|
user-login = "epage"
|
|
user-name = "Ed Page"
|
|
|
|
[[publisher.clap_derive]]
|
|
version = "4.5.18"
|
|
when = "2024-09-20"
|
|
user-id = 6743
|
|
user-login = "epage"
|
|
user-name = "Ed Page"
|
|
|
|
[[publisher.core-foundation]]
|
|
version = "0.9.3"
|
|
when = "2022-02-07"
|
|
user-id = 5946
|
|
user-login = "jrmuizel"
|
|
user-name = "Jeff Muizelaar"
|
|
|
|
[[publisher.encoding_rs]]
|
|
version = "0.8.34"
|
|
when = "2024-04-10"
|
|
user-id = 4484
|
|
user-login = "hsivonen"
|
|
user-name = "Henri Sivonen"
|
|
|
|
[[publisher.serde_json]]
|
|
version = "1.0.132"
|
|
when = "2024-10-19"
|
|
user-id = 3618
|
|
user-login = "dtolnay"
|
|
user-name = "David Tolnay"
|
|
|
|
[[publisher.syn]]
|
|
version = "1.0.109"
|
|
when = "2023-02-24"
|
|
user-id = 3618
|
|
user-login = "dtolnay"
|
|
user-name = "David Tolnay"
|
|
|
|
[[publisher.syn]]
|
|
version = "2.0.82"
|
|
when = "2024-10-20"
|
|
user-id = 3618
|
|
user-login = "dtolnay"
|
|
user-name = "David Tolnay"
|
|
|
|
[[publisher.tokio]]
|
|
version = "1.41.0"
|
|
when = "2024-10-22"
|
|
user-id = 6741
|
|
user-login = "Darksonn"
|
|
user-name = "Alice Ryhl"
|
|
|
|
[[publisher.unicode-normalization]]
|
|
version = "0.1.23"
|
|
when = "2024-02-20"
|
|
user-id = 1139
|
|
user-login = "Manishearth"
|
|
user-name = "Manish Goregaokar"
|
|
|
|
[[publisher.unicode-segmentation]]
|
|
version = "1.11.0"
|
|
when = "2024-02-07"
|
|
user-id = 1139
|
|
user-login = "Manishearth"
|
|
user-name = "Manish Goregaokar"
|
|
|
|
# `audits.google` entries are third-party audits imported from the source named
# in `aggregated-from`; `who`, `criteria` and `notes` are as asserted upstream.
# Several notes below cite Google-internal documents (go/ links), so that part
# of the reasoning cannot be checked from this file.
[[audits.google.audits.adler]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
notes = '''
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits (except in comments and in the `README.md` file).
|
|
|
|
Note that some additional, internal notes about an older version of this crate
|
|
can be found at go/image-crate-chromium-security-review.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream]]
|
|
who = "Tyler Mandry <tmandry@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.4"
|
|
notes = "Reviewed on https://fxrev.dev/761470"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.4 -> 0.3.5"
|
|
notes = "Reviewed on https://fxrev.dev/906795"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream-impl]]
|
|
who = "Tyler Mandry <tmandry@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.4"
|
|
notes = "Reviewed on https://fxrev.dev/761470"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.async-stream-impl]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.4 -> 0.3.5"
|
|
notes = "Reviewed on https://fxrev.dev/906795"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.autocfg]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and there were no hits except for reasonable, client-controlled usage of
|
|
`std::fs` in `AutoCfg::with_dir`.
|
|
|
|
This crate has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
|
|
The CL description contains a link to a Google-internal document with audit details.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.autocfg]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.1.0 -> 1.2.0"
|
|
notes = '''
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and nothing changed from the baseline audit of 1.1.0. Skimmed through the
|
|
1.1.0 => 1.2.0 delta and everything seemed okay.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.base64]]
|
|
who = "Adam Langley <agl@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.13.1"
|
|
notes = "Skimmed the uses of `std` to ensure that nothing untoward is happening. Code uses `forbid(unsafe_code)` and, indeed, there are no uses of `unsafe`"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.3.2"
|
|
notes = """
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
The crate exposes a function marked as `unsafe`, but doesn't use any
|
|
`unsafe` blocks (except for tests of the single `unsafe` function). I
|
|
think this justifies marking this crate as `ub-risk-1`.
|
|
|
|
Additional review comments can be found at https://crrev.com/c/4723145/31
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "2.4.2"
|
|
notes = """
|
|
Audit notes:
|
|
|
|
* I've checked for any discussion in Google-internal cl/546819168 (where audit
|
|
of version 2.3.3 happened)
|
|
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
|
|
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
|
|
correct in a straightforward way - they just propagate the marker trait's
|
|
impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type
|
|
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.4.2 -> 2.5.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.5.0 -> 2.6.0"
|
|
notes = "The changes from the previous version are negligible and thus it retains the same properties."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
# Certifies 1.16.3 only. Per the notes, the original 1.14.3 review missed a UB
# risk that was fixed in 1.16.2, so a bytemuck older than that is not covered
# by this entry.
[[audits.google.audits.bytemuck]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.16.3"
|
|
notes = """
|
|
Review notes from the original audit (of 1.14.3) may be found in
|
|
https://crrev.com/c/5362675. Note that this audit has initially missed UB risk
|
|
that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258.
|
|
Because of this, the original audit has been edited to certify version `1.16.3`
|
|
instead (see also https://crrev.com/c/5771867).
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.byteorder]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.5.0"
|
|
notes = "Unsafe review in https://crrev.com/c/5838022"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
# `safe-to-run` is a weaker bar than `safe-to-deploy`, so this entry does not
# satisfy a `safe-to-deploy` requirement. No review notes are recorded.
[[audits.google.audits.cast]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.3.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.cfg-if]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.crc32fast]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.2"
|
|
notes = """
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.equivalent]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.fastrand]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.9.0"
|
|
notes = """
|
|
`does-not-implement-crypto` is certified because this crate explicitly says
|
|
that the RNG here is not cryptographically secure.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
# Partial audit: per the notes, code behind the `any_zlib` feature was not
# reviewed, and all `unsafe` in the crate sits behind that feature. The
# certification only fits builds that leave `any_zlib` off; check this
# workspace with `cargo tree -e features -i flate2`.
# NOTE(review): "Chromium does use the `any_zlib` feature(s)" contradicts the
# `ban_features` sentence that follows it; presumably "does not use" was
# meant. Confirm against the upstream audits.toml.
[[audits.google.audits.flate2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.30"
|
|
notes = '''
|
|
WARNING: This certification is a result of a **partial** audit. The
|
|
`any_zlib` code has **not** been audited. Ability to track partial
|
|
audits is tracked in https://github.com/mozilla/cargo-vet/issues/380
|
|
Chromium does use the `any_zlib` feature(s). Accidentally depending on
|
|
this feature in the future is prevented using the `ban_features` feature
|
|
of `gnrt` - see:
|
|
https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml
|
|
|
|
Security review of earlier versions of the crate can be found at
|
|
(Google-internal, sorry): go/image-crate-chromium-security-review
|
|
|
|
I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
|
|
|
|
All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`:
|
|
|
|
* The code under `src/ffi/...` will not be used because the `mod c`
|
|
declaration in `src/ffi/mod.rs` depends on the `any_zlib` config
|
|
* 7 uses of `unsafe` in `src/mem.rs` also all depend on the
|
|
`any_zlib` config:
|
|
- 2 in `fn set_dictionary` (under `impl Compress`)
|
|
- 2 in `fn set_level` (under `impl Compress`)
|
|
- 3 in `fn set_dictionary` (under `impl Decompress`)
|
|
|
|
All hits of `'\bfs\b'` are in comments, or example code, or test code
|
|
(but not in product code).
|
|
|
|
There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.futures]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.28"
|
|
notes = """
|
|
`futures` has no logic other than tests - it simply `pub use`s things from
|
|
other crates.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.glob]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.httpdate]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.3"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
# NOTE(review): `who` is a team label rather than a named reviewer, the bar is
# `safe-to-run` (weaker than `safe-to-deploy`), and no notes are recorded.
[[audits.google.audits.itertools]]
|
|
who = "ChromeOS"
|
|
criteria = "safe-to-run"
|
|
version = "0.10.5"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itoa]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.10"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
There are a few places where `unsafe` is used. Unsafe review notes can be found
|
|
in https://crrev.com/c/5350697.
|
|
|
|
Version 1.0.1 of this crate has been added to Chromium in
|
|
https://crrev.com/c/3321896.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.itoa]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.10 -> 1.0.11"
|
|
notes = """
|
|
Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits:
|
|
|
|
* Bumping up the version
|
|
* A touch up of comments
|
|
* And my own PR to make `unsafe` blocks more granular:
|
|
https://github.com/dtolnay/itoa/pull/42
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.lazy_static]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
There are two places where `unsafe` is used. Unsafe review notes can be found
|
|
in https://crrev.com/c/5347418.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3321895.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.lazy_static]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.4.0 -> 1.5.0"
|
|
notes = "Unsafe review notes: https://crrev.com/c/5650836"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.miniz_oxide]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.4"
|
|
notes = '''
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits, except for some mentions of "unsafe" in the `README.md`
|
|
and in a comment in `src/deflate/core.rs`. The comment discusses whether a
|
|
function should be treated as unsafe, but there is no actual `unsafe` code, so
|
|
the crate meets the `ub-risk-0` criteria.
|
|
|
|
Note that some additional, internal notes about an older version of this crate
|
|
can be found at go/image-crate-chromium-security-review.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.nom]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "7.1.3"
|
|
notes = """
|
|
Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.number_prefix]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.9"
|
|
notes = "Reviewed on https://fxrev.dev/824504"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.pin-project-lite]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.9 -> 0.2.13"
|
|
notes = "Audited at https://fxrev.dev/946396"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro-error-attr]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.78"
|
|
notes = """
|
|
Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
|
(except for a benign \"fs\" hit in a doc comment)
|
|
|
|
Notes from the `unsafe` review can be found in https://crrev.com/c/5385745.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.78 -> 1.0.79"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.79 -> 1.0.80"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.80 -> 1.0.81"
|
|
notes = "Comment changes only"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.81 -> 1.0.82"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.82 -> 1.0.83"
|
|
notes = "Substantive change is replacing String with Box<str>, saving memory."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.83 -> 1.0.84"
|
|
notes = "Only doc comment changes in `src/lib.rs`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.84 -> 1.0.85"
|
|
notes = "Test-only changes."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.proc-macro2]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.85 -> 1.0.86"
|
|
notes = """
|
|
Comment-only changes in `build.rs`.
|
|
Reordering of `Cargo.toml` entries.
|
|
Just bumping up the version number in `lib.rs`.
|
|
Config-related changes in `test_size.rs`.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.35"
|
|
notes = """
|
|
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
|
|
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.35 -> 1.0.36"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.quote]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.36 -> 1.0.37"
|
|
notes = """
|
|
The delta just 1) inlines/expands `impl ToTokens` that used to be handled via
|
|
`primitive!` macro and 2) adds `impl ToTokens` for `CStr` and `CString`.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.14"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
and there were no hits except for:
|
|
|
|
* Using trivially-safe `unsafe` in test code:
|
|
|
|
```
|
|
tests/test_const.rs:unsafe fn _unsafe() {}
|
|
tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() };
|
|
```
|
|
|
|
* Using `unsafe` in a string:
|
|
|
|
```
|
|
src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe,
|
|
```
|
|
|
|
* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr`
|
|
which is later read back via `include!` used in `src/lib.rs`.
|
|
|
|
Version `1.0.6` of this crate has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.14 -> 1.0.15"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.15 -> 1.0.16"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.rustversion]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.16 -> 1.0.17"
|
|
notes = "Just updates windows compat"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
# NOTE(review): `who` is "Android Legacy" rather than a named reviewer, the bar
# is `safe-to-run` (weaker than `safe-to-deploy`), and no notes are recorded.
[[audits.google.audits.same-file]]
|
|
who = "Android Legacy"
|
|
criteria = "safe-to-run"
|
|
version = "1.0.6"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.197"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
|
|
|
|
There were some hits for `net`, but they were related to serialization and
|
|
not actually opening any connections or anything like that.
|
|
|
|
There were 2 hits of `unsafe` when grepping:
|
|
* In `fn as_str` in `impl Buf`
|
|
* In `fn serialize` in `impl Serialize for net::Ipv4Addr`
|
|
|
|
Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this
|
|
review also covered `serde_json_lenient`).
|
|
|
|
Version 1.0.130 of the crate has been added to Chromium in
|
|
https://crrev.com/c/3265545. The CL description contains a link to a
|
|
(Google-internal, sorry) document with a mini security review.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.197 -> 1.0.198"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.198 -> 1.0.201"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.201 -> 1.0.202"
|
|
notes = "Trivial changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.202 -> 1.0.203"
|
|
notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.203 -> 1.0.204"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.204 -> 1.0.207"
|
|
notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`."
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.207 -> 1.0.209"
|
|
notes = """
|
|
The delta carries fairly small changes in `src/private/de.rs` and
|
|
`src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the
|
|
delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts
|
|
of the crate (in `src/de/format.rs` and `src/ser/impls.rs`).
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.209 -> 1.0.210"
|
|
notes = "Almost no new code - just feature rearrangement"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
# serde_derive is a proc-macro crate, so its code runs inside the compiler at
# build time. The review recorded for this version is a keyword grep (see
# `notes`), not a line-by-line read.
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.197"
|
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "danakj <danakj@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.197 -> 1.0.201"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.201 -> 1.0.202"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.202 -> 1.0.203"
|
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.203 -> 1.0.204"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.204 -> 1.0.207"
|
|
notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits'
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.207 -> 1.0.209"
|
|
notes = '''
|
|
There are no code changes in this delta - see https://crrev.com/c/5812194/2..5
|
|
|
|
I've nevertheless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`,
|
|
`\bnet\b`, and `\bunsafe\b`. There were no hits.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.serde_derive]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.209 -> 1.0.210"
|
|
notes = "Almost no new code - just feature rearrangement"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.static_assertions]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits except for one `unsafe`.
|
|
|
|
The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code
|
|
never runs) and is only introduced for some compile-time checks. Additional
|
|
unsafe review comments can be found in https://crrev.com/c/5353376.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3736562. The CL
|
|
description contains a link to a document with an additional security review.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.strsim]]
|
|
who = "danakj@chromium.org"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.10.0"
|
|
notes = """
|
|
Reviewed in https://crrev.com/c/5171063
|
|
|
|
Previously reviewed during security review and the audit is grandparented in.
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
# Certified only as safe-to-run, the weaker of cargo-vet's two built-in
# criteria (safe-to-deploy implies safe-to-run, not the reverse). This entry
# cannot satisfy a safe-to-deploy requirement on its own; if tinytemplate is
# reachable from a shipped build, it needs a separate safe-to-deploy audit or
# an explicit exemption.
[[audits.google.audits.tinytemplate]]
|
|
who = "Ying Hsu <yinghsu@chromium.org>"
|
|
criteria = "safe-to-run"
|
|
version = "1.2.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.0"
|
|
notes = """
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
|
|
and there were no hits except for some \"unsafe\" appearing in comments:
|
|
|
|
```
|
|
src/arrayvec.rs: // Note: This shouldn't use A::CAPACITY, because unsafe code can't rely on
|
|
src/lib.rs://! All of this is done with no `unsafe` code within the crate. Technically the
|
|
src/lib.rs://! `Vec` type from the standard library uses `unsafe` internally, but *this
|
|
src/lib.rs://! crate* introduces no new `unsafe` code into your project.
|
|
src/array.rs:/// Just a reminder: this trait is 100% safe, which means that `unsafe` code
|
|
```
|
|
|
|
This crate has been added to Chromium in
|
|
https://source.chromium.org/chromium/chromium/src/+/24773c33e1b7a1b5069b9399fd034375995f290b
|
|
"""
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.0 -> 1.6.1"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.6.1 -> 1.7.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec]]
|
|
who = "Dustin J. Mitchell <djmitche@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.0 -> 1.8.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tinyvec_macros]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tokio-stream]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.11"
|
|
notes = "Reviewed on https://fxrev.dev/804724"
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.tokio-stream]]
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.11 -> 0.1.14"
|
|
notes = "Reviewed on https://fxrev.dev/907732."
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.unicode-ident]]
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.12"
|
|
notes = '''
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
Both functions from the public API of this crate use `unsafe` to avoid bound
|
|
checks for an array access. Cross-module analysis shows that the offsets can
|
|
be statically proven to be within array bounds. More details can be found in
|
|
the unsafe review CL at https://crrev.com/c/5350386.
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3891618.
|
|
'''
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.unicode-xid]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.version_check]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.void]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
# Wildcard audit imported from Mozilla: rather than pinning one version, it
# vouches for every cexpr release that the crates.io account in `user-id`
# published between `start` and `end`. Releases published after `end`, or by
# a different account, are not covered by this entry and need their own audit
# or exemption.
[[audits.mozilla.wildcard-audits.cexpr]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 3788 # Emilio Cobos Álvarez (emilio)
|
|
start = "2021-06-21"
|
|
end = "2024-04-21"
|
|
notes = "No unsafe code, rather straight-forward parser."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
# Wildcard audit: covers core-foundation releases published by the crates.io
# account in `user-id` between `start` and `end`. The auditor in `who` is a
# different person from the publisher named in the `user-id` comment.
# `renew = false` opts this entry out of cargo-vet's expiry reminders and
# renewal, so releases published after `end` stay uncovered by this entry.
[[audits.mozilla.wildcard-audits.core-foundation]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 5946 # Jeff Muizelaar (jrmuizel)
|
|
start = "2019-03-29"
|
|
end = "2023-05-04"
|
|
renew = false
|
|
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
# Wildcard audit written by the crate's own author, covering encoding_rs
# releases published by the account in `user-id` between `start` and `end`.
# The notes carry two open caveats (behaviour documented as UB, and the code
# that reinterprets integer buffers as SIMD vectors), each tracked in the
# linked upstream issue. Read them before treating this entry as an
# unconditional safe-to-deploy certification.
[[audits.mozilla.wildcard-audits.encoding_rs]]
|
|
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 4484 # Henri Sivonen (hsivonen)
|
|
start = "2019-02-26"
|
|
end = "2024-08-28"
|
|
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
# Wildcard audit: vouches for unicode-normalization releases published by the
# crates.io account in `user-id` between `start` and `end`, on the basis given
# in `notes` (the publisher wrote or reviewed all code). Releases published
# after `end` are not covered by this entry.
[[audits.mozilla.wildcard-audits.unicode-normalization]]
|
|
who = "Manish Goregaokar <manishsmail@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 1139 # Manish Goregaokar (Manishearth)
|
|
start = "2019-11-06"
|
|
end = "2024-05-03"
|
|
notes = "All code written or reviewed by Manish"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
# Wildcard audit: vouches for unicode-segmentation releases published by the
# crates.io account in `user-id` between `start` and `end`, on the basis given
# in `notes` (the publisher wrote or reviewed all code). Releases published
# after `end` are not covered by this entry.
[[audits.mozilla.wildcard-audits.unicode-segmentation]]
|
|
who = "Manish Goregaokar <manishsmail@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
user-id = 1139 # Manish Goregaokar (Manishearth)
|
|
start = "2019-05-15"
|
|
end = "2024-05-03"
|
|
notes = "All code written or reviewed by Manish"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.allocator-api2]]
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.18"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.2 -> 0.1.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.4 -> 0.1.5"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.59.2"
|
|
notes = "I'm the primary author and maintainer of the crate."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.59.2 -> 0.63.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.63.0 -> 0.64.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.64.0 -> 0.66.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.66.1 -> 0.68.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Andreas Pehrson <apehrson@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.68.1 -> 0.69.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.69.1 -> 0.69.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bindgen]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.69.2 -> 0.69.4"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.2"
|
|
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode, no known issues."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.2 -> 0.5.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-vec]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.cfg_aliases]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.1 -> 0.2.1"
|
|
notes = "Very minor changes."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.core-foundation]]
|
|
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.9.3 -> 0.9.4"
|
|
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.debugid]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.8.0"
|
|
notes = "This crate was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.deranged]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.11"
|
|
notes = """
|
|
This crate contains a decent bit of `unsafe` code, however all internal
|
|
unsafety is verified with copious assertions (many are compile-time), and
|
|
otherwise the unsafety is documented and left to the caller to verify.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.document-features]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.8"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.9.0 -> 2.0.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.1 -> 2.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fnv]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.7"
|
|
notes = "Simple hasher implementation with no unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.form_urlencoded]]
|
|
who = "Valentin Gosu <valentin.gosu@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.2.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.form_urlencoded]]
|
|
who = "Valentin Gosu <valentin.gosu@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.2.0 -> 1.2.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hashbrown]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.3"
|
|
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hex]]
|
|
who = "Simon Friedberger <simon@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.linked-hash-map]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.4"
|
|
notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.linked-hash-map]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.5.4 -> 0.5.6"
|
|
notes = "New unsafe code has debug assertions and meets invariants. All other changes are formatting-related."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.litrs]]
|
|
who = "Erich Gubler <erichdongubler@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.17 -> 0.4.18"
|
|
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Kagami Sascha Rosylight <krosylight@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.18 -> 0.4.20"
|
|
notes = "Only cfg attribute and internal macro changes and module refactorings"
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nix]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.15.0 -> 0.25.0"
|
|
notes = "Plenty of new bindings but also several important bug fixes (including buffer overflows). New unsafe sections are restricted to wrappers and are no more dangerous than calling the C functions."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nix]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.25.0 -> 0.25.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nix]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.25.1 -> 0.26.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nix]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.26.2 -> 0.27.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nix]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.27.1 -> 0.28.0"
|
|
notes = """
|
|
Many new features and bugfixes. Obviously there's a lot of unsafe code calling
|
|
libc, but the usage looks correct.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.nix]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.28.0 -> 0.29.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-conv]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = """
|
|
Very straightforward, simple crate. No dependencies, unsafe, extern,
|
|
side-effectful std functions, etc.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.powerfmt]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.0"
|
|
notes = """
|
|
A tiny bit of unsafe code to implement functionality that isn't in stable rust
|
|
yet, but it's all valid. Otherwise it's a pretty simple crate.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.rustc-hash]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.strsim]]
|
|
who = "Ben Dean-Kawamura <bdk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.10.0 -> 0.11.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.synstructure]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.6"
|
|
notes = """
|
|
I am the primary author of the `synstructure` crate, and its current
|
|
maintainer. The one use of `unsafe` is unnecessary, but documented and
|
|
harmless. It will be removed in the next version.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.0 -> 0.1.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-core]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.1 -> 0.1.2"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-macros]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-macros]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.6 -> 0.2.10"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.time-macros]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.10 -> 0.2.18"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.tracing-core]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.30"
|
|
notes = """
|
|
Most unsafe code is in implementing non-std sync primitives. Unsafe impls are
|
|
logically correct and justified in comments, and unsafe code is sound and
|
|
justified in comments.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.zerocopy]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.32"
|
|
notes = """
|
|
This crate is `no_std` so doesn't use any side-effectful std functions. It
|
|
contains quite a lot of `unsafe` code, however. I verified portions of this. It
|
|
also has a large, thorough test suite. The project claims to run tests with
|
|
Miri to have stronger soundness checks, and also claims to use formal
|
|
verification tools to prove correctness.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.zerocopy-derive]]
|
|
who = "Alex Franchuk <afranchuk@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.32"
|
|
notes = "Clean, safe macros for zerocopy."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.autocfg]]
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.2.0 -> 1.3.0"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.bip32]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.1"
|
|
notes = """
|
|
- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`.
|
|
- Crate has no powerful imports. Only filesystem access is via `include_str!`, and is safe.
|
|
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.bytes]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.7.1 -> 1.7.2"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.fastrand]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.0.0 -> 2.0.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.fastrand]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "2.1.0 -> 2.1.1"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.futures]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.28 -> 0.3.30"
|
|
notes = "Only sub-crate updates and corresponding changes to tests."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.h2]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.3.26 -> 0.4.5"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.hyper-timeout]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.1 -> 0.5.1"
|
|
notes = "New uses of pin_project! look fine."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.hyper-util]]
|
|
who = "Jack Grigg <jack@electriccoin.co>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.5 -> 0.1.6"
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
[[audits.zcash.audits.inout]]
|
|
who = "Daira Hopwood <daira@jacaranda.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.3"
|
|
notes = "Reviewed in full."
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
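# Full audit of known-folders 1.0.1. The reviewer examined the `unsafe` FFI
# calls into `windows-sys` and recorded two non-blocking nits: the constness of
# the pointer returned by `ffi::Guard::as_pwstr`, and a code comment that says
# "bytes" where the length is counted in `WCHAR` values.
[[audits.zcash.audits.known-folders]]
who = "Jack Grigg <thestr4d@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = """
Uses `unsafe` blocks to interact with `windows-sys` crate.
- `SHGetKnownFolderPath` safety requirements are met.
- `CoTaskMemFree` has no effect if passed `NULL`, so there is no issue if some
future refactor created a pathway where `ffi::Guard` could be dropped before
`SHGetKnownFolderPath` is called.
- Small nit: `ffi::Guard::as_pwstr` takes `&self` but returns `PWSTR` which is
the mutable type; it should instead return `PCWSTR` which is the const type
(and what `lstrlenW` takes) instead of implicitly const-casting the pointer,
as this would better reflect the intent to take an immutable reference.
- The slice constructed from the `PWSTR` correctly goes out of scope before
`guard` is dropped.
- A code comment says that `path_ptr` is valid for `len` bytes, but `PCWSTR` is
a `*const u16` and `lstrlenW` returns its length \"in characters\" (which the
Windows documentation confirms means the number of `WCHAR` values). This is
likely a typo; the code checks that `len * size_of::<u16>() <= isize::MAX`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Delta audit: covers only the 1.0.1 -> 1.1.0 diff and builds on the full
# audit of 1.0.1 above. The note says the earlier review's points were
# addressed; it does not say which changes were inspected.
[[audits.zcash.audits.known-folders]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.1.0"
notes = "Addresses the notes from my previous review :)"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
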
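# Delta audit of the 0.4.20 -> 0.4.21 diff only; no notes recorded. Trust in
# 0.4.21 also needs an audit chain that reaches 0.4.20, which is not in this
# section.
[[audits.zcash.audits.log]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.4.20 -> 0.4.21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
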
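# Full audit of maybe-rayon 0.1.1. No notes recorded, so the scope of the
# review cannot be determined from this entry.
[[audits.zcash.audits.maybe-rayon]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
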
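# Delta audit of the 0.2.13 -> 0.2.14 diff only; no notes recorded. The audit
# covering the base version 0.2.13 is not in this section.
[[audits.zcash.audits.pin-project-lite]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
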
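# Full audit of rand_xorshift 0.3.0. No notes recorded, so the scope of the
# review cannot be determined from this entry.
[[audits.zcash.audits.rand_xorshift]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
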
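# Full audit of redjubjub 0.7.0 with an explicitly limited scope: the wrapped
# `reddsa` crate, the tests and the test vectors were not reviewed. The only
# `reddsa` code the note says was checked is its batch verification, compared
# against the protocol specification. `reddsa` therefore needs audit coverage
# of its own.
[[audits.zcash.audits.redjubjub]]
who = "Daira Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
version = "0.7.0"
notes = """
This crate is a thin wrapper around the `reddsa` crate, which I did not review. I also
did not review tests or verify test vectors.

The comment on `batch::Verifier::verify` has an error in the batch verification equation,
filed as https://github.com/ZcashFoundation/redjubjub/issues/163 . It does not affect the
implementation which just delegates to `reddsa`. `reddsa` has the same comment bug filed as
https://github.com/ZcashFoundation/reddsa/issues/52 , but its batch verification implementation
is correct. (I checked the latter against https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate
which has had previous cryptographic review by NCC group; see finding NCC-Zcash2018-009 in
https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf ).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
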
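# Full audit of rustc_version 0.4.0. Residual risk recorded by the auditor: the
# crate runs whichever compiler `$RUSTC` names, so the result is only as
# trustworthy as the build environment. Under `cargo` the variable is expected
# to be set correctly; builds that set `$RUSTC` from other input should treat
# that input as code-execution-sensitive.
[[audits.zcash.audits.rustc_version]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = """
Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can
choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will
try `$RUSTC` followed by `rustc`.

If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will
execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should
be set correctly by `cargo`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
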
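# Delta audit of the 0.26.0 -> 0.27.0 diff only; no notes recorded. The audit
# covering the base version 0.26.0 is not in this section.
[[audits.zcash.audits.secp256k1]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.26.0 -> 0.27.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
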
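# Full audit of signature 2.1.0. Scope limit stated by the auditor: whether
# implementing these traits carries undocumented cryptographic hazards was not
# reviewed, so this entry speaks to code safety, not to misuse resistance of
# the API.
[[audits.zcash.audits.signature]]
who = "Daira Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
version = "2.1.0"
notes = """
This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations.
I did not review whether implementing these APIs would present any undocumented cryptographic hazards.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Delta audit of the 2.1.0 -> 2.2.0 diff, building on the full audit above; no
# notes recorded.
[[audits.zcash.audits.signature]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
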
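# Delta audit of 0.1.2 -> 1.0.1. NOTE(review): the delta spans a major-version
# boundary and carries no notes, so what changed and what was inspected cannot
# be told from this entry. The audit covering the base version 0.1.2 is not in
# this section.
[[audits.zcash.audits.sync_wrapper]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.1.2 -> 1.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
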
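# Delta audits for thiserror and thiserror-impl, both covering the same
# 1.0.61 -> 1.0.63 range with no notes. The audits covering the base version
# 1.0.61 are not in this section.
[[audits.zcash.audits.thiserror]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.63"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.thiserror-impl]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.63"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
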
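# Delta audit of the 0.1.0 -> 0.1.1 diff; the note describes the change as
# adding `#![forbid(unsafe_code)]` and license files. The audit covering the
# base version 0.1.0 is not in this section.
[[audits.zcash.audits.tinyvec_macros]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
notes = "Adds `#![forbid(unsafe_code)]` and license files."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
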
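# Delta audit of the 0.1.14 -> 0.1.15 diff only; no notes recorded. The audit
# covering the base version 0.1.14 is not in this section.
[[audits.zcash.audits.tokio-stream]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.1.14 -> 0.1.15"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
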
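# NOTE(review): the two tonic deltas below are not contiguous. No
# 0.11.0 -> 0.12.0 audit for tonic appears under this import in this section,
# so a dependency on tonic 0.12.x needs that step (and the base 0.10.2 audit)
# from another entry or source.
[[audits.zcash.audits.tonic]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.11.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.tonic]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.12.0 -> 0.12.1"
notes = "Changes to generics bounds look fine"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
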
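# Three contiguous delta audits for tonic-build, 0.10.2 -> 0.11.0 -> 0.12.0 ->
# 0.12.1. None records notes, and the audit covering the base version 0.10.2
# is not in this section.
[[audits.zcash.audits.tonic-build]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.11.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.tonic-build]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.12.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.tonic-build]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.12.0 -> 0.12.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
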
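# Delta audit of tracing-core 0.1.30 -> 0.1.31. The note covers the one new
# `unsafe` block (an intentional leak of the global default dispatcher) and the
# invariant the reviewer checked for it: set at most once, never dropped. The
# audit covering the base version 0.1.30 is not in this section.
[[audits.zcash.audits.tracing-core]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.1.30 -> 0.1.31"
notes = """
The only new `unsafe` block is to intentionally leak a scoped subscriber onto
the heap when setting it as the global default dispatcher. I checked that the
global default can only be set once and is never dropped.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Follow-on delta audit, 0.1.31 -> 0.1.32; no notes recorded.
[[audits.zcash.audits.tracing-core]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.1.31 -> 0.1.32"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
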
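# Full audit of visibility 0.1.1. Per the note the crate is a proc macro with
# no `unsafe` code and no powerful imports.
[[audits.zcash.audits.visibility]]
who = "Kris Nuttycombe <kris@nutty.land>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = """
- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`.
- Crate has no powerful imports, and exclusively provides a proc macro
that safely malleates a visibility modifier.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
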
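# wagyu-zcash-parameters and the six crates suffixed `-1` to `-6` each carry a
# full audit at 0.2.0 by the same reviewer. None records notes, so what was
# examined in each crate cannot be determined from this file.
[[audits.zcash.audits.wagyu-zcash-parameters]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-1]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-2]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-3]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-4]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-5]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wagyu-zcash-parameters-6]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
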
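# Full audit of wasm-bindgen-macro-support 0.2.92. No notes recorded, so the
# scope of the review cannot be determined from this entry.
[[audits.zcash.audits.wasm-bindgen-macro-support]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
version = "0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
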
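# Delta audits for five zcash_* crates, all by the same reviewer and all
# aggregated from the librustzcash audits file. Each covers only the stated
# diff; the audits covering the base versions are not in this section.
[[audits.zcash.audits.zcash_address]]
who = "Kris Nuttycombe <kris@nutty.land>"
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.4.0"
notes = "This release contains no unsafe code and consists soley of added convenience methods."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.zcash_encoding]]
who = "Kris Nuttycombe <kris@nutty.land>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.1"
notes = "This release adds minor convenience methods and involves no unsafe code."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# No notes recorded for this delta.
[[audits.zcash.audits.zcash_keys]]
who = "Kris Nuttycombe <kris@nutty.land>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.3.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The note names a dependency swap (`hdwallet` replaced by `bip32`). This entry
# audits zcash_primitives only; `bip32` needs audit coverage of its own.
[[audits.zcash.audits.zcash_primitives]]
who = "Kris Nuttycombe <kris@nutty.land>"
criteria = "safe-to-deploy"
delta = "0.15.1 -> 0.16.0"
notes = "The primary change here is the switch from the `hdwallet` dependency to using `bip32`."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Per the note the diff is dependency updates only, so the assurance for this
# release rests on the audits of those dependencies.
[[audits.zcash.audits.zcash_proofs]]
who = "Kris Nuttycombe <kris@nutty.land>"
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.16.0"
notes = "This release involves only updates of previously-vetted dependencies."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
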
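# Delta audits for zerocopy and zerocopy-derive, both covering the same
# 0.7.32 -> 0.7.34 range with no notes. The audits covering the base version
# 0.7.32 are not in this section.
[[audits.zcash.audits.zerocopy]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.7.32 -> 0.7.34"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.zerocopy-derive]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.7.32 -> 0.7.34"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
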
[audits.zcashd.audits]
|