From 312a4b5876070f020eafeed2d5e8b7bf9890d83c Mon Sep 17 00:00:00 2001 From: "cargo-vet[bot]" Date: Wed, 6 Nov 2024 01:38:53 +0000 Subject: [PATCH] Aggregate new audits --- supply-chain/first-party-audits.toml | 8 +- supply-chain/third-party-audits.toml | 13974 +++++++++++++++---------- 2 files changed, 8416 insertions(+), 5566 deletions(-) diff --git a/supply-chain/first-party-audits.toml b/supply-chain/first-party-audits.toml index b84ea3d..96c8ed6 100644 --- a/supply-chain/first-party-audits.toml +++ b/supply-chain/first-party-audits.toml @@ -231,8 +231,8 @@ aggregated-from = "https://raw.githubusercontent.com/FerrisCraft/fc5-tool/main/s [[trusted.libc]] criteria = "safe-to-deploy" -user-id = 4333 -start = "2020-10-01" +user-id = 1 +start = "2019-03-29" end = "2024-09-12" aggregated-from = "https://raw.githubusercontent.com/FerrisCraft/fc5-tool/main/supply-chain/audits.toml" @@ -245,8 +245,8 @@ aggregated-from = "https://raw.githubusercontent.com/FerrisCraft/fc5-tool/main/s [[trusted.libc]] criteria = "safe-to-deploy" -user-id = 1 -start = "2019-03-29" +user-id = 4333 +start = "2020-10-01" end = "2024-09-12" aggregated-from = "https://raw.githubusercontent.com/FerrisCraft/fc5-tool/main/supply-chain/audits.toml" diff --git a/supply-chain/third-party-audits.toml b/supply-chain/third-party-audits.toml index 20a3ed2..98ff4c1 100644 --- a/supply-chain/third-party-audits.toml +++ b/supply-chain/third-party-audits.toml @@ -246,7 +246,7 @@ who = "John M. Schanck " criteria = "safe-to-deploy" user-id = 175410 start = "2022-11-15" -end = "2024-04-26" +end = "2025-09-25" notes = "Maintained by the CryptoEng team at Mozilla." aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", 
@@ -265,6 +265,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.breakpad-symbols]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 72814 +start = "2022-11-30" +end = "2025-02-28" +notes = "This crate is written and maintained by mozilla employees." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.bumpalo]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" @@ -273,6 +285,18 @@ start = "2019-03-16" end = "2025-07-30" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[wildcard-audits.cachemap2]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 106639 +start = "2023-03-21" +end = "2025-02-28" +notes = "This crate is written and solely maintained by a mozilla employee." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.cervo]] who = "Tom Solberg " criteria = "safe-to-deploy" 
@@ -348,6 +372,30 @@ end = "2024-05-23" notes = "Maintained by Embark. No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[wildcard-audits.clubcard]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +user-id = 175410 +start = "2024-10-01" +end = "2025-10-01" +notes = "Maintained by the CryptoEng team at Mozilla." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[wildcard-audits.clubcard-crlite]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +user-id = 175410 +start = "2024-10-01" +end = "2025-10-01" +notes = "Maintained by the CryptoEng team at Mozilla." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.cocoa]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -377,8 +425,8 @@ aggregated-from = [ [[wildcard-audits.cocoa-foundation]] who = "Bobby Holley " criteria = "safe-to-deploy" -user-id = 5946 -start = "2023-03-16" +user-id = 2396 +start = "2020-07-20" end = "2023-05-04" renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." @@ -390,8 +438,8 @@ aggregated-from = [ [[wildcard-audits.cocoa-foundation]] who = "Bobby Holley " criteria = "safe-to-deploy" -user-id = 2396 -start = "2020-07-20" +user-id = 5946 +start = "2023-03-16" end = "2023-05-04" renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." 
@@ -748,7 +796,7 @@ who = "Henri Sivonen " criteria = "safe-to-deploy" user-id = 4484 start = "2019-02-26" -end = "2024-08-28" +end = "2025-10-23" notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -779,6 +827,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.framehop]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 20227 +start = "2022-03-12" +end = "2025-02-28" +notes = "This crate is written and solely maintained by a mozilla employee." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.freetype]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -795,8 +855,8 @@ aggregated-from = [ [[wildcard-audits.gleam]] who = "Bobby Holley " criteria = "safe-to-deploy" -user-id = 2396 -start = "2019-03-18" +user-id = 1039 +start = "2019-03-01" end = "2023-05-04" renew = false notes = "All code written or reviewed by Mozilla." @@ -808,8 +868,8 @@ aggregated-from = [ [[wildcard-audits.gleam]] who = "Bobby Holley " criteria = "safe-to-deploy" -user-id = 5946 -start = "2023-04-21" +user-id = 2396 +start = "2019-03-18" end = "2023-05-04" renew = false notes = "All code written or reviewed by Mozilla." 
@@ -821,8 +881,8 @@ aggregated-from = [ [[wildcard-audits.gleam]] who = "Bobby Holley " criteria = "safe-to-deploy" -user-id = 1039 -start = "2019-03-01" +user-id = 5946 +start = "2023-04-21" end = "2023-05-04" renew = false notes = "All code written or reviewed by Mozilla." @@ -882,7 +942,7 @@ who = "Jamie Nicol " criteria = "safe-to-deploy" user-id = 84794 start = "2020-04-07" -end = "2024-04-25" +end = "2025-08-30" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", @@ -946,6 +1006,18 @@ end = "2024-05-23" notes = "Maintained by the Ark team at Embark" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[wildcard-audits.macho-unwind-info]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 20227 +start = "2022-01-31" +end = "2025-02-28" +notes = "This crate is written and solely maintained by a mozilla employee." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.marionette]] who = "Henrik Skupin " criteria = "safe-to-run" @@ -958,6 +1030,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.minidump]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 72814 +start = "2022-11-30" +end = "2025-02-28" +notes = "This crate is written and maintained by mozilla employees." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.minidump-common]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -970,6 +1054,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.minidump-unwind]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 72814 +start = "2023-05-17" +end = "2025-02-28" +notes = "This crate is written and maintained by mozilla employees." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.minidumper]] who = "Jake Shadle " criteria = "safe-to-deploy" @@ -1076,6 +1172,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.pe-unwind-info]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +user-id = 106639 +start = "2023-07-25" +end = "2025-02-28" +notes = "This crate is written and solely maintained by a mozilla employee." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.perchance]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -1170,6 +1278,15 @@ end = "2024-05-23" notes = "Maintained by Embark & emilk" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[wildcard-audits.pulley-interpreter]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 73222 +start = "2024-09-20" +end = "2025-09-25" +notes = "The Bytecode Alliance is the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[wildcard-audits.qcms]] who = "Jeff Muizelaar " criteria = "safe-to-deploy" 
@@ -1405,11 +1522,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi]] -who = "Jan-Erik Rediger " +who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" -user-id = 48 -start = "2022-05-05" -end = "2024-06-21" +user-id = 127697 +start = "2021-10-27" +end = "2024-12-11" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1417,11 +1534,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi]] -who = "Ben Dean-Kawamura " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -user-id = 127697 -start = "2021-10-27" -end = "2024-12-11" +user-id = 48 +start = "2022-05-05" +end = "2024-06-21" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1463,11 +1580,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_bindgen]] -who = "Jan-Erik Rediger " +who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" -user-id = 48 -start = "2022-05-05" -end = "2024-06-21" +user-id = 127697 +start = "2021-10-27" +end = "2024-12-11" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1475,11 +1592,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_bindgen]] -who = "Ben Dean-Kawamura " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -user-id = 127697 -start = "2021-10-27" -end = "2024-12-11" +user-id = 48 +start = "2022-05-05" +end = "2024-06-21" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", 
@@ -1521,11 +1638,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_build]] -who = "Jan-Erik Rediger " +who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" -user-id = 48 -start = "2022-05-05" -end = "2024-06-21" +user-id = 127697 +start = "2021-10-27" +end = "2024-12-11" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1533,11 +1650,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_build]] -who = "Ben Dean-Kawamura " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -user-id = 127697 -start = "2021-10-27" -end = "2024-12-11" +user-id = 48 +start = "2022-05-05" +end = "2024-06-21" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1578,18 +1695,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[wildcard-audits.uniffi_checksum_derive]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -user-id = 48 -start = "2022-12-16" -end = "2024-06-21" -notes = "Maintained by the Glean and Application Services teams" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[wildcard-audits.uniffi_checksum_derive]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" 
@@ -1614,6 +1719,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.uniffi_checksum_derive]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +user-id = 48 +start = "2022-12-16" +end = "2024-06-21" +notes = "Maintained by the Glean and Application Services teams" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.uniffi_checksum_derive]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -1636,18 +1753,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[wildcard-audits.uniffi_core]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -user-id = 48 -start = "2023-06-21" -end = "2024-06-21" -notes = "Maintained by the Glean and Application Services teams" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[wildcard-audits.uniffi_core]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" @@ -1672,6 +1777,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.uniffi_core]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +user-id = 48 +start = "2023-06-21" +end = "2024-06-21" +notes = "Maintained by the Glean and Application Services teams" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.uniffi_core]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" 
@@ -1695,11 +1812,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_macros]] -who = "Jan-Erik Rediger " +who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" -user-id = 48 -start = "2022-05-05" -end = "2024-06-21" +user-id = 127697 +start = "2021-10-27" +end = "2024-12-11" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1707,11 +1824,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_macros]] -who = "Ben Dean-Kawamura " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -user-id = 127697 -start = "2021-10-27" -end = "2024-12-11" +user-id = 48 +start = "2022-05-05" +end = "2024-06-21" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1753,11 +1870,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_meta]] -who = "Jan-Erik Rediger " +who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" -user-id = 48 -start = "2022-08-31" -end = "2024-06-21" +user-id = 127697 +start = "2022-09-13" +end = "2024-12-11" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -1765,11 +1882,11 @@ aggregated-from = [ ] [[wildcard-audits.uniffi_meta]] -who = "Ben Dean-Kawamura " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -user-id = 127697 -start = "2022-09-13" -end = "2024-12-11" +user-id = 48 +start = "2022-08-31" +end = "2024-06-21" notes = "Maintained by the Glean and Application Services teams" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", 
@@ -1810,18 +1927,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[wildcard-audits.uniffi_testing]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -user-id = 48 -start = "2022-12-16" -end = "2024-06-21" -notes = "Maintained by the Glean and Application Services teams" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[wildcard-audits.uniffi_testing]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" @@ -1846,6 +1951,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[wildcard-audits.uniffi_testing]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +user-id = 48 +start = "2022-12-16" +end = "2024-06-21" +notes = "Maintained by the Glean and Application Services teams" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[wildcard-audits.uniffi_testing]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -1995,14 +2112,6 @@ by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[wildcard-audits.wasm-mutate]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -user-id = 696 -start = "2022-02-17" -end = "2025-07-30" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[wildcard-audits.wasm-mutate]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -2017,6 +2126,14 @@ so and will actively maintain this crate over time. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[wildcard-audits.wasm-mutate]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 +start = "2022-02-17" +end = "2025-07-30" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[wildcard-audits.wasm-smith]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -2058,14 +2175,6 @@ by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[wildcard-audits.wasmprinter]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -user-id = 696 -start = "2021-04-28" -end = "2025-07-30" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[wildcard-audits.wasmprinter]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -2093,6 +2202,14 @@ by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[wildcard-audits.wasmprinter]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 +start = "2021-04-28" +end = "2025-07-30" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[wildcard-audits.wasmtime]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -2648,14 +2765,6 @@ so and will actively maintain this crate over time. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[wildcard-audits.wit-component]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -user-id = 696 -start = "2019-03-16" -end = "2025-07-30" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[wildcard-audits.wit-component]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -2669,6 +2778,14 @@ by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[wildcard-audits.wit-component]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 +start = "2019-03-16" +end = "2025-07-30" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[wildcard-audits.wit-parser]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -2734,6 +2851,15 @@ version = "0.2.21" notes = "No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[audits.addr2line]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.19.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.addr2line]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -2745,42 +2871,37 @@ dependencies and refactor existing code to expose more functionality and such. aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.addr2line]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.19.0 -> 0.20.0" -notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.addr2line]] -who = "Alex Crichton " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.20.0 -> 0.21.0" -notes = "This version bump updated some dependencies and optimized some internals. All looks good." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.17.0 -> 0.19.0" +notes = "Only change to unsafe code is to reduce the scope of some unsafe blocks." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.addr2line]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.21.0 -> 0.22.0" +delta = "0.19.0 -> 0.20.0" +notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update." 
aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.addr2line]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.19.0" +delta = "0.19.0 -> 0.20.0" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.addr2line]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.19.0 -> 0.20.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.21.0" +notes = "This version bump updated some dependencies and optimized some internals. All looks good." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.addr2line]] who = "George Burgess IV " @@ -2792,14 +2913,10 @@ aggregated-from = [ ] [[audits.addr2line]] -who = "Jack Grigg " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.17.0 -> 0.19.0" -notes = "Only change to unsafe code is to reduce the scope of some unsafe blocks." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.21.0 -> 0.22.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.addr2line]] who = "Jack Grigg " 
@@ -2810,6 +2927,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.22.0 -> 0.24.1" +notes = "Lots of internal code refactorings and code movement. Nothing out of place however." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.adler]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -2817,6 +2941,22 @@ version = "1.0.2" notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.adler]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +version = "1.0.2" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits (except in comments and in the `README.md` file). + +Note that some additional, internal notes about an older version of this crate +can be found at go/image-crate-chromium-security-review. +''' +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.adler]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -2830,22 +2970,37 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.adler]] +[[audits.adler2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.0.0" +notes = "Fork of the original `adler` crate, zero unsfae code, works in `no_std`, does what it says on th tin." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.adler2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -version = "1.0.2" +version = "2.0.0" notes = ''' -Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` -and there were no hits (except in comments and in the `README.md` file). +This audit has been reviewed in https://crrev.com/c/5811890 -Note that some additional, internal notes about an older version of this crate -can be found at go/image-crate-chromium-security-review. +The crate is fairly easy to read thanks to its small size and rich comments. + +I've grepped for `-i cipher`, `-i crypto`, `\bfs\b`, `\bnet\b`, and +`\bunsafe\b`. There were no hits (except for a comment in `README.md` +and `lib.rs` pointing out "Zero `unsafe`"). ''' aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.aead]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.5.2" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.aead]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
@@ -2865,12 +3020,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.aead]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.5.2" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.aes]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] @@ -2887,6 +3036,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.aes]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.8.2 -> 0.8.3" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.aes]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-1"] @@ -2897,12 +3052,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.aes]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "0.8.2 -> 0.8.3" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.aes]] who = "Tim Geoghegan " criteria = "safe-to-deploy" 
@@ -2938,6 +3087,28 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.ahash]] +who = "Nicholas Bishop " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.8.3" +notes = """ +Note on does-not-implement-crypto: the aHash documentation explicitly +states it is not a cryptographically secure hash. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.ahash]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.7.6 -> 0.7.8" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.ahash]] who = "Chris Fallin " criteria = "safe-to-deploy" @@ -2954,19 +3125,6 @@ code it's no different than before and the usage remains the same. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.ahash]] -who = "Nicholas Bishop " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.8.3" -notes = """ -Note on does-not-implement-crypto: the aHash documentation explicitly -states it is not a cryptographically secure hash. -""" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.ahash]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -2986,21 +3144,12 @@ aggregated-from = [ ] [[audits.ahash]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.7.6 -> 0.7.8" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.ahash]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "0.8.7 -> 0.8.11" +who = "Nicholas Bishop " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.8.5 -> 0.8.11" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.ahash]] @@ -3022,6 +3171,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.ahash]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.8.7 -> 0.8.11" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.aho-corasick]] who = "Android Legacy" criteria = "safe-to-run" @@ -3040,15 +3198,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.aho-corasick]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.1.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.aho-corasick]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -3064,11 +3213,11 @@ aggregated-from = [ ] [[audits.aho-corasick]] -who = "Dustin J. Mitchell " +who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.1.2 -> 1.1.3" +version = "1.1.3" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] 
@@ -3099,12 +3248,56 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.aho-corasick]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.1.2 -> 1.1.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.alga]] who = "David Cook " criteria = "safe-to-run" version = "0.9.3" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.alloc-no-stdlib]] +who = [ + "Luca Versari ", + "Manish Goregaokar ", +] +criteria = "ub-risk-4" +version = "2.0.4" +notes = """ +Reviewed in CL 636730294 +#REF! +""" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.alloc-stdlib]] +who = "Taylor Cramer " +criteria = "ub-risk-2" +version = "0.2.2" +notes = "Reviewed in CL 636730499" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.allocator-api2]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.2.18" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.allocator-api2]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -3157,6 +3350,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.ambassador]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +version = "0.4.1" +notes = "Crate uses no unsafe code and the macros introduced by this crate generate the expected trait implementations without introducing additional unexpected operations." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.ambient-authority]] who = "Dan Gohman " criteria = "safe-to-deploy" @@ -3184,16 +3387,6 @@ Written by Robert Bragg who now works at Embark Studios. """ aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.android_logger]] -who = "Manish Goregaokar " -criteria = ["ub-risk-3", "does-not-implement-crypto"] -version = "0.13.3" -notes = "Reviewed in CL 559548165" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.android_logger]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -3204,6 +3397,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.android_logger]] +who = "Manish Goregaokar " +criteria = ["ub-risk-3", "does-not-implement-crypto"] +version = "0.13.3" +notes = "Reviewed in CL 559548165" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.android_logger]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" 
@@ -3277,15 +3480,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.anstream]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.6.13" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.anstream]] who = "Manish Goregaokar " criteria = "ub-risk-3" @@ -3311,6 +3505,31 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.anstream]] +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.13" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.anstyle]] +who = "Brandon Pitman " +criteria = "safe-to-run" +version = "1.0.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.anstyle]] +who = "Ben Saunders " +criteria = ["ub-risk-1", "does-not-implement-crypto"] +version = "1.0.0" +notes = "Reviewed in CL 559404826" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.anstyle]] who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -3363,27 +3582,12 @@ aggregated-from = [ ] [[audits.anstyle]] -who = "Ben Saunders " -criteria = ["ub-risk-1", "does-not-implement-crypto"] -version = "1.0.0" -notes = "Reviewed in CL 559404826" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anstyle]] -who = "Brandon Pitman " -criteria = "safe-to-run" -version = "1.0.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.anstyle-parse]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.2.3" +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto"] +delta = "1.0.8 -> 1.0.9" +notes = "No changes" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] @@ -3397,6 +3601,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.anstyle-parse]] +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.2.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.anstyle-query]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -3427,22 +3640,10 @@ aggregated-from = [ ] [[audits.anyhow]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.0.62 -> 1.0.66" -notes = """ -This update looks to be related to minor fixes and mostly integrating with a -nightly feature in the standard library for backtrace integration. No undue -`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening -here. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.anyhow]] -who = "Pat Hickey " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "1.0.69 -> 1.0.71" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +version = "1.0.57" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.anyhow]] who = "Johan Andersson " @@ -3450,13 +3651,6 @@ criteria = "safe-to-deploy" version = "1.0.58" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.anyhow]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "1.0.58 -> 1.0.66" -notes = "New unsafe usage, looks sane. Expert maintainer" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.anyhow]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -3467,110 +3661,13 @@ aggregated-from = [ ] [[audits.anyhow]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.68 -> 1.0.70" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.70 -> 1.0.71" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.71 -> 1.0.72" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.72 -> 1.0.75" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.75 -> 1.0.79" -notes = """ -1.0.75 has been previously audited as \"safe-to-run\", -\"does-not-implement-crypto\" - see -https://github.com/google/rust-crate-audits/blob/c2d49cb6e80bb817f569debecf846161dcebd88c/audits.toml#L277-L305 -The \"1.0.75 -> 1.0.79\" delta meets the same criteria. 
- -This is an incremental/delta audit - we don't claim any particular `ub-risk-N` -level for the baseline or for the final version. OTOH note that additional -uses of `unsafe` have been reviewed in https://crrev.com/c/5178771 and the -**delta** was evaluated as `ub-risk-3` - no known unsoundness but: -* Little safety comments to explain why a particular usage of `unsafe` - is safe and/or necessary -* Safety analysis couldn't be done locally, but required considering the - whole crate (e.g. checking if the public `Ref.ptr` is mutated anywhere) -""" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.79 -> 1.0.80" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.80 -> 1.0.81" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.81 -> 1.0.82" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "danakj " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.82 -> 1.0.83" 
-notes = "No change to UB-risk profile either." -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.anyhow]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.83 -> 1.0.86" -notes = "Delta only updates the ensure macro implementation, still safe to run, no crypto" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.56 -> 1.0.61" +notes = "Update does not introduce new code. Minor build script changes look fine." aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.anyhow]] @@ -3592,6 +3689,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.anyhow]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +delta = "1.0.58 -> 1.0.66" +notes = "New unsafe usage, looks sane. Expert maintainer" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.anyhow]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -3601,6 +3705,28 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.anyhow]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.61 -> 1.0.65" +notes = "Build script changes just alter what it is probing for; no difference in side effects." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.anyhow]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.62 -> 1.0.66" +notes = """ +This update looks to be related to minor fixes and mostly integrating with a +nightly feature in the standard library for backtrace integration. No undue +`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening +here. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.anyhow]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -3610,6 +3736,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.anyhow]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.68 -> 1.0.69" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.anyhow]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -3620,51 +3755,52 @@ aggregated-from = [ ] [[audits.anyhow]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.82 -> 1.0.83" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.68 -> 1.0.70" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.anyhow]] -who = "Jack Grigg " +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "1.0.56 -> 1.0.61" -notes = "Update does not introduce new code. Minor build script changes look fine." +delta = "1.0.69 -> 1.0.70" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.anyhow]] -who = "Jack Grigg " +who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "1.0.61 -> 1.0.65" -notes = "Build script changes just alter what it is probing for; no difference in side effects." 
+delta = "1.0.69 -> 1.0.71" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.anyhow]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.70 -> 1.0.71" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.anyhow]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.68 -> 1.0.69" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.71 -> 1.0.72" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.anyhow]] -who = "Sean Bowe " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "1.0.69 -> 1.0.70" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.71 -> 1.0.75" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " 
@@ -3679,6 +3815,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.anyhow]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.72 -> 1.0.75" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -3695,6 +3840,30 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.anyhow]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.75 -> 1.0.79" +notes = """ +1.0.75 has been previously audited as \"safe-to-run\", +\"does-not-implement-crypto\" - see +https://github.com/google/rust-crate-audits/blob/c2d49cb6e80bb817f569debecf846161dcebd88c/audits.toml#L277-L305 +The \"1.0.75 -> 1.0.79\" delta meets the same criteria. + +This is an incremental/delta audit - we don't claim any particular `ub-risk-N` +level for the baseline or for the final version. OTOH note that additional +uses of `unsafe` have been reviewed in https://crrev.com/c/5178771 and the +**delta** was evaluated as `ub-risk-3` - no known unsoundness but: +* Little safety comments to explain why a particular usage of `unsafe` + is safe and/or necessary +* Safety analysis couldn't be done locally, but required considering the + whole crate (e.g. checking if the public `Ref.ptr` is mutated anywhere) +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -3709,6 +3878,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.anyhow]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.79 -> 1.0.80" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.anyhow]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -3719,16 +3897,81 @@ aggregated-from = [ ] [[audits.anyhow]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "1.0.57" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.80 -> 1.0.81" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.anyhow]] -who = "Conrad Ludgate " +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.81 -> 1.0.82" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.anyhow]] +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "1.0.71 -> 1.0.75" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +delta = "1.0.82 -> 1.0.83" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.anyhow]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.82 -> 1.0.83" +notes = "No change to UB-risk profile either." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.anyhow]] +who = "Dustin J. 
Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.83 -> 1.0.86" +notes = "Delta only updates the ensure macro implementation, still safe to run, no crypto" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.anyhow]] +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.86 -> 1.0.87" +notes = "Minimal changes, mostly renaming std to core for a type" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.anyhow]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.87 -> 1.0.89" +notes = "No safety-related changes in this delta" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.anyhow]] +who = "Liza Burakova " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.89 -> 1.0.91" +notes = "Minimal changes" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.anymap]] who = "Manish Goregaokar " 
@@ -3813,15 +4056,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.arbitrary]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.2.3 -> 1.3.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.arbitrary]] who = "Mike Hommey " criteria = "safe-to-run" @@ -3858,6 +4092,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.arbitrary]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.2.3 -> 1.3.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.argh]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -3938,6 +4181,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.arrayref]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.6 -> 0.3.8" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.arrayref]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.9" +notes = "Changes to `unsafe` lines are to make some existing `unsafe fn`s `const`." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.arraystring]] who = "Henri Sivonen " criteria = "safe-to-deploy" 
@@ -3966,6 +4228,56 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.arrayvec]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.7.6" +notes = "Manually verified new unsafe pointer arithmetic." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.arrow-buffer]] +who = "Augie Fackler " +criteria = "ub-risk-2" +version = "51.0.0" +notes = "Reviewed in CL 637904132" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.arrow-cast]] +who = "Augie Fackler " +criteria = "ub-risk-2" +version = "51.0.0" +notes = "Reviewed in CL 638739847" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.arrow-data]] +who = "Ben Saunders " +criteria = "ub-risk-3" +version = "51.0.0" +notes = "Reviewed in CL 638739833" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.arrow-select]] +who = "Augie Fackler " +criteria = "ub-risk-3" +version = "51.0.0" +notes = "Reviewed in CL 638739853" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ascii]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -3985,6 +4297,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.ash]] +who = "Chia-I Wu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.38.0+1.3.281" +notes = "Vulkan binding mostly generated from vk.xml" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ash]] who = "Jim Blandy " criteria = "safe-to-deploy" @@ -4080,6 +4402,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.assert-json-diff]] +who = "Conrad Ludgate " +criteria = "safe-to-run" +version = "2.0.1" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.assert-json-diff]] who = "Johan Andersson " criteria = "safe-to-run" @@ -4087,11 +4415,11 @@ version = "2.0.2" notes = "No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.assert-json-diff]] -who = "Conrad Ludgate " +[[audits.assert_matches]] +who = "David Cook " criteria = "safe-to-run" -version = "2.0.1" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +version = "1.5.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.assert_matches]] who = "ChromeOS" @@ -4102,12 +4430,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.assert_matches]] -who = "David Cook " -criteria = "safe-to-run" -version = "1.5.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.async-channel]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -4129,18 +4451,15 @@ notes = "Proc macro. No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.async-stream]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" version = "0.3.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.async-stream]] -who = "George Burgess IV " +who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.3.4" +version = "0.3.3" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -4149,7 +4468,7 @@ aggregated-from = [ [[audits.async-stream]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.3.4 -> 0.3.5" +version = "0.3.4" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -4176,6 +4495,15 @@ aggregated-from = [ ] [[audits.async-stream]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.4 -> 0.3.5" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.async-stream-impl]] who = "Conrad Ludgate " criteria = "safe-to-deploy" version = "0.3.3" 
@@ -4199,15 +4527,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.async-stream-impl]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.3.4 -> 0.3.5" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.async-stream-impl]] who = "Tyler Mandry " criteria = ["ub-risk-2", "safe-to-deploy"] @@ -4229,10 +4548,13 @@ aggregated-from = [ ] [[audits.async-stream-impl]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.3.3" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.4 -> 0.3.5" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.async-task]] who = "George Burgess IV " 
@@ -4300,30 +4622,12 @@ aggregated-from = [ ] [[audits.async-trait]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.1.66 -> 0.1.68" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.async-trait]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.1.68 -> 0.1.69" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.async-trait]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.1.69 -> 0.1.73" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.56 -> 0.1.57" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.async-trait]] @@ -4338,7 +4642,7 @@ aggregated-from = [ [[audits.async-trait]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.1.56 -> 0.1.57" +delta = "0.1.57 -> 0.1.60" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", 
@@ -4347,19 +4651,37 @@ aggregated-from = [ [[audits.async-trait]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.1.57 -> 0.1.60" +delta = "0.1.60 -> 0.1.64" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.async-trait]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.1.60 -> 0.1.64" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.66 -> 0.1.68" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.async-trait]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.68 -> 0.1.69" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.async-trait]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.69 -> 0.1.73" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.async-trait]] 
@@ -4429,6 +4751,12 @@ no more. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.atty]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.2.14" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.atty]] who = "Android Legacy" criteria = "safe-to-run" @@ -4447,12 +4775,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.atty]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.2.14" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.audio-mixer]] who = "Chun-Min Chang " criteria = "safe-to-deploy" @@ -4511,12 +4833,13 @@ aggregated-from = [ ] [[audits.autocfg]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.1.8 -> 1.1.0" +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "All code written or reviewed by Josh Stone." aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.autocfg]] 
@@ -4537,6 +4860,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.autocfg]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.8 -> 1.1.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.autocfg]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] @@ -4551,16 +4883,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.autocfg]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "1.1.0" -notes = "All code written or reviewed by Josh Stone." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.autocfg]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -4639,17 +4961,6 @@ version = "0.3.66" notes = "I am the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.backtrace]] -who = "Alex Crichton " -criteria = "safe-to-run" -delta = "0.3.66 -> 0.3.67" -notes = """ -This change introduced a new means of learning the current exe by parsing -Linux-specific constructs and does not constitute any major changes to the -crate. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.backtrace]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -4660,33 +4971,35 @@ aggregated-from = [ ] [[audits.backtrace]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.3.67 -> 0.3.68" +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.3.66 -> 0.3.65" +notes = "Only changes were to the miri backend, which will be checked" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.backtrace]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.3.66 -> 0.3.67" +notes = """ +This change introduced a new means of learning the current exe by parsing +Linux-specific constructs and does not constitute any major changes to the +crate. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.backtrace]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.3.68 -> 0.3.69" +delta = "0.3.67 -> 0.3.68" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.backtrace]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -delta = "0.3.66 -> 0.3.65" -notes = "Only changes were to the miri backend, which will be checked" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.backtrace]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -4708,6 +5021,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.backtrace]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.68 -> 0.3.69" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.backtrace]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -4736,26 +5058,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.base64]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.21.0" -notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.base64]] -who = "Pat Hickey " -criteria = "safe-to-run" -version = "0.21.0" -notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.base64]] -who = "Andrew Brown " -criteria = "safe-to-deploy" -delta = "0.21.3 -> 0.22.1" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.base64]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -4784,6 +5086,29 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.base64]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.base64]] +who = "Pat Hickey " +criteria = "safe-to-run" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.base64]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.13.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.base64]] who = "David Cook " criteria = "safe-to-deploy" 
@@ -4808,12 +5133,36 @@ criteria = "safe-to-deploy" delta = "0.21.2 -> 0.21.3" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.base64]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.21.4" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.base64]] who = "Ameer Ghani " criteria = "safe-to-run" delta = "0.21.3 -> 0.21.4" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.base64]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.22.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.base64]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.21.4 -> 0.21.5" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.base64]] who = "David Cook " criteria = "safe-to-run" @@ -4827,6 +5176,15 @@ delta = "0.21.5 -> 0.21.6" notes = "sourcegraph-based diff did not see the v0.21.6 tag; I retrieved a local copy of the repo and used that for diff'ing." aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.base64]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.21.5 -> 0.21.7" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.base64]] who = "David Cook " criteria = "safe-to-run" 
@@ -4845,42 +5203,6 @@ criteria = "safe-to-run" delta = "0.22.0 -> 0.22.1" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.base64]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.13.0 -> 0.13.1" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.base64]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.21.3 -> 0.21.4" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.base64]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.21.4 -> 0.21.5" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.base64]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "0.21.5 -> 0.21.7" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.base64-serde]] who = "Conrad Ludgate " criteria = "safe-to-deploy" 
@@ -4961,94 +5283,85 @@ aggregated-from = [ ] [[audits.bindgen]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.60.1" +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +version = "0.59.2" +notes = "I'm the primary author and maintainer of the crate." aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.bindgen]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.63.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bindgen]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.60.1 -> 0.59.2" +version = "0.60.1" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bindgen]] -who = "Abhishek Pandit-Subedi " +who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.63.0 -> 0.64.0" +version = "0.63.0" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bindgen]] -who = "Dennis Kempin " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.64.0 -> 0.68.1" +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.59.2 
-> 0.63.0" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.bindgen]] -who = "Bob Haarman " +who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.68.1 -> 0.69.4" +delta = "0.60.1 -> 0.59.2" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bindgen]] -who = "Emilio Cobos Álvarez " +who = "Mike Hommey " criteria = "safe-to-deploy" -version = "0.59.2" -notes = "I'm the primary author and maintainer of the crate." +delta = "0.63.0 -> 0.64.0" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.bindgen]] -who = "Emilio Cobos Álvarez " -criteria = "safe-to-deploy" -delta = "0.59.2 -> 0.63.0" +who = "Abhishek Pandit-Subedi " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.63.0 -> 0.64.0" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bindgen]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.63.0 -> 0.64.0" +delta = "0.64.0 -> 0.66.1" aggregated-from = [ 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.bindgen]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.64.0 -> 0.66.1" +who = "Dennis Kempin " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.64.0 -> 0.68.1" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bindgen]] @@ -5069,6 +5382,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.bindgen]] +who = "Bob Haarman " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.68.1 -> 0.69.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.bindgen]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -5109,6 +5431,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.bit-set]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.2" +notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.bit-set]] who = [ "Manish Goregaokar ", 
@@ -5125,16 +5457,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.bit-set]] -who = "Aria Beingessner " -criteria = "safe-to-deploy" -version = "0.5.2" -notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.bit-set]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -5209,27 +5531,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.bitflags]] -who = "Jamey Sharp " -criteria = "safe-to-deploy" -delta = "2.1.0 -> 2.2.1" -notes = """ -This version adds unsafe impls of traits from the bytemuck crate when built -with that library enabled, but I believe the impls satisfy the documented -safety requirements for bytemuck. The other changes are minor. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.bitflags]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "2.3.2 -> 2.3.3" -notes = """ -Nothing outside the realm of what one would expect from a bitflags generator, -all as expected. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.bitflags]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -5239,42 +5540,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.bitflags]] -who = "Dennis Kempin " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.3.2 -> 2.2.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bitflags]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.2.1 -> 2.3.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bitflags]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.3.1 -> 2.3.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bitflags]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.3.2 -> 2.4.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.bitflags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] 
@@ -5294,6 +5559,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.bitflags]] +who = "Taylor Cramer " +criteria = ["ub-risk-1", "does-not-implement-crypto"] +version = "2.3.3" +notes = "Reviewed in CL 545304270" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.bitflags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] 
@@ -5315,60 +5590,97 @@ aggregated-from = [ ] [[audits.bitflags]] -who = "Adrian Taylor " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "2.4.2 -> 2.5.0" +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "1.3.2 -> 2.0.2" +notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)." aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.bitflags]] -who = "Adrian Taylor " -criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] -delta = "2.5.0 -> 2.6.0" -notes = "The changes from the previous version are negligible and thus it retains the same properties." 
+who = "Dennis Kempin " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.3.2 -> 2.2.1" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bitflags]] -who = "Taylor Cramer " -criteria = ["ub-risk-1", "does-not-implement-crypto"] -version = "2.3.3" -notes = "Reviewed in CL 545304270" +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "2.0.2 -> 2.1.0" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.bitflags]] +who = "Jamey Sharp " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.2.1" +notes = """ +This version adds unsafe impls of traits from the bytemuck crate when built +with that library enabled, but I believe the impls satisfy the documented +safety requirements for bytemuck. The other changes are minor. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.bitflags]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.2.1 -> 2.3.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bitflags]] -who = "Alex Franchuk " +who = "Teodor Tanasoaia " criteria = "safe-to-deploy" -delta = "1.3.2 -> 2.0.2" -notes = "Removal of some unsafe code/methods. 
No changes to externals, just some refactoring (mostly internal)." +delta = "2.2.1 -> 2.3.2" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.bitflags]] -who = "Nicolas Silva " +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.3.1 -> 2.3.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.bitflags]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "2.0.2 -> 2.1.0" +delta = "2.3.2 -> 2.3.3" +notes = """ +Nothing outside the realm of what one would expect from a bitflags generator, +all as expected. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.bitflags]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.3.2 -> 2.4.0" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bitflags]] -who = "Teodor Tanasoaia " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.2.1 -> 2.3.2" +delta = "2.3.3 -> 2.4.0" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.bitflags]] @@ -5391,12 +5703,32 @@ aggregated-from = [ ] [[audits.bitflags]] -who = "Jack Grigg " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "2.3.3 -> 2.4.0" +delta = "2.4.1 -> 2.6.0" +notes = """ +Changes in how macros are invoked and various bits and pieces of macro-fu. +Otherwise no major changes and nothing dealing with `unsafe`. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.bitflags]] +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "2.4.2 -> 2.5.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.bitflags]] +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] +delta = "2.5.0 -> 2.6.0" +notes = "The changes from the previous version are negligible and thus it retains the same properties." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bitreader]] 
@@ -5495,10 +5827,10 @@ aggregated-from = [ ] [[audits.block-buffer]] -who = "Benjamin Bouvier " +who = "David Cook " criteria = "safe-to-deploy" -delta = "0.9.0 -> 0.10.2" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +version = "0.9.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.block-buffer]] who = "George Burgess IV " @@ -5510,10 +5842,10 @@ aggregated-from = [ ] [[audits.block-buffer]] -who = "David Cook " +who = "Benjamin Bouvier " criteria = "safe-to-deploy" -version = "0.9.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "0.9.0 -> 0.10.2" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.block-buffer]] who = "Mike Hommey " @@ -5553,6 +5885,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.brotli]] +who = "Ben Saunders " +criteria = "ub-risk-2" +version = "3.5.0" +notes = "Reviewed in CL 641306142" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.bs58]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -5562,6 +5904,23 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.bstr]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +version = "1.10.0" +notes = """ +WARNING: This certification is a result of a **partial** audit. The +`unicode` feature has **not** been audited. The unicode feature has +soundness that depends on the correctness of regex automata that are +shipped as binary blobs. They have not been reviewed here.Ability to +track partial audits is tracked in +https://github.com/mozilla/cargo-vet/issues/380. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.btoi]] who = "Ben Saunders " criteria = ["ub-risk-0", "does-not-implement-crypto"] @@ -5628,15 +5987,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.bumpalo]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "3.11.1 -> 3.12.0" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.bumpalo]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -5647,6 +5997,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.bumpalo]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "3.11.1 -> 3.12.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.bumpalo]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -5705,6 +6064,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.bytemuck]] +who = [ + "Manish Goregaokar ", + "Łukasz Anforowicz ", +] +criteria = ["ub-risk-2", "does-not-implement-crypto"] +version = "1.13.1" +notes = "Reviewed in CL 561111794" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" @@ -5781,6 +6153,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.bytemuck]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "1.15.0 -> 1.16.0" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 
@@ -5818,25 +6199,23 @@ aggregated-from = [ ] [[audits.bytemuck]] -who = [ - "Manish Goregaokar ", - "Łukasz Anforowicz ", -] -criteria = ["ub-risk-2", "does-not-implement-crypto"] -version = "1.13.1" -notes = "Reviewed in CL 561111794" +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.17.1 -> 1.18.0" +notes = "No code changes - just altering feature flag arrangements" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bytemuck]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-run" -delta = "1.15.0 -> 1.16.0" +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.18.0 -> 1.19.0" +notes = "No code changes - just comment changes and adding the track_caller attribute." aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.bytemuck_derive]] 
@@ -5904,6 +6283,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.bytemuck_derive]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.7.1 -> 1.8.0" +notes = "Unsafe review: https://crrev.com/c/5921014" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.byteorder]] who = "Alyssa Haroldsen " criteria = ["ub-risk-3", "does-not-implement-crypto"] @@ -5918,6 +6307,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.byteorder]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.byteorder]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -5959,45 +6358,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.bytes]] -who = "agl@chromium.org" -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.4.0 -> 1.5.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bytes]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.5.0 -> 1.6.0" -notes = "Update removes some unsafe, and includes verifiable safety comments for newly-added unsafe." -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bytes]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.6.0 -> 1.6.1" -notes = "Very minor update, no unsafe changes" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.bytes]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.6.1 -> 1.7.1" -notes = "Many changes but they seem to meet the low bar of safe-to-run." -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.bytes]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -6016,15 +6376,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.bytes]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.3.0 -> 1.4.0" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.bytes]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -6039,6 +6390,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.bytes]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.3.0 -> 1.4.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.bytes]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -6054,6 +6414,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.bytes]] +who = "agl@chromium.org" +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.4.0 -> 1.5.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.bytes]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -6067,6 +6436,64 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.bytes]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.5.0 -> 1.6.0" +notes = "Update removes some unsafe, and includes verifiable safety comments for newly-added unsafe." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.bytes]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.6.0 -> 1.6.1" +notes = "Very minor update, no unsafe changes" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.bytes]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.6.1 -> 1.7.1" +notes = "Many changes but they seem to meet the low bar of safe-to-run." 
+aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.bytes]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.7.1 -> 1.7.2" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.bytes]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.7.1 -> 1.7.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.bytes]] +who = "Liza Burakova " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.7.2 -> 1.8.0" +notes = "smol change, does not add unsafe code, majority of change is new tests" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.bytesize]] who = "Andrew Brown " criteria = "safe-to-deploy" 
@@ -6165,6 +6592,42 @@ delta = "1.0.5 -> 1.0.14" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.cap-fs-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.2.0 -> 3.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-fs-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.4.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-fs-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.4.0 -> 3.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-net-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.2.0 -> 3.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-net-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.4.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-net-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.4.0 -> 3.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.cap-primitives]] who = "Dan Gohman " criteria = "safe-to-deploy" 
@@ -6193,6 +6656,24 @@ delta = "1.0.5 -> 1.0.14" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.cap-primitives]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.2.0 -> 3.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-primitives]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.4.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-primitives]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.4.0 -> 3.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.cap-rand]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -6214,6 +6695,24 @@ delta = "1.0.1 -> 1.0.14" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.cap-rand]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.2.0 -> 3.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-rand]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.4.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-rand]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.4.0 -> 3.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.cap-std]] who = "Dan Gohman " criteria = "safe-to-deploy" 
@@ -6228,6 +6727,13 @@ version = "1.0.1" notes = "The Bytecode Alliance is the author of this crate" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.cap-std]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +delta = "0.26.0 -> 0.26.1" +notes = "No changes, only version bump" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.cap-std]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -6243,11 +6749,22 @@ notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.cap-std]] -who = "Johan Andersson " +who = "Dan Gohman " criteria = "safe-to-deploy" -delta = "0.26.0 -> 0.26.1" -notes = "No changes, only version bump" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +delta = "3.2.0 -> 3.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-std]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.4.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-std]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.4.0 -> 3.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.cap-tempfile]] who = "Dan Gohman " 
@@ -6298,6 +6815,24 @@ delta = "1.0.5 -> 1.0.14" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.cap-time-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.2.0 -> 3.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-time-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.4.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cap-time-ext]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.4.0 -> 3.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.capnp]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -6307,6 +6842,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.cargo-config2]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "0.1.27" +notes = """ +Contains no unsafe code and does not appear to abuse any powerful capabilities +such as filesystem access. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.cargo-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -6323,6 +6871,16 @@ version = "0.1.2" notes = "no build, no ambient capabilities, no unsafe" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.cargo_metadata]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +version = "0.15.2" +notes = "I reviewed the whole code base. Parser for the output of cargo-metadata, relying mostly on serde. No unsafe code used." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.cargo_metadata]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -6331,11 +6889,22 @@ notes = "no build, no unsafe, inputs to cargo command are reasonably sanitized" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.cargo_metadata]] -who = "Alex Crichton " +who = "Nika Layzell " criteria = "safe-to-deploy" -delta = "0.17.0 -> 0.18.1" -notes = "No major changes, no unsafe code here." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.14.2 -> 0.15.2" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.cargo_metadata]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.15.2 -> 0.15.3" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.cargo_metadata]] who = "Johan Andersson " 
@@ -6352,32 +6921,11 @@ notes = "No notable changes" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.cargo_metadata]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -version = "0.15.2" -notes = "I reviewed the whole code base. Parser for the output of cargo-metadata, relying mostly on serde. No unsafe code used." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.cargo_metadata]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.15.2 -> 0.15.3" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.cargo_metadata]] -who = "Nika Layzell " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.14.2 -> 0.15.2" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.17.0 -> 0.18.1" +notes = "No major changes, no unsafe code here." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.case]] who = "Johan Andersson " 
@@ -6386,6 +6934,15 @@ version = "1.0.0" notes = "No unsafe usage or ambient capabilities. Stable for 4+ years" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[audits.cast]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.3.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cast]] who = "Alex Crichton " criteria = "safe-to-run" @@ -6398,15 +6955,6 @@ due to the major version bump. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.cast]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.3.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.castaway]] who = "Andrew Brown " criteria = "safe-to-deploy" 
@@ -6423,41 +6971,26 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "1.0.73" -notes = "I am the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.cc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.0.83 -> 1.1.6" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.cc]] -who = "George Burgess IV " +[[audits.cbindgen]] +who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.0.79" +delta = "0.24.5 -> 0.27.0" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.cc]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.79 -> 1.0.82" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.73" +notes = "I am the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.cc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.82 -> 1.0.83" +version = "1.0.79" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", 
@@ -6482,12 +7015,21 @@ aggregated-from = [ ] [[audits.cc]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.94 -> 1.0.97" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.79 -> 1.0.82" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cc]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.82 -> 1.0.83" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.cc]] 
@@ -6511,6 +7053,30 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cc]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.83 -> 1.1.6" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cc]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.0.94 -> 1.0.97" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cc]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.1.6 -> 1.1.13" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.cexpr]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -6547,13 +7113,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cfg-if]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "1.0.0" -notes = "I am the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.cfg-if]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] 
@@ -6564,23 +7123,17 @@ aggregated-from = [ ] [[audits.cfg-if]] -who = "Android Legacy" -criteria = "safe-to-run" +who = "Alex Crichton " +criteria = "safe-to-deploy" version = "1.0.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +notes = "I am the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.cfg-if]] -who = "George Burgess IV " -criteria = "ub-risk-0" +who = "Conrad Ludgate " +criteria = "safe-to-deploy" version = "1.0.0" -notes = "`rg -i unsafe` resulted in zero hits for this package." -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.cfg-if]] who = "Lukasz Anforowicz " 
@@ -6598,10 +7151,23 @@ aggregated-from = [ ] [[audits.cfg-if]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" +who = "Android Legacy" +criteria = "safe-to-run" version = "1.0.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cfg-if]] +who = "George Burgess IV " +criteria = "ub-risk-0" +version = "1.0.0" +notes = "`rg -i unsafe` resulted in zero hits for this package." +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.cfg_aliases]] who = "Johan Andersson " 
@@ -6619,12 +7185,32 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.cfg_aliases]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.1" +notes = "Very minor changes." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.cgl]] +who = "Sotaro Ikeda " +criteria = "safe-to-deploy" +version = "0.3.2" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.chacha20]] -who = "Joshua Liebow-Feeser " -criteria = ["safe-to-deploy", "ub-risk-2"] -delta = "0.8.1 -> 0.9.0" +who = "" +criteria = "ub-risk-2" +version = "0.9.1" +notes = "Reviewed in CL 640124703" aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] @@ -6638,6 +7224,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.chacha20]] +who = "Joshua Liebow-Feeser " +criteria = ["safe-to-deploy", "ub-risk-2"] +delta = "0.8.1 -> 0.9.0" +aggregated-from = [ + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.chacha20]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
@@ -6831,6 +7426,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cipher]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.4.4" +notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cipher]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.4.4" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.cipher]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -6851,11 +7459,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.cipher]] -who = "Conrad Ludgate " +[[audits.circular]] +who = "Alex Franchuk " criteria = "safe-to-deploy" -version = "0.4.4" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +version = "0.3.0" +notes = "No dependencies. Unsafe code is necessary to provide functionality and was manually verified to be correct." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.clang-sys]] who = "Android Legacy" 
@@ -6876,15 +7488,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.clang-sys]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.6.0 -> 1.6.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.clang-sys]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -6903,6 +7506,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.clang-sys]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.6.0 -> 1.6.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.clang-sys]] who = "Erich Gubler " criteria = "safe-to-deploy" 
@@ -6962,24 +7574,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.clap]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "4.5.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.clap]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "4.0.32 -> 4.1.14" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.clap]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -7004,6 +7598,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap]] +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "4.5.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] 
@@ -7018,6 +7621,21 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "4.0.32 -> 4.1.14" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.clap]] +who = "Brandon Pitman " +criteria = "safe-to-run" +delta = "4.1.14 -> 4.3.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -7027,6 +7645,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap]] +who = "Jack Grigg " +criteria = "safe-to-run" +delta = "4.4.14 -> 4.4.18" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -7115,18 +7742,32 @@ aggregated-from = [ ] [[audits.clap]] -who = "Brandon Pitman " -criteria = "safe-to-run" -delta = "4.1.14 -> 4.3.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "4.5.15 -> 4.5.17" +notes = "Minor code change and toml changes." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.clap]] -who = "Jack Grigg " -criteria = "safe-to-run" -delta = "4.4.14 -> 4.4.18" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "4.5.17 -> 4.5.18" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.clap]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "4.5.18 -> 4.5.20" +notes = "Trivial changes" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.clap-verbosity-flag]] 
@@ -7151,15 +7792,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.clap_builder]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "4.5.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.clap_builder]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -7184,6 +7816,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap_builder]] +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "4.5.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] @@ -7197,6 +7838,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap_builder]] +who = "Brandon Pitman " +criteria = "safe-to-run" +delta = "4.1.14 -> 4.3.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -7215,6 +7862,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap_builder]] +who = "Jack Grigg " +criteria = "safe-to-run" +delta = "4.5.0 -> 4.4.18" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -7262,18 +7918,32 @@ aggregated-from = [ ] [[audits.clap_builder]] -who = "Brandon Pitman " -criteria = "safe-to-run" -delta = "4.1.14 -> 4.3.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "4.5.15 -> 4.5.17" +notes = "No new unsafe, net, fs" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.clap_builder]] -who = "Jack Grigg " -criteria = "safe-to-run" -delta = "4.5.0 -> 4.4.18" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "4.5.17 -> 4.5.18" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.clap_builder]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] +delta = "4.5.18 -> 4.5.20" +notes = "No new unsafe" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.clap_conf]] 
@@ -7349,20 +8019,17 @@ aggregated-from = [ ] [[audits.clap_lex]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.7.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.clap_lex]] -who = "George Burgess IV " -criteria = "does-not-implement-crypto" -delta = "0.4.1 -> 0.2.4" +who = "Ben Saunders " +criteria = ["ub-risk-3", "does-not-implement-crypto"] +version = "0.5.0" +notes = """ +Reviewed in CL 559377426 +Issues: + - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280) + - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281) +""" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] 
@@ -7381,48 +8048,47 @@ aggregated-from = [ ] [[audits.clap_lex]] -who = "Lukasz Anforowicz " +who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.6.0 -> 0.7.0" +version = "0.7.0" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.clap_lex]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.7.0 -> 0.7.1" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.2" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.clap_lex]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.7.1 -> 0.7.2" -notes = "No `.rs` changes in the delta." 
+who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.4" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.clap_lex]] -who = "Ben Saunders " -criteria = ["ub-risk-3", "does-not-implement-crypto"] -version = "0.5.0" -notes = """ -Reviewed in CL 559377426 -Issues: - - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280) - - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281) -""" +who = "George Burgess IV " +criteria = "does-not-implement-crypto" +delta = "0.4.1 -> 0.2.4" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clap_lex]] +who = "Brandon Pitman " +criteria = "safe-to-run" +delta = "0.4.1 -> 0.5.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.clap_lex]] who = "Manish Goregaokar " criteria = "ub-risk-3" 
@@ -7439,27 +8105,31 @@ aggregated-from = [ ] [[audits.clap_lex]] -who = "Brandon Pitman " -criteria = "safe-to-run" -delta = "0.4.1 -> 0.5.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.6.0 -> 0.7.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.clap_lex]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.2.0 -> 0.2.2" +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.7.0 -> 0.7.1" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.clap_lex]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.4" +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.7.1 -> 0.7.2" +notes = "No `.rs` changes in the delta." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.clearscreen]] 
@@ -7519,6 +8189,26 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.clubcard]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "0.3.1" +notes = "This crate is maintained by the CryptoEng team at Mozilla and it contains no unsafe code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.clubcard-crlite]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "0.2.1" +notes = "This crate is maintained by the CryptoEng team at Mozilla and it contains no unsafe code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.cmac]] who = "David Cook " criteria = "safe-to-deploy" @@ -7751,6 +8441,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.console]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.15.8" +notes = "Lots of internal refactorings for new features and such, nothing major out of place." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.console]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -7806,6 +8503,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.constant_time_eq]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.convert_case]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -7996,13 +8702,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cpp_demangle]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.3.5 -> 0.4.3" -notes = "No substantive changes to `unsafe` code and otherwise all looks good." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.cpp_demangle]] who = "Hidenori Kobayashi " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -8012,14 +8711,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cpufeatures]] +[[audits.cpp_demangle]] who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.7" -notes = """ -This is a minor update that looks to add some more detected CPU features and -various other minor portability fixes such as MIRI support. -""" +delta = "0.3.5 -> 0.4.3" +notes = "No substantive changes to `unsafe` code and otherwise all looks good." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.cpufeatures]] @@ -8031,15 +8727,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cpufeatures]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.8 -> 0.2.9" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.cpufeatures]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -8050,41 +8737,51 @@ aggregated-from = [ ] [[audits.cpufeatures]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.2.4 -> 0.2.5" +delta = "0.2.2 -> 0.2.5" +notes = "Unsafe changes just introduce `#[inline(never)]` wrappers." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.cpufeatures]] -who = "Gabriele Svelto " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.7 -> 0.2.8" -notes = "This release contains a single fix for an issue that affected Firefox" +delta = "0.2.2 -> 0.2.7" +notes = """ +This is a minor update that looks to add some more detected CPU features and +various other minor portability fixes such as MIRI support. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.cpufeatures]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.cpufeatures]] -who = "Jack Grigg " +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.5" -notes = "Unsafe changes just introduce `#[inline(never)]` wrappers." 
+delta = "0.2.5 -> 0.2.6" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.cpufeatures]] -who = "Sean Bowe " +who = "Gabriele Svelto " criteria = "safe-to-deploy" -delta = "0.2.5 -> 0.2.6" +delta = "0.2.7 -> 0.2.8" +notes = "This release contains a single fix for an issue that affected Firefox" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.cpufeatures]] @@ -8096,6 +8793,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cpufeatures]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.8 -> 0.2.9" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cpufeatures]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -8119,6 +8825,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cpufeatures]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.14" +notes = """ +New `unsafe` block is to call `sysctlbyname` to detect DIT on Apple ARM64, which +is done in the same way as existing target feature checks on that arch. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.crash-context]] who = "Gabriele Svelto " criteria = "safe-to-deploy" @@ -8207,6 +8926,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.crc32fast]] +who = "Manish Goregaokar " +criteria = "ub-risk-2" +version = "1.3.2" +notes = "Reviewed in CL 558895300" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.crc32fast]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] @@ -8222,16 +8951,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.crc32fast]] -who = "Manish Goregaokar " -criteria = "ub-risk-2" -version = "1.3.2" -notes = "Reviewed in CL 558895300" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.crc32fast]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -8303,6 +9022,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.critical-section]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.1.2 -> 1.2.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cros-codecs]] who = "Alexandre Courbot " criteria = "does-not-implement-crypto" @@ -8366,18 +9094,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.crossbeam-channel]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.5.4 -> 0.5.8" -notes = """ -This diff does what it says on the tin for this version range, notably fixing a -race condition, improving handling of durations, and additionally swapping out a -spin lock with a lock from the standard library. Minor bits of `unsafe` code -are modified but that's expected given the nature of this crate. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.crossbeam-channel]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -8387,15 +9103,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.crossbeam-channel]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.5.7 -> 0.5.8" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.crossbeam-channel]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -8406,51 +9113,62 @@ aggregated-from = [ ] [[audits.crossbeam-channel]] -who = "Jan-Erik Rediger " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.5.7 -> 0.5.8" -notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition" +delta = "0.5.4 -> 0.5.8" +notes = """ +This diff does what it says on the tin for this version range, notably fixing a +race condition, improving handling of durations, and additionally swapping out a +spin lock with a lock from the standard library. Minor bits of `unsafe` code +are modified but that's expected given the nature of this crate. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.crossbeam-channel]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.5.6 -> 0.5.7" +notes = "Fixes wrapping overflows for large timeouts." aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.crossbeam-channel]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "0.5.8 -> 0.5.11" +delta = "0.5.7 -> 0.5.8" +notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition" aggregated-from = [ "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.crossbeam-channel]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "0.5.11 -> 0.5.12" -notes = "Minimal change fixing a memory leak." 
+who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.5.7 -> 0.5.8" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.crossbeam-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.5.6 -> 0.5.7" -notes = "Fixes wrapping overflows for large timeouts." +delta = "0.5.8 -> 0.5.9" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.crossbeam-channel]] -who = "Jack Grigg " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "0.5.8 -> 0.5.9" +delta = "0.5.8 -> 0.5.11" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.crossbeam-channel]] 
@@ -8466,6 +9184,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.11 -> 0.5.12" +notes = "Minimal change fixing a memory leak." +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.crossbeam-channel]] +who = "Glenn Watson " +criteria = "safe-to-deploy" +delta = "0.5.12 -> 0.5.13" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.crossbeam-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -8523,19 +9260,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.crossbeam-epoch]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.9.9 -> 0.9.15" -notes = """ -In general crossbeam has quite a lot of unsafe code as it's a primitive tool for -concurrency but this update isn't adding any extra unsafe than there already -was and all the updates here are related to odds-and-ends maintenance. In -other words everything is as one would expect from a minor update for this -crate. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.crossbeam-epoch]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -8545,15 +9269,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.crossbeam-epoch]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.9.14 -> 0.9.15" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.crossbeam-epoch]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -8564,18 +9279,22 @@ aggregated-from = [ ] [[audits.crossbeam-epoch]] -who = "Mike Hommey " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.9.10 -> 0.9.13" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.9.9 -> 0.9.15" +notes = """ +In general crossbeam has quite a lot of unsafe code as it's a primitive tool for +concurrency but this update isn't adding any extra unsafe than there already +was and all the updates here are related to odds-and-ends maintenance. In +other words everything is as one would expect from a minor update for this +crate. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.crossbeam-epoch]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.9.13 -> 0.9.14" +delta = "0.9.10 -> 0.9.13" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", 
@@ -8591,6 +9310,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.crossbeam-epoch]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.9.13 -> 0.9.14" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.crossbeam-epoch]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -8601,6 +9329,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.crossbeam-epoch]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.9.14 -> 0.9.15" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.crossbeam-epoch]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -8611,6 +9348,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.crossbeam-epoch]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.9.15 -> 0.9.18" +notes = "Nontrivial update but mostly around dependencies and how `unsafe` code is managed. Everything looks the same shape as before." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.crossbeam-epoch]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -8651,15 +9395,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.crossbeam-utils]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.8.15 -> 0.8.16" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.crossbeam-utils]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -8669,6 +9404,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.crossbeam-utils]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.8.10 -> 0.8.11" +notes = "No changes of substance, only minor updates around how `unsafe` code is managed but it's all trivially the same as before" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.crossbeam-utils]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -8679,13 +9421,16 @@ aggregated-from = [ ] [[audits.crossbeam-utils]] -who = "Alex Franchuk " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.8.19 -> 0.8.20" -notes = "Minor changes." +delta = "0.8.14 -> 0.8.15" +notes = """ +- Fixes a wrapping overflow for large timeouts. +- Marks some BPF and Sony Vita targets as not having atomics. +""" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.crossbeam-utils]] 
@@ -8700,10 +9445,11 @@ aggregated-from = [ [[audits.crossbeam-utils]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.8.14 -> 0.8.15" +delta = "0.8.15 -> 0.8.16" notes = """ -- Fixes a wrapping overflow for large timeouts. -- Marks some BPF and Sony Vita targets as not having atomics. +- Fixes cache line alignment for some targets. +- Replaces `mem::replace` with `Option::take` inside `unsafe` blocks. +- Unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics. """ aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", @@ -8711,17 +9457,12 @@ aggregated-from = [ ] [[audits.crossbeam-utils]] -who = "Jack Grigg " -criteria = "safe-to-deploy" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.15 -> 0.8.16" -notes = """ -- Fixes cache line alignment for some targets. -- Replaces `mem::replace` with `Option::take` inside `unsafe` blocks. -- Unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics. -""" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.crossbeam-utils]] 
@@ -8754,6 +9495,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.crossbeam-utils]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.8.19 -> 0.8.20" +notes = "Minor changes." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.crossterm]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] @@ -8794,15 +9545,6 @@ criteria = "safe-to-deploy" version = "0.1.3" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.crypto-common]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.1.3 -> 0.1.6" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.crypto-common]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] @@ -8813,6 +9555,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.crypto-common]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.6" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.cssparser]] who = "Emilio Cobos Álvarez " criteria = "safe-to-deploy" 
@@ -9018,6 +9769,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.ctrlc]] +who = "Taylor Cramer " +criteria = "ub-risk-3" +version = "3.4.0" +notes = "Reviewed in CL 587904024" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ctrlc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -9045,16 +9806,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.ctrlc]] -who = "Taylor Cramer " -criteria = "ub-risk-3" -version = "3.4.0" -notes = "Reviewed in CL 587904024" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.cty]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -9418,6 +10169,127 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.cxx]] +who = "danakj@chromium.org" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "1.0.110" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxx]] +who = "Lukasz Anforowicz " +criteria = "does-not-implement-crypto" +version = "1.0.117" +notes = """ +Grepped for \"crypt\", \"cipher\" - there were no hits +(except for benign hits in `MODULE.bazel.lock`) +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxx]] +who = "danakj " +criteria = "does-not-implement-crypto" +version = "1.0.122" +notes = """ +safe-to-deploy and ub-risk-2 are provided by exemption. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxx]] +who = "Daira Hopwood " +criteria = "safe-to-deploy" +delta = "1.0.68 -> 1.0.72" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.72 -> 1.0.76" +notes = "Impls Unpin for SharedPtr and UniquePtr. The rationale makes sense." 
+aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.76 -> 1.0.78" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "1.0.78 -> 1.0.79" +notes = """ +This release changes the result of the `cxxbridge` `exception` call to return +a struct containing both the pointer to an error message and its length, +instead of just the raw `*const u8`. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.79 -> 1.0.83" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.83 -> 1.0.91" +notes = """ +- Buildscript change is only to bump MSRV. +- Only change to C++ side is to fix a memory leak. 
+""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.91 -> 1.0.92" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.92 -> 1.0.94" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -9436,6 +10308,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.95 -> 1.0.97" +notes = "Adds some C++ static_casts to fix MSVC warnings." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -9445,6 +10327,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.97 -> 1.0.107" +notes = """ +New `unsafe` blocks are to implement `CxxVector::new` (exposing `std::vector::new`). The +remaining changes to `unsafe` code are removing uses of the wrapping `attr!` macro. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -9455,42 +10350,32 @@ aggregated-from = [ ] [[audits.cxx]] -who = "danakj@chromium.org" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.0.110" -notes = """ -Reviewed in https://crrev.com/c/5171063 - -Previously reviewed during security review and the audit is grandparented in. -""" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.107 -> 1.0.111" +notes = "Build script change is to look for `src/cxx.cc` in the same folder as `include/cxx.h`." aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.cxx]] -who = "Lukasz Anforowicz " -criteria = "does-not-implement-crypto" -version = "1.0.117" -notes = """ -Grepped for \"crypt\", \"cipher\" - there were no hits -(except for benign hits in `MODULE.bazel.lock`) -""" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.111 -> 1.0.113" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.cxx]] -who = "danakj " -criteria = "does-not-implement-crypto" -version = "1.0.122" -notes = """ -safe-to-deploy and ub-risk-2 are provided by exemption. -""" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.113 -> 1.0.122" +notes = "Build script changes only affect lints." 
aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.cxx]] 
@@ -9532,123 +10417,14 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxx]] -who = "Dustin J. Mitchell " -criteria = "does-not-implement-crypto" -delta = "1.0.123 -> 1.0.124" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxx]] -who = "Lukasz Anforowicz " -criteria = "does-not-implement-crypto" -delta = "1.0.124 -> 1.0.126" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxx]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.68 -> 1.0.72" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.72 -> 1.0.76" -notes = "Impls Unpin for SharedPtr and UniquePtr. The rationale makes sense." 
-aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.76 -> 1.0.78" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Kris Nuttycombe " -criteria = "safe-to-deploy" -delta = "1.0.78 -> 1.0.79" -notes = """ -This release changes the result of the `cxxbridge` `exception` call to return -a struct containing both the pointer to an error message and its length, -instead of just the raw `*const u8`. -""" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.79 -> 1.0.83" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.83 -> 1.0.91" -notes = """ -- Buildscript change is only to bump MSRV. -- Only change to C++ side is to fix a memory leak. 
-""" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.91 -> 1.0.92" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.92 -> 1.0.94" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.95 -> 1.0.97" -notes = "Adds some C++ static_casts to fix MSVC warnings." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.cxx]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.97 -> 1.0.107" +delta = "1.0.122 -> 1.0.124" notes = """ -New `unsafe` blocks are to implement `CxxVector::new` (exposing `std::vector::new`). The -remaining changes to `unsafe` code are removing uses of the wrapping `attr!` macro. +- Change to `build.rs` is to use `error_in_core` rustc feature. +- Change to `cxx.cc` uses the same technique for `char` as is already in use for + `isize` to check if it is an alias for `[u]int8_t`. """ aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", 
@@ -9656,42 +10432,30 @@ aggregated-from = [ ] [[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.107 -> 1.0.111" -notes = "Build script change is to look for `src/cxx.cc` in the same folder as `include/cxx.h`." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.111 -> 1.0.113" +who = "Dustin J. Mitchell " +criteria = "does-not-implement-crypto" +delta = "1.0.123 -> 1.0.124" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.113 -> 1.0.122" -notes = "Build script changes only affect lints." +who = "Lukasz Anforowicz " +criteria = "does-not-implement-crypto" +delta = "1.0.124 -> 1.0.126" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.cxx]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.122 -> 1.0.124" +delta = "1.0.126 -> 1.0.128" notes = """ -- Change to `build.rs` is to use `error_in_core` rustc feature. 
-- Change to `cxx.cc` uses the same technique for `char` as is already in use for - `isize` to check if it is an alias for `[u]int8_t`. +`unsafe` changes are to copy the `SyncUnsafeCell` type from nightly Rust. It is +used as the ZST `SyncUnsafeCell>` to fix an LLVM miscompilation. """ aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", @@ -9852,6 +10616,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.cxxbridge-cmd]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.126 -> 1.0.128" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxxbridge-cmd]] +who = "Liza Burakova " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.128 -> 1.0.129" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-flags]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -9900,42 +10682,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxxbridge-flags]] -who = "George Burgess IV " -criteria = ["does-not-implement-crypto", "safe-to-deploy"] -delta = "1.0.92 -> 1.0.94" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-flags]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.94 -> 1.0.97" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-flags]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.97 -> 1.0.106" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-flags]] -who = "George Burgess IV " -criteria = ["does-not-implement-crypto", "safe-to-deploy"] -delta = "1.0.106 -> 1.0.107" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.cxxbridge-flags]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -9960,35 +10706,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxxbridge-flags]] -who = "Adrian Taylor " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.122 -> 1.0.123" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-flags]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.123 -> 1.0.124" -notes = "No changes in this delta" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-flags]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.124 -> 1.0.126" -notes = "No changes in this delta" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.cxxbridge-flags]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
@@ -10053,6 +10770,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-flags]] +who = "George Burgess IV " +criteria = ["does-not-implement-crypto", "safe-to-deploy"] +delta = "1.0.92 -> 1.0.94" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-flags]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -10062,6 +10788,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-flags]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.94 -> 1.0.97" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-flags]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -10080,6 +10815,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-flags]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.97 -> 1.0.106" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxxbridge-flags]] +who = "George Burgess IV " +criteria = ["does-not-implement-crypto", "safe-to-deploy"] +delta = "1.0.106 -> 1.0.107" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-flags]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -10107,46 +10860,57 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.cxxbridge-macro]] -who = "Android Legacy" -criteria = "safe-to-run" -version = "1.0.42" +[[audits.cxxbridge-flags]] +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.122 -> 1.0.123" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxxbridge-macro]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.0.92" +[[audits.cxxbridge-flags]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.123 -> 1.0.124" +notes = "No changes in this delta" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxxbridge-macro]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.92 -> 1.0.94" +[[audits.cxxbridge-flags]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.124 -> 1.0.126" +notes = "No changes in this delta" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + 
"https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxxbridge-macro]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.94 -> 1.0.97" +[[audits.cxxbridge-flags]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.126 -> 1.0.128" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxxbridge-flags]] +who = "Liza Burakova " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.128 -> 1.0.129" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.cxxbridge-macro]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.97 -> 1.0.106" +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.0.42" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", 
@@ -10155,7 +10919,7 @@ aggregated-from = [ [[audits.cxxbridge-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.106 -> 1.0.107" +version = "1.0.92" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -10175,33 +10939,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.cxxbridge-macro]] -who = "Adrian Taylor " -criteria = "does-not-implement-crypto" -delta = "1.0.122 -> 1.0.123" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-macro]] -who = "Dustin J. Mitchell " -criteria = "does-not-implement-crypto" -delta = "1.0.123 -> 1.0.124" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.cxxbridge-macro]] -who = "Lukasz Anforowicz " -criteria = "does-not-implement-crypto" -delta = "1.0.124 -> 1.0.126" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.cxxbridge-macro]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
@@ -10289,6 +11026,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-macro]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.92 -> 1.0.94" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxxbridge-macro]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.94 -> 1.0.97" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-macro]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -10298,6 +11053,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-macro]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.97 -> 1.0.106" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-macro]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -10308,6 +11072,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-macro]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.106 -> 1.0.107" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-macro]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -10342,6 +11115,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-macro]] +who = "Adrian Taylor " +criteria = "does-not-implement-crypto" +delta = "1.0.122 -> 1.0.123" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.cxxbridge-macro]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -10352,6 +11134,33 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.cxxbridge-macro]] +who = "Dustin J. Mitchell " +criteria = "does-not-implement-crypto" +delta = "1.0.123 -> 1.0.124" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxxbridge-macro]] +who = "Lukasz Anforowicz " +criteria = "does-not-implement-crypto" +delta = "1.0.124 -> 1.0.126" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.cxxbridge-macro]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.126 -> 1.0.128" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.d3d12]] who = "Jim Blandy " criteria = "safe-to-deploy" @@ -10431,6 +11240,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.darling]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.20.1 -> 0.20.10" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.darling]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -10467,6 +11285,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.darling_core]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.20.1 -> 0.20.10" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.darling_core]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -10503,6 +11330,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.darling_macro]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.20.1 -> 0.20.10" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.darling_macro]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -10765,13 +11601,6 @@ version = "1.1.4" notes = "I am the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.derive_arbitrary]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.3.0 -> 1.3.1" -notes = "This updates `syn` to 2.x.x, nothing else in this diff." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.derive_arbitrary]] who = "Mike Hommey " criteria = "safe-to-run" 
@@ -10808,6 +11637,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.derive_arbitrary]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.3.0 -> 1.3.1" +notes = "This updates `syn` to 2.x.x, nothing else in this diff." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.derive_arbitrary]] who = "Mike Hommey " criteria = "safe-to-run" @@ -10872,12 +11708,6 @@ criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.3" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.digest]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.10.6 -> 0.10.7" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.digest]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -10887,6 +11717,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.digest]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.10.6 -> 0.10.7" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.diplomat]] who = "Makoto Kato " criteria = "safe-to-deploy" @@ -11214,6 +12050,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.easy-smt]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.2.2" +notes = "This crate is authored by trusted Bytecode Alliance members." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.ecdsa]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] 
@@ -11346,18 +12189,28 @@ notes = "Minor sane unsafe usage and no new ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.either]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.8.1" +who = "David Cook " +criteria = "safe-to-deploy" +version = "1.6.1" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.either]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.6.1" +notes = """ +Straightforward crate providing the Either enum and trait implementations with +no unsafe code. +""" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.either]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.8.1 -> 1.9.0" +version = "1.8.1" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", 
@@ -11372,49 +12225,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.either]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.9.0 -> 1.10.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.either]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.10.0 -> 1.11.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.either]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.11.0 -> 1.12.0" -notes = "Only changes the MSRV and adds a (safe) trait specialization." -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.either]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.12.0 -> 1.13.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.either]] -who = "David Cook " -criteria = "safe-to-deploy" -version = "1.6.1" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.either]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -11434,52 +12244,61 @@ aggregated-from = [ ] [[audits.either]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.8.0 -> 1.8.1" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.either]] -who = "Nika Layzell " +who = "Mike Hommey " criteria = "safe-to-deploy" -version = "1.6.1" -notes = """ -Straightforward crate providing the Either enum and trait implementations with -no unsafe code. -""" +delta = "1.8.0 -> 1.8.1" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.either]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.9.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.either]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.11.0 -> 1.13.0" +delta = "1.8.1 -> 1.9.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.either]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.8.0 -> 1.8.1" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.8.1 -> 1.9.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.either]] -who = "Jack Grigg " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "1.8.1 -> 1.9.0" +delta = "1.8.1 -> 1.13.0" +notes = "More utilities and such for the `Either` type, no `unsafe` code." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.either]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.9.0 -> 1.10.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.either]] 
@@ -11492,10 +12311,41 @@ aggregated-from = [ ] [[audits.either]] -who = "Conrad Ludgate " +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.10.0 -> 1.11.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.either]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.11.0 -> 1.12.0" +notes = "Only changes the MSRV and adds a (safe) trait specialization." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.either]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.8.1 -> 1.9.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +delta = "1.11.0 -> 1.13.0" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.either]] +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.12.0 -> 1.13.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.elliptic-curve]] who = "Joshua Liebow-Feeser " 
@@ -11572,6 +12422,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.encoding_rs]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +version = "0.8.31" +notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.encoding_rs]] who = "Manish Goregaokar " criteria = "ub-risk-3" @@ -11586,16 +12446,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.encoding_rs]] -who = "Henri Sivonen " -criteria = "safe-to-deploy" -version = "0.8.31" -notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.encoding_rs]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -11772,6 +12622,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.enumn]] +who = "Alexandre Courbot " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.12 -> 0.1.14" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.enumset]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -11826,15 +12685,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.env_logger]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.9.3 -> 0.8.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.env_logger]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -11844,6 +12694,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.env_logger]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.9.3 -> 0.8.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.env_logger]] who = "Nicolas Silva " criteria = "safe-to-deploy" 
@@ -11869,6 +12728,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.equivalent]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.equivalent]] who = "George Burgess IV " criteria = "ub-risk-0" @@ -11888,26 +12753,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.equivalent]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "1.0.1" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.errno]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -version = "0.3.0" -notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.errno]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -delta = "0.3.0 -> 0.3.1" -notes = "Just a dependency version bump and a bug fix for redox" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.errno]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -11917,6 +12762,23 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.errno]] +who = "Ben Saunders " +criteria = ["ub-risk-2", "does-not-implement-crypto"] +version = "0.2.8" +notes = "Reviewed in CL 567624402" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.3.0" +notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.errno]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -11936,31 +12798,34 @@ aggregated-from = [ ] [[audits.errno]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +notes = "Just a dependency version bump and a bug fix for redox" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.errno]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" delta = "0.3.1 -> 0.3.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.errno]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.3.2 -> 0.3.3" +delta = "0.3.1 -> 0.3.2" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.errno]] -who = "Ben Saunders " -criteria = ["ub-risk-2", "does-not-implement-crypto"] -version = "0.2.8" -notes = "Reviewed in CL 567624402" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.3.3" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.errno]] 
@@ -11973,29 +12838,29 @@ aggregated-from = [ ] [[audits.errno]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "0.3.8 -> 0.3.9" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.2 -> 0.3.3" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.3.3" +delta = "0.3.3 -> 0.3.8" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.errno]] -who = "Jack Grigg " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "0.3.3 -> 0.3.8" +delta = "0.3.8 -> 0.3.9" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -12009,10 +12874,10 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.errno]] +[[audits.errno-dragonfly]] who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.3.2" +version = "0.1.2" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.errno-dragonfly]] 
@@ -12028,12 +12893,6 @@ criteria = "safe-to-run" version = "0.1.2" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.errno-dragonfly]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.1.2" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.error-chain]] who = "ChromeOS" criteria = "safe-to-run" @@ -12100,6 +12959,15 @@ criteria = "safe-to-deploy" version = "2.1.0" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +[[audits.exitcode]] +who = "Gwendal Grignou " +criteria = ["safe-to-run", "crypto-safe"] +version = "1.1.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ext-trait]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -12173,6 +13041,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.fallible-iterator]] +who = "Hidenori Kobayashi " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.3.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.fallible-iterator]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -12184,15 +13061,6 @@ anything like that, all looks good. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.fallible-iterator]] -who = "Hidenori Kobayashi " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.3.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.fallible_collections]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -12250,16 +13118,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.fastrand]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "2.0.0 -> 2.0.1" -notes = """ -This update had a few doc updates but no otherwise-substantial source code -updates. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.fastrand]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] @@ -12314,6 +13172,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.fastrand]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 2.0.0" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.fastrand]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -12323,6 +13190,34 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.fastrand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +notes = """ +This update had a few doc updates but no otherwise-substantial source code +updates. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.fastrand]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.fastrand]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "2.0.1 -> 2.0.2" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.fastrand]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -12353,7 +13248,7 @@ aggregated-from = [ [[audits.fastrand]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.9.0 -> 2.0.0" +delta = "2.0.2 -> 2.1.0" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", 
@@ -12362,28 +13257,19 @@ aggregated-from = [ [[audits.fastrand]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.0.0 -> 2.0.1" +delta = "2.1.0 -> 2.1.1" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.fastrand]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "2.0.1 -> 2.0.2" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.fastrand]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "2.0.2 -> 2.1.0" +[[audits.fd-lock]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "2.0.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.fd-lock]] 
@@ -12393,29 +13279,6 @@ version = "3.0.9" notes = "This crate uses unsafe to make Windows syscalls, to borrow an Fd with an appropriate lifetime, and to zero a windows API structure that appears to have a valid representation with zeroed memory." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.fd-lock]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "3.0.9 -> 3.0.10" -notes = "Just a dependency version bump" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.fd-lock]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -delta = "3.0.10 -> 3.0.12" -notes = "Just a dependency version bump" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.fd-lock]] -who = "ChromeOS" -criteria = "safe-to-run" -version = "2.0.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.fd-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -12425,6 +13288,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.fd-lock]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "3.0.9 -> 3.0.10" +notes = "Just a dependency version bump" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.fd-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -12443,6 +13313,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.fd-lock]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "3.0.10 -> 3.0.12" +notes = "Just a dependency version bump" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.fd-lock]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -12476,6 +13353,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.fdeflate]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.3.4 -> 0.3.5" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.fdeflate]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.3.5 -> 0.3.6" +notes = "No unsafe, no crypto, mysterious tables replaced with const expressions" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.fdt]] who = "Manish Goregaokar " criteria = "ub-risk-2" 
@@ -12535,6 +13431,26 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.fend-core]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.5.1 -> 1.5.2" +notes = "No unsafe, no crypto" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.fend-core]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.5.2 -> 1.5.3" +notes = "No new unsafe, fs, net." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ff]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -12671,15 +13587,6 @@ delta = "0.1.5 -> 0.1.6" notes = "Just a dependency version bump" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.filetime]] -who = "Bastian Kersting " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.2.22" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.filetime]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] 
@@ -12690,6 +13597,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.filetime]] +who = "Bastian Kersting " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.2.22" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.filetime_win]] who = "Nick Alexander " criteria = "safe-to-deploy" @@ -12764,15 +13680,6 @@ criteria = "safe-to-run" version = "1.2.0" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.fixedbitset]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.fixedbitset]] who = "Manish Goregaokar " criteria = "ub-risk-3" @@ -12783,6 +13690,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.fixedbitset]] +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.fixedvec]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -12800,30 +13716,37 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.flate2]] -who = "Andrew Brown " -criteria = "safe-to-deploy" -delta = "1.0.26 -> 1.0.28" -notes = "No new `unsafe` and no large changes in function. This diff is mostly refactoring with a lot of docs, CI, test changes. Adds some defensive clearing out of certain variables as a safeguard." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.flatbuffers]] +who = "Taylor Cramer " +criteria = "ub-risk-1" +version = "23.5.26" +notes = "Reviewed in CL 638739860" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.flate2]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.0.26" +who = "Manish Goregaokar " +criteria = "ub-risk-4" +version = "1.0.24" +notes = """ +Reviewed in CL 558916134 +Issues found: + - Uninitialized memory: https://github.com/rust-lang/flate2-rs/pull/373 +Minor code quality suggestions: + - Defense in depth on dangling pointers (https://github.com/rust-lang/flate2-rs/issues/379) + - set_len usage relies on tricky undocumented invariants (incidentally fixed by PR #373) +""" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.flate2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.26 -> 1.0.27" -notes = """ -There is a CRC implementation in here, but those are not considered crypto. 
-Further, it's only used in tests internal to this crate. -""" +version = "1.0.26" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -12868,33 +13791,21 @@ aggregated-from = [ ] [[audits.flate2]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.30 -> 1.0.31" -notes = """ -Only benign changes: - -* Comment-only changes in `.rs` files -* Also changing dependency version in `Cargo.toml`, but this is for `any_zlib` - feature which is not used in Chromium (i.e. this is a *partial* audit - see - the previous audit notes for 1.0.30) -""" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.24 -> 1.0.25" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.flate2]] who = "Manish Goregaokar " criteria = "ub-risk-4" -version = "1.0.24" +delta = "1.0.24 -> 1.0.27" notes = """ -Reviewed in CL 558916134 -Issues found: - - Uninitialized memory: https://github.com/rust-lang/flate2-rs/pull/373 -Minor code quality suggestions: - - Defense in depth on dangling pointers (https://github.com/rust-lang/flate2-rs/issues/379) - - set_len usage relies on tricky undocumented invariants (incidentally fixed by PR #373) +Reviewed in CL 572611911 +Same review as previous """ aggregated-from = [ "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", 
@@ -12902,22 +13813,39 @@ aggregated-from = [ ] [[audits.flate2]] -who = "Manish Goregaokar " -criteria = "ub-risk-4" -delta = "1.0.24 -> 1.0.27" +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.25 -> 1.0.26" +notes = "Few dep updates, internal refactorings" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.flate2]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.26 -> 1.0.27" notes = """ -Reviewed in CL 572611911 -Same review as previous +There is a CRC implementation in here, but those are not considered crypto. +Further, it's only used in tests internal to this crate. """ aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.flate2]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "1.0.26 -> 1.0.28" +notes = "No new `unsafe` and no large changes in function. This diff is mostly refactoring with a lot of docs, CI, test changes. Adds some defensive clearing out of certain variables as a safeguard." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.flate2]] who = "Manish Goregaokar " criteria = "ub-risk-3" -version = "1.0.28" +delta = "1.0.27 -> 1.0.28" notes = """ Reviewed in CL 573223148 Issues from previous review (#379, #220) fixed (PRs #380, #373). 
@@ -12928,32 +13856,74 @@ aggregated-from = [ ] [[audits.flate2]] -who = "Mike Hommey " +who = "Alex Franchuk " criteria = "safe-to-deploy" -delta = "1.0.24 -> 1.0.25" +delta = "1.0.28 -> 1.0.30" +notes = "Some new unsafe code, however it has been verified and there are unit tests as well." aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.flate2]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -delta = "1.0.28 -> 1.0.30" -notes = "Some new unsafe code, however it has been verified and there are unit tests as well." +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.30 -> 1.0.31" +notes = """ +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. See the audit of 1.0.30 for +more details. + +Only benign changes: + +* Comment-only changes in `.rs` files +* Also changing dependency version in `Cargo.toml`, but this is for `any_zlib` + feature which is not used in Chromium (i.e. this is a *partial* audit - see + the previous audit notes for 1.0.30) +""" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.flate2]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.25 -> 1.0.26" -notes = "Few dep updates, internal refactorings" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.31 -> 1.0.33" +notes = """ +WARNING: This certification is a result of a **partial** audit. 
The +`any_zlib` code has **not** been audited. See the audit of 1.0.30 for +more details. + +This delta audit has been reviewed in https://crrev.com/c/5811890 +The delta can be seen at https://diff.rs/flate2/1.0.31/1.0.33 +The delta bumps up `miniz_oxide` dependency to `0.8.0` +The delta also contains some changes to `src/ffi/c.rs` which is *NOT* used by Chromium +and therefore hasn't been covered by this partial audit. +""" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.flate2]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.33 -> 1.0.34" +notes = """ +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. See the audit of 1.0.30 for +more details. + +The delta can be seen at https://diff.rs/flate2/1.0.33/1.0.34 +The delta bumps up `libz-rs-sys` dependency from `0.2.1` to `0.3.0` +The delta in `lib.rs` only tweaks comments and has no code changes. +The delta also contains some changes to `src/ffi/c.rs` which is *NOT* used by Chromium +and therefore hasn't been covered by this partial audit. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.fleetspeak]] 
@@ -13059,6 +14029,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.fnv]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.7" +notes = "Simple hasher implementation with no unsafe code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.fnv]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -13073,16 +14053,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.fnv]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -version = "1.0.7" -notes = "Simple hasher implementation with no unsafe code." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.font-types]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] @@ -13100,6 +14070,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.font-types]] +who = "Augie Fackler " +criteria = ["ub-risk-1", "does-not-implement-crypto"] +version = "0.5.0" +notes = "Reviewed in CL 617547813" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.font-types]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] 
@@ -13164,7 +14144,7 @@ aggregated-from = [ [[audits.font-types]] who = "Dominik Röttsches " -criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-1"] +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.5.5 -> 0.6.0" notes = "This change comprises changes to understand larger GlyphId and compatibility with older Mac TrueType fonts. No unsafe code is introduced." aggregated-from = [ 
@@ -13173,12 +14153,32 @@ aggregated-from = [ ] [[audits.font-types]] -who = "Augie Fackler " -criteria = ["ub-risk-1", "does-not-implement-crypto"] -version = "0.5.0" -notes = "Reviewed in CL 617547813" +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] +delta = "0.6.0 -> 0.7.1" +notes = "No new unsafe, mostly changes about int24 as a new OpenType type, and moving Pen from Skrifa." aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.font-types]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] +delta = "0.7.1 -> 0.7.2" +notes = "Explicit inlining of some type conversion. No new unsafe." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.font-types]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] +delta = "0.7.2 -> 0.7.3" +notes = "Wrapping math for Fixed type, no new unsafe." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] 
@@ -13260,15 +14260,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.form_urlencoded]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.1.0 -> 1.2.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.form_urlencoded]] who = "Valentin Gosu " criteria = "safe-to-deploy" @@ -13278,6 +14269,21 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.form_urlencoded]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 1.2.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.form_urlencoded]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.1.0 -> 1.2.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.form_urlencoded]] who = "Valentin Gosu " criteria = "safe-to-deploy" @@ -13287,12 +14293,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.form_urlencoded]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "1.1.0 -> 1.2.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.fpe]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -13379,13 +14379,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.futures]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -notes = "There are no definitions in this crate, just exports of definitions from child crates." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.futures]] who = "Android Legacy" criteria = "safe-to-run" @@ -13395,6 +14388,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "There are no definitions in this crate, just exports of definitions from child crates." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.futures]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] @@ -13468,13 +14468,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.futures-channel]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.futures-channel]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -13484,6 +14477,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures-channel]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.futures-channel]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -13512,49 +14512,40 @@ aggregated-from = [ ] [[audits.futures-channel]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" +notes = "Atomics usage in `Stream::size_hint` impls looks fine." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.futures-channel]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -delta = "0.3.27 -> 0.3.26" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-channel]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.27 -> 0.3.28" +delta = "0.3.25 -> 0.3.26" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-channel]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" -notes = "Atomics usage in `Stream::size_hint` impls looks fine." 
+delta = "0.3.26 -> 0.3.27" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-channel]] -who = "Jack Grigg " +who = "Bobby Holley " criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.27" +delta = "0.3.27 -> 0.3.26" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-channel]] @@ -13567,6 +14558,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-channel]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -13576,6 +14576,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-channel]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -13586,13 +14595,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.futures-core]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.futures-core]] who = "Android Legacy" criteria = "safe-to-run" @@ -13602,6 +14604,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures-core]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.3.21" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.futures-core]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.futures-core]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -13621,58 +14636,55 @@ aggregated-from = [ ] [[audits.futures-core]] -who = "Mike Hommey " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.3.23 -> 0.3.25" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.3.21 -> 0.3.28" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.futures-core]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" +delta = "0.3.23 -> 0.3.25" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-core]] -who = "Bobby Holley " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.27 -> 0.3.26" +delta = "0.3.25 -> 0.3.26" +notes = "Adds optional dependency on `portable-atomic 1` that can be enabled to replace `core::sync::atomic`." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-core]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.27 -> 0.3.28" +delta = "0.3.25 -> 0.3.26" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-core]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" -notes = "Adds optional dependency on `portable-atomic 1` that can be enabled to replace `core::sync::atomic`." 
+delta = "0.3.26 -> 0.3.27" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-core]] -who = "Jack Grigg " +who = "Bobby Holley " criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.27" +delta = "0.3.27 -> 0.3.26" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-core]] @@ -13688,6 +14700,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -13697,6 +14718,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-core]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -13707,25 +14737,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.futures-core]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.3.21" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.futures-core]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.3.21 -> 0.3.28" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.futures-executor]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.futures-executor]] who = "Android Legacy" criteria = "safe-to-run" @@ -13735,6 +14746,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures-executor]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.futures-executor]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -13798,12 +14816,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.futures-io]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.futures-io]] who = "Android Legacy" criteria = "safe-to-run" @@ -13813,6 +14825,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures-io]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.futures-io]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -13876,6 +14894,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-io]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-macro]] who = "Android Legacy" criteria = "safe-to-run" @@ -13939,6 +14966,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-macro]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-macro]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -13954,12 +14990,6 @@ criteria = "safe-to-deploy" version = "0.1.0" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.futures-sink]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.27" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.futures-sink]] who = "Android Legacy" criteria = "safe-to-run" @@ -13969,6 +14999,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures-sink]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.futures-sink]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -14023,6 +15059,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.futures-sink]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-sink]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -14041,6 +15086,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.futures-task]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.3.21" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.futures-task]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -14059,6 +15110,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.futures-task]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.3.21 -> 0.3.28" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.futures-task]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -14069,49 +15126,49 @@ aggregated-from = [ ] [[audits.futures-task]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-task]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.28" +delta = "0.3.25 -> 0.3.26" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-task]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" +delta = "0.3.26 -> 0.3.27" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-task]] -who = "Jack Grigg " +who = "Daira Emma Hopwood " criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.27" +delta = "0.3.26 -> 0.3.28" +notes = "Dependency updates, and an MSRV update to Rust 1.56." aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-task]] -who = "Daira Emma Hopwood " +who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.28" -notes = "Dependency updates, and an MSRV update to Rust 1.56." 
aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-task]] @@ -14133,6 +15190,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-task]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-task]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -14143,18 +15209,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.futures-task]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.3.21" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.futures-task]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.3.21 -> 0.3.28" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.futures-timer]] who = "Conrad Ludgate " criteria = "safe-to-run" 
@@ -14205,35 +15259,35 @@ aggregated-from = [ ] [[audits.futures-util]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" +notes = """ +Changes to `unsafe` usage are to split `Either::project` into `Either::as_pin_ref` and +`Either::as_pin_mut`. The new code follows the old code's pattern, and also now has SAFETY +documentation. +""" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.futures-util]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.28" +delta = "0.3.25 -> 0.3.26" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-util]] -who = "Jack Grigg " +who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" -notes = """ -Changes to `unsafe` usage are to split `Either::project` into `Either::as_pin_ref` and -`Either::as_pin_mut`. The new code follows the old code's pattern, and also now has SAFETY -documentation. -""" +delta = "0.3.26 -> 0.3.28" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.futures-util]] 
@@ -14264,6 +15318,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.futures-util]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.3.28 -> 0.3.31" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.futures-util]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -14350,12 +15413,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.generic-array]] -who = "David Cook " -criteria = "safe-to-run" -delta = "0.14.6 -> 0.13.3" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.generic-array]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -14365,6 +15422,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.generic-array]] +who = "David Cook " +criteria = "safe-to-run" +delta = "0.14.6 -> 0.13.3" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.generic-array]] who = "Sean Bowe " criteria = "safe-to-deploy" 
@@ -14426,31 +15489,10 @@ aggregated-from = [ ] [[audits.getrandom]] -who = "Lukasz Anforowicz " -criteria = "does-not-implement-crypto" -delta = "0.2.11 -> 0.2.12" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.getrandom]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.12 -> 0.2.14" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.getrandom]] -who = "danakj " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.14 -> 0.2.15" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "David Cook " +criteria = "safe-to-run" +delta = "0.2.2 -> 0.1.16" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.getrandom]] who = "David Koloski " 
@@ -14463,91 +15505,36 @@ aggregated-from = [ ] [[audits.getrandom]] -who = "David Cook " -criteria = "safe-to-run" -delta = "0.2.2 -> 0.1.16" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.getrandom]] -who = "Tim Geoghegan " -criteria = "safe-to-deploy" -delta = "0.2.9 -> 0.2.10" -notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`." -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.getrandom]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "0.2.10 -> 0.2.11" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.getrandom]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.2.11 -> 0.2.12" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.getrandom]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.2.12 -> 0.2.14" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.getrandom]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.2.14 -> 0.2.15" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.getrandom]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.6 -> 0.2.7" +notes = """ +Checked that getrandom::wasi::getrandom_inner matches wasi::random_get. +Checked that getrandom::util_libc::Weak lock ordering matches std::sys::unix::weak::DlsymWeak. 
+""" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.getrandom]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.2.7 -> 0.2.8" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.getrandom]] -who = "Yannis Juglaret " -criteria = "safe-to-deploy" -delta = "0.2.8 -> 0.2.9" +delta = "0.2.6 -> 0.2.7" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.getrandom]] -who = "Simon Friedberger " +who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.2.10 -> 0.2.11" +delta = "0.2.7 -> 0.2.8" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.getrandom]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.2.6 -> 0.2.7" -notes = """ -Checked that getrandom::wasi::getrandom_inner matches wasi::random_get. -Checked that getrandom::util_libc::Weak lock ordering matches std::sys::unix::weak::DlsymWeak. -""" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.getrandom]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -14595,6 +15582,82 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.getrandom]] +who = "Yannis Juglaret " +criteria = "safe-to-deploy" +delta = "0.2.8 -> 0.2.9" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.getrandom]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.10" +notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`." +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.getrandom]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.2.10 -> 0.2.11" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.getrandom]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +delta = "0.2.10 -> 0.2.11" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.getrandom]] +who = "Lukasz Anforowicz " +criteria = "does-not-implement-crypto" +delta = "0.2.11 -> 0.2.12" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.11 -> 0.2.12" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.12 -> 0.2.14" +aggregated-from = 
"https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.getrandom]] +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.12 -> 0.2.14" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.15" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.getrandom]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.14 -> 0.2.15" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ghash]] who = "David Cook " criteria = "safe-to-deploy" 
@@ -14628,6 +15691,47 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.gif]] +who = "Ben Saunders " +criteria = "ub-risk-1" +version = "0.12.1" +notes = "Reviewed in CL 637680029" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.gimli]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.27.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.gimli]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.27.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.gimli]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.30.0" +notes = """ +Unsafe code blocks are sound. Minimal dependencies used. No use of +side-effectful std functions. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.gimli]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -14639,6 +15743,15 @@ incorrect. Otherwise looks like someone probably ran clippy and/or rustfmt. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.gimli]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.27.0 -> 0.27.2" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.gimli]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -14646,6 +15759,15 @@ delta = "0.27.0 -> 0.27.3" notes = "More support for more DWARF, nothing major in this update. Some small refactorings and updates to publication of the package but otherwise everything's in order." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.gimli]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.27.2 -> 0.27.3" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.gimli]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -14656,38 +15778,20 @@ and no `unsafe` code to review here. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.gimli]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.28.0 -> 0.29.0" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.gimli]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.27.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.gimli]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.27.3" +delta = "0.27.3 -> 0.28.0" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.gimli]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.27.3 -> 0.28.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.28.0 -> 0.29.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.gimli]] who = "Hidenori Kobayashi " 
@@ -14699,22 +15803,11 @@ aggregated-from = [ ] [[audits.gimli]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.27.0 -> 0.27.2" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.gimli]] -who = "Jack Grigg " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.27.2 -> 0.27.3" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.29.0 -> 0.31.0" +notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.ginepro]] who = "Conrad Ludgate " @@ -14800,6 +15893,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.gix-index]] +who = "Manish Goregaokar " +criteria = "ub-risk-2" +delta = "0.27.1 -> 0.33.0" +notes = "Reviewed in CL 636423069" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.gix-pack]] who = "Taylor Cramer " criteria = "ub-risk-4" 
@@ -14882,6 +15985,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.gix-tempfile]] +who = "Manish Goregaokar " +criteria = "ub-risk-3" +delta = "11.0.1 -> 14.0.0" +notes = "Reviewed in CL 636941982" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.gleam]] who = "Jamie Nicol " criteria = "safe-to-deploy" @@ -14891,12 +16004,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.glob]] -who = "Jamey Sharp " -criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.3.0" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.glob]] who = "Android Legacy" criteria = "safe-to-run" @@ -14915,6 +16022,20 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.glob]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +version = "0.3.1" +notes = """ +No unsafe. The crate's purpose is to find files based on a glob, so it +uses the fs module for that and returns lists of paths. There's no net +usage or crypto. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.glob]] who = "George Burgess IV " criteria = "ub-risk-0" 
@@ -14934,6 +16055,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.glob]] +who = "Jamey Sharp " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.glsl]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -14958,6 +16085,16 @@ version = "1.2.0" notes = "No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[audits.goblin]] +who = "Ben Saunders " +criteria = "ub-risk-1" +version = "0.8.0" +notes = "Reviewed in CL 642006818" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.goblin]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -14997,6 +16134,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.goblin]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "MSRV bump, no unsafe changes" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.goblin]] who = "Alexandre Lissy " criteria = "safe-to-deploy" 
@@ -15008,12 +16155,12 @@ aggregated-from = [ ] [[audits.goblin]] -who = "Jan-Erik Rediger " +who = "Alex Franchuk " criteria = "safe-to-deploy" -delta = "0.7.1 -> 0.8.0" -notes = "MSRV bump, no unsafe changes" +delta = "0.8.1 -> 0.8.2" +notes = "Removes the TE feature/functionality, otherwise no meaningful changes." aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] @@ -15265,20 +16412,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.h2]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.3.19 -> 0.4.0" -notes = "A number of changes but nothing adding new `unsafe` or anything outside the purview of what this crate already manages." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.h2]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.4.0 -> 0.4.2" -notes = "Minor updates and fixes in this version bump, nothing major." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.h2]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -15297,6 +16430,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.h2]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.3.13 -> 0.3.14" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.h2]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.3.14 -> 0.3.15" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -15315,6 +16466,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.h2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.3.19 -> 0.4.0" +notes = "A number of changes but nothing adding new `unsafe` or anything outside the purview of what this crate already manages." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -15333,6 +16491,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.h2]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.21 -> 0.3.26" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -15343,39 +16510,33 @@ aggregated-from = [ ] [[audits.h2]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.3.13 -> 0.3.14" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.h2]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.3.14 -> 0.3.15" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.h2]] -who = "Daira-Emma Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.21 -> 0.3.26" +delta = "0.3.26 -> 0.4.5" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.h2]] -who = "Jack Grigg " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.4.5" +delta = "0.4.0 -> 0.4.2" +notes = "Minor updates and fixes in this version bump, nothing major." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.half]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "1.8.2" +notes = """ +This crate contains unsafe code for bitwise casts to/from binary16 floating-point +format. I've reviewed these and found no issues. There are no uses of ambient +capabilities. +""" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.half]] 
@@ -15414,20 +16575,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.half]] -who = "John M. Schanck " -criteria = "safe-to-deploy" -version = "1.8.2" -notes = """ -This crate contains unsafe code for bitwise casts to/from binary16 floating-point -format. I've reviewed these and found no issues. There are no uses of ambient -capabilities. -""" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.half]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" @@ -15448,6 +16595,25 @@ version = "0.1.11" notes = "No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[audits.hashbrown]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.12.3" +notes = "This version is used in rust's libstd, so effectively we're already trusting it" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.hashbrown]] +who = "Nicholas Bishop " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.13.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.hashbrown]] who = "Chris Fallin " criteria = "safe-to-deploy" 
@@ -15463,12 +16629,17 @@ notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.hashbrown]] -who = "Nicholas Bishop " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.13.2" +who = "Daira Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.13.2 -> 0.14.0" +notes = """ +There is some additional use of unsafe code but the changes in this crate looked plausible. +There is a new default dependency on the `allocator-api2` crate, which itself has quite a lot of unsafe code. +Many previously undocumented safety requirements have been documented. +""" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.hashbrown]] @@ -15480,16 +16651,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.hashbrown]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -version = "0.12.3" -notes = "This version is used in rust's libstd, so effectively we're already trusting it" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.hashbrown]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -15500,20 +16661,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.hashbrown]] -who = "Daira Emma Hopwood " -criteria = "safe-to-deploy" -delta = "0.13.2 -> 0.14.0" -notes = """ -There is some additional use of unsafe code but the changes in this crate looked plausible. -There is a new default dependency on the `allocator-api2` crate, which itself has quite a lot of unsafe code. -Many previously undocumented safety requirements have been documented. -""" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.hashlink]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -15598,13 +16745,6 @@ version = "0.4.0" notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.heck]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.4.1 -> 0.5.0" -notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.heck]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -15614,6 +16754,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.heck]] +who = "Lukasz Anforowicz " +criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] +version = "0.4.1" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits. + +`heck` (version `0.3.3`) has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.heck]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -15632,6 +16788,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.heck]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.heck]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -15642,25 +16807,22 @@ aggregated-from = [ ] [[audits.heck]] -who = "Lukasz Anforowicz " -criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] -version = "0.4.1" -notes = """ -Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` -and there were no hits. +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.5.0" +notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -`heck` (version `0.3.3`) has been added to Chromium in -https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 -""" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +[[audits.hermit-abi]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.1.19" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.heck]] +[[audits.hermit-abi]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.4.0 -> 0.4.1" +delta = "0.1.19 -> 0.2.6" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", 
@@ -15678,15 +16840,6 @@ criteria = "safe-to-run" delta = "0.2.6 -> 0.3.1" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.hermit-abi]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.1.19 -> 0.2.6" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.hermit-abi]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -15705,21 +16858,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.hermit-abi]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.1.19" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.hex]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" 
@@ -15729,17 +16867,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.hex-literal]] -who = "danakj@chromium.org" +[[audits.hex]] +who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.1" -notes = """ -Reviewed in https://crrev.com/c/5171063 - -Previously reviewed during security review and the audit is grandparented in. -""" +version = "0.4.3" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] @@ -15755,6 +16888,20 @@ criteria = "safe-to-run" version = "0.4.0" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.hex-literal]] +who = "danakj@chromium.org" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.1" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.hex-literal]] who = "Tim Geoghegan " criteria = "safe-to-run" @@ -15770,6 +16917,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.hmac]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.12.1" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.hmac]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] 
@@ -15779,18 +16932,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.hmac]] -who = "David Cook " -criteria = "safe-to-deploy" -version = "0.12.1" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.home]] -who = "Alex Crichton " -criteria = "safe-to-run" -delta = "0.5.3 -> 0.5.9" -notes = "No major changes, just some internal refactorings." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "0.5.3" +notes = """ +Crate with straightforward code for determining the user's HOME directory. Only +unsafe code is used to invoke the Windows SHGetFolderPathW API to get the +profile directory when the USERPROFILE environment variable is unavailable. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.home]] who = "Manish Goregaokar " @@ -15802,6 +16956,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.home]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.5.3 -> 0.5.9" +notes = "No major changes, just some internal refactorings." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.home]] who = "Augie Fackler " criteria = ["ub-risk-2", "does-not-implement-crypto"] 
@@ -15813,17 +16974,17 @@ aggregated-from = [ ] [[audits.home]] -who = "Nika Layzell " +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "0.5.3" +delta = "0.5.5 -> 0.5.9" notes = """ -Crate with straightforward code for determining the user's HOME directory. Only -unsafe code is used to invoke the Windows SHGetFolderPathW API to get the -profile directory when the USERPROFILE environment variable is unavailable. +`unsafe` changes are to switch Windows logic from `SHGetFolderPathW` to +`SHGetKnownFolderPath`. I checked that the parameters and return values were +being handled correctly per the Windows documentation. """ aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.hoot]] @@ -15888,13 +17049,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.http]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.2.9 -> 1.0.0" -notes = "Minor changes leading up to the 1.0.0 release and nothing fundamentally new here." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.http]] who = "ChromeOS" criteria = "safe-to-run" @@ -15923,6 +17077,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.http]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.8 -> 0.2.9" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.http]] who = "Mike Hommey " criteria = "safe-to-run" 
@@ -15933,13 +17096,11 @@ aggregated-from = [ ] [[audits.http]] -who = "Jack Grigg " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.8 -> 0.2.9" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.2.9 -> 1.0.0" +notes = "Minor changes leading up to the 1.0.0 release and nothing fundamentally new here." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.http]] who = "Daira-Emma Hopwood " @@ -15960,17 +17121,14 @@ aggregated-from = [ ] [[audits.http-body]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "1.0.0-rc.2" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.http-body]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.0.0-rc.2 -> 1.0.0" -notes = "Only minor changes made for a stable release." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +who = "Erick Tryzelaar " +criteria = ["ub-risk-2", "safe-to-run"] +version = "0.4.4" +notes = "Reviewed on https://fxrev.dev/611683" +aggregated-from = [ + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.http-body]] who = "George Burgess IV " @@ -15981,6 +17139,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.http-body]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.4.5" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.http-body]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -15991,39 +17155,36 @@ aggregated-from = [ ] [[audits.http-body]] -who = "Erick Tryzelaar " -criteria = ["ub-risk-2", "safe-to-run"] -version = "0.4.4" -notes = "Reviewed on https://fxrev.dev/611683" -aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "1.0.0-rc.2" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.http-body]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.0 -> 1.0.1" +delta = "0.4.5 -> 0.4.6" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.http-body]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.0-rc.2 -> 1.0.0" +notes = "Only minor changes made for a stable release." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.http-body]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.4.5 -> 0.4.6" +delta = "1.0.0 -> 1.0.1" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.http-body]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.4.5" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.http-body-util]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -16135,17 +17296,6 @@ criteria = "safe-to-deploy" delta = "1.0.2 -> 1.0.3" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.hyper]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.0.0-rc.3 -> 1.0.1" -notes = """ -Quite a few changes here relative to the last RC but everything is related to -refactorings and such. No new fundamental addition of functionality or -substantially new unsafe code. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.hyper]] who = "ChromeOS" criteria = "safe-to-run" @@ -16212,15 +17362,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.hyper]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.14.23 -> 0.14.24" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -16234,6 +17375,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.hyper]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.14.23 -> 0.14.24" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -16261,6 +17411,17 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.hyper]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.0-rc.3 -> 1.0.1" +notes = """ +Quite a few changes here relative to the last RC but everything is related to +refactorings and such. No new fundamental addition of functionality or +substantially new unsafe code. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.hyper-timeout]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -16308,6 +17469,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.iana-time-zone]] +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.1.53" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.iana-time-zone]] who = "Dan Gohman " criteria = "safe-to-deploy" @@ -16318,15 +17488,6 @@ the bindings checked into the repo. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.iana-time-zone]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.1.53" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.iana-time-zone]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -16740,13 +17901,6 @@ suspicious. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.idna]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "0.3.0 -> 0.4.0" -notes = "No unsafe usage or ambient capabilities" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.idna]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -16766,6 +17920,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.idna]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.4.0" +notes = "No unsafe usage or ambient capabilities" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.idna]] who = "Valentin Gosu " criteria = "safe-to-deploy" @@ -16794,15 +17955,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.image]] -who = "Chih-Yao Chuang " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.23.14 -> 0.24.8" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.image]] who = "Taylor Cramer " criteria = "ub-risk-2" 
@@ -16813,6 +17965,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.image]] +who = "Chih-Yao Chuang " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.23.14 -> 0.24.8" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.imara-diff]] who = "Taylor Cramer " criteria = "ub-risk-4" @@ -16873,14 +18034,25 @@ aggregated-from = [ ] [[audits.indexmap]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.9.3 -> 2.1.0" +who = "Taylor Cramer " +criteria = "ub-risk-2" +version = "2.2.6" +notes = "Reviewed in CL 629033781" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.indexmap]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.9.1" +notes = "I'm satisfied that the assertion guarding the new unsafe block is correct." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.indexmap]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -16900,22 +18072,21 @@ aggregated-from = [ ] [[audits.indexmap]] -who = "Jack Grigg " +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "1.8.1 -> 1.9.1" -notes = "I'm satisfied that the assertion guarding the new unsafe block is correct." +delta = "1.9.2 -> 1.9.3" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.indexmap]] -who = "Sean Bowe " -criteria = "safe-to-deploy" -delta = "1.9.2 -> 1.9.3" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.9.3 -> 2.1.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.indexmap]] @@ -17092,6 +18263,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.inout]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
@@ -17175,6 +18353,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.intrusive-collections]] +who = "Taylor Cramer " +criteria = "ub-risk-3" +version = "0.9.6" +notes = "Reviewed in CL 638226392" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.inventory]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -17229,25 +18417,17 @@ delta = "0.17.2 -> 0.17.4" notes = "Just a dependency version bump" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.io-lifetimes]] +[[audits.io-extras]] who = "Dan Gohman " criteria = "safe-to-deploy" -version = "1.0.3" -notes = "I am the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.io-lifetimes]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "1.0.3 -> 1.0.5" -notes = "The Bytecode Alliance is the author of this crate." +delta = "0.18.2 -> 0.18.3" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.io-lifetimes]] who = "Dan Gohman " criteria = "safe-to-deploy" -delta = "1.0.5 -> 1.0.10" -notes = "I am the maintainer of this crate." +version = "1.0.3" +notes = "I am the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.io-lifetimes]] 
@@ -17269,12 +18449,26 @@ aggregated-from = [ ] [[audits.io-lifetimes]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "1.0.3 -> 1.0.5" +notes = "The Bytecode Alliance is the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.io-lifetimes]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "1.0.5 -> 1.0.10" +notes = "I am the maintainer of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.io-lifetimes]] +who = "Jack Grigg " +criteria = "safe-to-deploy" delta = "1.0.10 -> 1.0.11" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.io-lifetimes]] @@ -17284,12 +18478,12 @@ delta = "1.0.10 -> 1.0.11" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.io-lifetimes]] -who = "Jack Grigg " -criteria = "safe-to-deploy" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.10 -> 1.0.11" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.io-uring]] 
@@ -17346,6 +18540,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.ipnet]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.9.0 -> 2.10.0" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.is-terminal]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -17360,6 +18563,15 @@ version = "0.4.1" notes = "Contains only unsafe code for interacting with the crate's intended purpose." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.is-terminal]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.is-terminal]] who = "Dan Gohman " criteria = "safe-to-deploy" 
@@ -17380,20 +18592,17 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m [[audits.is-terminal]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.2" +delta = "0.4.2 -> 0.4.9" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.is-terminal]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.2 -> 0.4.9" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.4.7 -> 0.4.9" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.is-terminal]] who = "Daira-Emma Hopwood " @@ -17404,12 +18613,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.is-terminal]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.4.7 -> 0.4.9" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.is_ci]] who = "Nika Layzell " criteria = "safe-to-deploy" 
@@ -17420,16 +18623,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.itertools]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -delta = "0.10.5 -> 0.12.1" -notes = """ -Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it -says on the tin: lots of iterators. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.itertools]] who = "ChromeOS" criteria = "safe-to-run" @@ -17448,15 +18641,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.itertools]] -who = "Yu-An Wang " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.10.5 -> 0.11.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.itertools]] who = "agl@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -17481,12 +18665,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.itertools]] -who = "David Cook " -criteria = "safe-to-run" -delta = "0.10.5 -> 0.11.0" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.itertools]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -17496,37 +18674,44 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.itoa]] -who = "Android Legacy" +[[audits.itertools]] +who = "David Cook " criteria = "safe-to-run" -version = "0.4.7" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +delta = "0.10.5 -> 0.11.0" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.itoa]] -who = "ChromeOS" +[[audits.itertools]] +who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.0.5" +delta = "0.10.5 -> 0.11.0" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.itertools]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +delta = "0.10.5 -> 0.12.1" +notes = """ +Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it +says on the tin: lots of iterators. 
+""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.itoa]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.5 -> 1.0.6" +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.4.7" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.itoa]] -who = "George Burgess IV " +who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.6 -> 1.0.9" +version = "1.0.5" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -17551,20 +18736,13 @@ aggregated-from = [ ] [[audits.itoa]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.10 -> 1.0.11" -notes = """ -Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: - -* Bumping up the version -* A touch up of comments -* And my own PR to make `unsafe` blocks more granular: - https://github.com/dtolnay/itoa/pull/42 -""" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 1.0.3" +notes = "Update makes no changes to code." aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.itoa]] 
@@ -17586,22 +18764,21 @@ aggregated-from = [ ] [[audits.itoa]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.1 -> 1.0.3" -notes = "Update makes no changes to code." +delta = "1.0.5 -> 1.0.6" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.itoa]] -who = "Jack Grigg " -criteria = "safe-to-deploy" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.5 -> 1.0.6" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.itoa]] @@ -17613,6 +18790,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.itoa]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.6 -> 1.0.9" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.itoa]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -17622,6 +18808,30 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.itoa]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.10 -> 1.0.11" +notes = """ +Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: + +* Bumping up the version +* A touch up of comments +* And my own PR to make `unsafe` blocks more granular: + https://github.com/dtolnay/itoa/pull/42 +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.ittapi]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.3.3" +notes = "Lots of unsafe code for calling into C FFI functions, looks pretty simple and sound though. No ambient capabilities" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.ittapi]] who = "Andrew Brown " criteria = "safe-to-deploy" @@ -17641,11 +18851,15 @@ criteria = "safe-to-deploy" delta = "0.3.4 -> 0.4.0" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.ittapi]] +[[audits.ittapi-sys]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.3.3" -notes = "Lots of unsafe code for calling into C FFI functions, looks pretty simple and sound though. No ambient capabilities" +notes = """ +Builds C/asm dependency which this review has not audited in detail, but is well established from Intel. +Exposes FFI types & functions generated through bindgen. No other logic. +No ambient capabilities +""" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.ittapi-sys]] 
@@ -17667,17 +18881,6 @@ criteria = "safe-to-deploy" delta = "0.3.4 -> 0.4.0" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.ittapi-sys]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.3.3" -notes = """ -Builds C/asm dependency which this review has not audited in detail, but is well established from Intel. -Exposes FFI types & functions generated through bindgen. No other logic. -No ambient capabilities -""" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.jiter]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] @@ -17700,9 +18903,9 @@ aggregated-from = [ [[audits.jj_cli]] who = "Taylor Cramer " -criteria = "ub-risk-2" -version = "0.11.0" -notes = "Reviewed in CL 586453800" +criteria = "ub-risk-1" +version = "0.8.0" +notes = "Reviewed in CL 558944141" aggregated-from = [ "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -17710,9 +18913,9 @@ aggregated-from = [ [[audits.jj_cli]] who = "Taylor Cramer " -criteria = "ub-risk-1" -version = "0.8.0" -notes = "Reviewed in CL 558944141" +criteria = "ub-risk-2" +version = "0.11.0" +notes = "Reviewed in CL 586453800" aggregated-from = [ "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", 
@@ -17778,12 +18981,6 @@ https://github.com/signalapp/libsignal/blob/main/rust/bridge/jni/Cargo.toml """ aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.jobserver]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.25 -> 0.1.32" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.jobserver]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -17802,14 +18999,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.js-sys]] -who = "Daira-Emma Hopwood " +[[audits.jobserver]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.3.65 -> 0.3.66" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.1.25 -> 0.1.32" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.js-sys]] who = "Jack Grigg " @@ -17849,6 +19043,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.js-sys]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.65 -> 0.3.66" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.js-sys]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -17897,15 +19100,19 @@ version = "0.1.2" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.keccak]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "0.1.2 -> 0.1.3" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +who = "Manish Goregaokar " +criteria = "ub-risk-2" +version = "0.1.5" +notes = "Reviewed in CL 636605237" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.keccak]] who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "0.1.3 -> 0.1.4" +delta = "0.1.2 -> 0.1.3" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.keccak]] @@ -17917,6 +19124,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.keccak]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.kernlog]] who = "Matthias Kaehlcke " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -17991,6 +19204,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.kvm-ioctls]] +who = "Manish Goregaokar " +criteria = "ub-risk-3" +delta = "0.15.0 -> 0.17.0" +notes = "Reviewed in CL 634689649" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.lazy_static]] who = "George Burgess IV " criteria = "does-not-implement-crypto" 
@@ -18001,12 +19224,19 @@ aggregated-from = [ ] [[audits.lazy_static]] -who = "Android Legacy" -criteria = "safe-to-run" +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "1.4.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.lazy_static]] +who = "Nika Layzell " +criteria = "safe-to-deploy" version = "1.4.0" +notes = "I have read over the macros, and audited the unsafe code." aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.lazy_static]] @@ -18026,6 +19256,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.lazy_static]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.4.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.lazy_static]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 
@@ -18036,22 +19275,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.lazy_static]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "1.4.0" -notes = "I have read over the macros, and audited the unsafe code." -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.lazy_static]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "1.4.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.lazycell]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -18070,6 +19293,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.leak]] +who = "Sotaro Ikeda " +criteria = "safe-to-deploy" +version = "0.1.2" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.leaky-cow]] +who = "Sotaro Ikeda " +criteria = "safe-to-deploy" +version = "0.1.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.leb128]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" 
@@ -18180,6 +19421,46 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.libc]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.2.86" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.libc]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.2.146" +notes = """ +Much like the getrandom crate, this exports interfaces to APIs which perform +crypto, but does not implement any crypto itself. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.libc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.126 -> 0.2.132" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.libc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.132 -> 0.2.138" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.libc]] who = "Dan Gohman " criteria = "safe-to-deploy" 
@@ -18198,98 +19479,79 @@ files in the correspond to match. aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.libc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.2.146 -> 0.2.147" -notes = "Only new type definitions and updating others for some platforms, no major changes" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.libc]] -who = "Alex Crichton " +who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.2.148 -> 0.2.149" -notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.2.138 -> 0.2.139" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.libc]] -who = "Dan Gohman " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "0.2.149 -> 0.2.151" -notes = "More new functions, types, and constants, as is usual for the `libc` crate, as well as various minor code cleanups." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.2.139 -> 0.2.141" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.libc]] -who = "Alex Crichton " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "0.2.151 -> 0.2.153" -notes = "More bindings for more platforms. I have not verified that everything is exactly as-is on the platform as specified but nothing major is otherwise introduced as part of this bump." 
-aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.libc]] -who = "Android Legacy" -criteria = "safe-to-run" -version = "0.2.86" +delta = "0.2.141 -> 0.2.146" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.2.146" -notes = """ -Much like the getrandom crate, this exports interfaces to APIs which perform -crypto, but does not implement any crypto itself. -""" +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-2"] +delta = "0.2.142 -> 0.2.149" +notes = "Audited at https://fxrev.dev/932979" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Alex Crichton " +criteria = "safe-to-deploy" delta = "0.2.146 -> 0.2.147" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +notes = "Only new type definitions and updating others for some platforms, no major changes" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" 
[[audits.libc]] -who = "Daniel Verkamp " +who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.147 -> 0.2.153" +delta = "0.2.146 -> 0.2.147" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-2"] -delta = "0.2.142 -> 0.2.149" -notes = "Audited at https://fxrev.dev/932979" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.147 -> 0.2.148" aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "Ben Saunders " -criteria = "ub-risk-4" -delta = "0.2.150 -> 0.2.153" -notes = "Reviewed in CL 622219230" +who = "Daniel Verkamp " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.147 -> 0.2.153" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "Brandon Pitman " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.139 -> 0.2.141" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "0.2.148 -> 0.2.149" +notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." 
+aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.libc]] who = "Brandon Pitman " 
@@ -18298,49 +19560,50 @@ delta = "0.2.149 -> 0.2.150" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.libc]] -who = "Mike Hommey " +who = "Dan Gohman " criteria = "safe-to-deploy" -delta = "0.2.126 -> 0.2.132" +delta = "0.2.149 -> 0.2.151" +notes = "More new functions, types, and constants, as is usual for the `libc` crate, as well as various minor code cleanups." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.libc]] +who = "Ben Saunders " +criteria = "ub-risk-4" +delta = "0.2.150 -> 0.2.153" +notes = "Reviewed in CL 622219230" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "Mike Hommey " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.132 -> 0.2.138" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.2.151 -> 0.2.153" +notes = "More bindings for more platforms. I have not verified that everything is exactly as-is on the platform as specified but nothing major is otherwise introduced as part of this bump." 
+aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.libc]] -who = "Mike Hommey " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.2.138 -> 0.2.139" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.2.153 -> 0.2.158" +notes = "More platforms, more definitions, more headers, it's still just `libc`" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.libc]] -who = "Mike Hommey " +who = "Alex Franchuk " criteria = "safe-to-deploy" -delta = "0.2.147 -> 0.2.148" +delta = "0.2.154 -> 0.2.158" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.libc]] -who = "Jan-Erik Rediger " +who = "Dan Gohman " criteria = "safe-to-deploy" -delta = "0.2.141 -> 0.2.146" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.2.158 -> 0.2.161" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.libdbus-sys]] who = "ChromeOS Legacy" 
@@ -18379,6 +19642,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.libfuzzer-sys]] +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.libfuzzer-sys]] +who = "Ben Saunders " +criteria = ["ub-risk-1", "does-not-implement-crypto"] +version = "0.4.7" +notes = "Reviewed in CL 564731033" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.libfuzzer-sys]] who = "Nick Fitzgerald " criteria = "safe-to-run" @@ -18393,15 +19675,6 @@ delta = "0.4.4 -> 0.4.5" notes = "I am the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.libfuzzer-sys]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.libfuzzer-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -18411,22 +19684,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.libfuzzer-sys]] -who = "Ben Saunders " -criteria = ["ub-risk-1", "does-not-implement-crypto"] -version = "0.4.7" -notes = "Reviewed in CL 564731033" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.libloading]] -who = "Iceber Gu " -criteria = "safe-to-deploy" -delta = "0.7.3 -> 0.8.1" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.libloading]] who = "Android Legacy" criteria = "safe-to-run" @@ -18455,6 +19712,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.libloading]] +who = "Chia-I Wu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.8.5" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.libloading]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -18464,6 +19730,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.libloading]] +who = "Iceber Gu " +criteria = "safe-to-deploy" +delta = "0.7.3 -> 0.8.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.libloading]] who = "Erich Gubler " criteria = "safe-to-deploy" 
@@ -18473,6 +19745,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.libm]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +version = "0.2.6" +notes = "This crate uses unsafe block, but this doesn't have network and file access. I audited code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.libm]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -18484,6 +19766,15 @@ as expected. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.libm]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.5" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.libm]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -18494,33 +19785,20 @@ updated math algorithms. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.libm]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.2.6" -notes = "This crate uses unsafe block, but this doesn't have network and file access. I audited code." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.libm]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.5" +delta = "0.2.5 -> 0.2.6" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.libm]] -who = "Jack Grigg " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.2.5 -> 0.2.6" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.2.6 -> 0.2.4" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.libm]] who = "Jack Grigg " @@ -18532,12 +19810,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.libm]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.2.6 -> 0.2.4" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.libredox]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -18604,13 +19876,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.libtest-mimic]] -who = "Alex Crichton " -criteria = "safe-to-run" -delta = "0.6.1 -> 0.7.0" -notes = "Only minor changes with new flags and such, no major updates to `unsafe` or anything outside of a test framework." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.libtest-mimic]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -18630,6 +19895,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.libtest-mimic]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.6.1 -> 0.7.0" +notes = "Only minor changes with new flags and such, no major updates to `unsafe` or anything outside of a test framework." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.libusb1-sys]] who = "Benjamin Gordon " criteria = "does-not-implement-crypto" @@ -18860,15 +20132,6 @@ version = "0.3.3" notes = "I am the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.linux-raw-sys]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.13" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.linux-raw-sys]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] 
@@ -18879,6 +20142,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.linux-raw-sys]] +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.13" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.linux-raw-sys]] who = "Brandon Pitman " criteria = "safe-to-run" @@ -18979,13 +20251,13 @@ aggregated-from = [ ] [[audits.lock_api]] -who = "Taylor Cramer " -criteria = "ub-risk-2" -delta = "0.4.9 -> 0.4.10" -notes = "Reviewed in CL 563851550" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.7 -> 0.4.9" +notes = "The unsafe changes fix soundness bugs. The unsafe additions in the new ArcMutexGuard::into_arc method seem fine, but it should probably have used ManuallyDrop instead of mem::forget." aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.lock_api]] 
@@ -18998,21 +20270,21 @@ aggregated-from = [ ] [[audits.lock_api]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-run" -delta = "0.4.11 -> 0.4.12" +who = "Taylor Cramer " +criteria = "ub-risk-2" +delta = "0.4.9 -> 0.4.10" +notes = "Reviewed in CL 563851550" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.lock_api]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.7 -> 0.4.9" -notes = "The unsafe changes fix soundness bugs. The unsafe additions in the new ArcMutexGuard::into_arc method seem fine, but it should probably have used ManuallyDrop instead of mem::forget." +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "0.4.11 -> 0.4.12" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -19026,62 +20298,56 @@ aggregated-from = [ ] [[audits.log]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Mike Hommey " +criteria = "safe-to-deploy" version = "0.4.17" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.log]] -who = "George Burgess IV " +who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.17 -> 0.4.20" +version = "0.4.17" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.log]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.20 -> 0.4.21" -notes = """ -I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. I also skimmed -through the 0.4.20 => 0.4.21 delta and there was no new crypto-related code AFAICT. 
-""" +who = "Ben Saunders " +criteria = ["ub-risk-1", "does-not-implement-crypto"] +version = "0.4.20" +notes = "Reviewed in CL 563853923" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.log]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.21 -> 0.4.22" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +version = "0.4.22" +notes = """ +Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing -[[audits.log]] -who = "Ben Saunders " -criteria = ["ub-risk-1", "does-not-implement-crypto"] -version = "0.4.20" -notes = "Reviewed in CL 563853923" +Unsafety is generally very well-documented, with one exception, which we +describe in the review doc. +""" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.log]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "0.4.17" +delta = "0.4.16 -> 0.4.17" +notes = "I confirmed that the unsafe transmutes are fine; NonZeroU128 and NonZeroI128 are `#[repr(transparent)]` wrappers around u128 and i128 respectively." 
aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.log]] 
@@ -19095,32 +20361,37 @@ aggregated-from = [ ] [[audits.log]] -who = "Kagami Sascha Rosylight " -criteria = "safe-to-deploy" -delta = "0.4.18 -> 0.4.20" -notes = "Only cfg attribute and internal macro changes and module refactorings" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.17 -> 0.4.20" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.log]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.4.16 -> 0.4.17" -notes = "I confirmed that the unsafe transmutes are fine; NonZeroU128 and NonZeroI128 are `#[repr(transparent)]` wrappers around u128 and i128 respectively." 
+delta = "0.4.18 -> 0.4.19" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.log]] -who = "Jack Grigg " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.4.18 -> 0.4.19" +delta = "0.4.18 -> 0.4.20" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.log]] +who = "Kagami Sascha Rosylight " +criteria = "safe-to-deploy" +delta = "0.4.18 -> 0.4.20" +notes = "Only cfg attribute and internal macro changes and module refactorings" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.log]] 
@@ -19142,9 +20413,38 @@ aggregated-from = [ ] [[audits.log]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.20 -> 0.4.21" +notes = """ +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. I also skimmed +through the 0.4.20 => 0.4.21 delta and there was no new crypto-related code AFAICT. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.log]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.20 -> 0.4.22" +notes = "Mostly updates around the key-value implementation of this crate, but nothing out of place." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.log]] +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.21 -> 0.4.22" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.log-panics]] who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.4.18 -> 0.4.20" +version = "2.0.0" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.log-panics]] @@ -19156,12 +20456,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.log-panics]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "2.0.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.loom]] who = "David Koloski " criteria = "safe-to-run" 
@@ -19212,13 +20506,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.mach2]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -delta = "0.4.1 -> 0.4.2" -notes = "It does unsafe FFI bindings, as expected. I didn't check the FFI bindings against the C headers." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.mach2]] who = "Gabriele Svelto " criteria = "safe-to-deploy" @@ -19228,6 +20515,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.mach2]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.4.2" +notes = "It does unsafe FFI bindings, as expected. I didn't check the FFI bindings against the C headers." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.macro_rules_attribute]] who = "Conrad Ludgate " criteria = "safe-to-run" 
@@ -19351,22 +20645,22 @@ aggregated-from = [ ] [[audits.md-5]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-1"] +who = "Dana Keeler " +criteria = "safe-to-deploy" version = "0.10.5" -notes = "Reviewed on https://fxrev.dev/712372." aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.md-5]] -who = "Dana Keeler " -criteria = "safe-to-deploy" +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-1"] version = "0.10.5" +notes = "Reviewed on https://fxrev.dev/712372." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.memchr]] 
@@ -19396,24 +20690,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.memchr]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "2.7.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.memchr]] -who = "Dustin J. Mitchell " -criteria = "does-not-implement-crypto" -delta = "2.7.2 -> 2.7.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.memchr]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] @@ -19428,12 +20704,12 @@ aggregated-from = [ ] [[audits.memchr]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "2.7.2 -> 2.7.4" +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "2.7.2" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.memchr]] 
@@ -19468,6 +20744,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.memchr]] +who = "Dustin J. Mitchell " +criteria = "does-not-implement-crypto" +delta = "2.7.2 -> 2.7.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.memchr]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.7.2 -> 2.7.4" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.memfd]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -19566,20 +20860,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.memoffset]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.7.1 -> 0.8.0" -notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.memoffset]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.8.0 -> 0.9.0" -notes = "No major changes in the crate, mostly updates to use new nightly Rust features." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.memoffset]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -19590,50 +20870,55 @@ aggregated-from = [ ] [[audits.memoffset]] -who = "Dennis Kempin " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.6.5 -> 0.7.1" +who = "Taylor Cramer " +criteria = "ub-risk-3" +version = "0.9.0" +notes = "Reviewed in CL 555491937" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.memoffset]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.7.1 -> 0.8.0" +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +delta = "0.6.5 -> 0.7.1" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.memoffset]] -who = "George Burgess IV " +who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.8.0 -> 0.9.0" +delta = "0.6.5 -> 0.7.1" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.memoffset]] -who = "Taylor Cramer " -criteria = "ub-risk-3" -version = "0.9.0" -notes = "Reviewed in CL 555491937" +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes." 
+aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.memoffset]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.7.1 -> 0.8.0" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.memoffset]] -who = "Gabriele Svelto " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.6.5 -> 0.7.1" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.8.0 -> 0.9.0" +notes = "No major changes in the crate, mostly updates to use new nightly Rust features." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.memoffset]] who = "Gabriele Svelto " @@ -19658,6 +20943,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.memoffset]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.8.0 -> 0.9.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.memory_units]] who = "Alex Crichton " criteria = "safe-to-run" 
@@ -20019,6 +21313,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.minidump-writer]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.8.9 -> 0.10.1" +notes = "Crate written and reviewed by mozilla employees." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.minifier]] who = "Manish Goregaokar " criteria = "ub-risk-4" @@ -20047,6 +21351,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.miniz_oxide]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.2" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.miniz_oxide]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -20062,6 +21375,34 @@ compression-related issues. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.miniz_oxide]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +version = "0.7.4" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits, except for some mentions of "unsafe" in the `README.md` +and in a comment in `src/deflate/core.rs`. The comment discusses whether a +function should be treated as unsafe, but there is no actual `unsafe` code, so +the crate meets the `ub-risk-0` criteria. + +Note that some additional, internal notes about an older version of this crate +can be found at go/image-crate-chromium-security-review. +''' +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.miniz_oxide]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.4 -> 0.3.7" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.miniz_oxide]] who = "Alex Crichton " criteria = "safe-to-run" 
@@ -20074,18 +21415,18 @@ changes. aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.miniz_oxide]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.6.2" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.3 -> 0.6.2" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.4 -> 0.3.7" +delta = "0.5.4 -> 0.4.4" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -20094,7 +21435,7 @@ aggregated-from = [ [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.5.4 -> 0.4.4" +delta = "0.6.2 -> 0.5.4" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", 
@@ -20103,34 +21444,42 @@ aggregated-from = [ [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.6.2 -> 0.5.4" +delta = "0.6.2 -> 0.7.1" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.miniz_oxide]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.6.2 -> 0.7.1" +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.7.2" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "Minor updates, using new Rust features like `const`, no major changes." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.miniz_oxide]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -version = "0.7.4" +delta = "0.7.4 -> 0.8.0" notes = ''' -Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` -and there were no hits, except for some mentions of "unsafe" in the `README.md` -and in a comment in `src/deflate/core.rs`. The comment discusses whether a -function should be treated as unsafe, but there is no actual `unsafe` code, so -the crate meets the `ub-risk-0` criteria. 
+This delta audit has been reviewed in https://crrev.com/c/5811890 -Note that some additional, internal notes about an older version of this crate -can be found at go/image-crate-chromium-security-review. +The delta can be inspected at https://diff.rs/miniz_oxide/0.7.4/0.8.0 +and is fairly small (changes related to `const fn` and to `adler2` +switch). + +I've grepped for `-i cipher`, `-i crypto`, `\bfs\b`, `\bnet\b`, and +`\bunsafe\b`. There were no hits (except for comments in `core.rs` +and in `Readme.md`). ''' aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", @@ -20138,22 +21487,11 @@ aggregated-from = [ ] [[audits.miniz_oxide]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.5.3 -> 0.6.2" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.miniz_oxide]] -who = "Daira-Emma Hopwood " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.7.1 -> 0.7.2" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.8.0 -> 0.7.4" +notes = "Very few changes here, only minor updates here and there." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.minreq]] who = "Daira-Emma Hopwood " 
@@ -20179,13 +21517,6 @@ criteria = "safe-to-deploy" version = "0.1.1" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.mio]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.8.6 -> 0.8.8" -notes = "Mostly OS portability updates along with some minor bugfixes." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.mio]] who = "Android Legacy" criteria = "safe-to-run" @@ -20213,16 +21544,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.mio]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-2"] -delta = "0.8.5 -> 0.8.9" -notes = "Audited at https://fxrev.dev/946305" -aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.mio]] who = "Bobby Holley " criteria = "safe-to-run" @@ -20241,15 +21562,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.mio]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.8.8 -> 1.0.1" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -20298,6 +21610,23 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.mio]] +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-2"] +delta = "0.8.5 -> 0.8.9" +notes = "Audited at https://fxrev.dev/946305" +aggregated-from = [ + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.mio]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.8.6 -> 0.8.8" +notes = "Mostly OS portability updates along with some minor bugfixes." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -20307,6 +21636,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.mio]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.8.8 -> 1.0.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.mio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -20504,6 +21842,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.naga]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "22.0.0 -> 23.0.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.nalgebra]] who = "Brandon Pitman " criteria = "safe-to-run" 
@@ -20678,38 +22025,12 @@ aggregated-from = [ ] [[audits.nix]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.23.1 -> 0.23.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.nix]] -who = "Dennis Kempin " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.25.0 -> 0.26.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.nix]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.26.2 -> 0.27.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.nix]] -who = "Daniel Verkamp " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.27.1 -> 0.28.0" +who = "Taylor Cramer " +criteria = "ub-risk-2" +version = "0.26.2" +notes = "Reviewed in CL 552861153" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] 
@@ -20736,29 +22057,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.nix]] -who = "Manish Goregaokar " -criteria = "ub-risk-3" -delta = "0.26.1 -> 0.28.0" -notes = """ -Reviewed in CL 622222105 -(The rating differs from the previous once since I feel that the crate needs much more safety comments) -""" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.nix]] -who = "Taylor Cramer " -criteria = "ub-risk-2" -version = "0.26.2" -notes = "Reviewed in CL 552861153" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.nix]] who = "Gabriele Svelto " criteria = "safe-to-deploy" 
@@ -20770,40 +22068,36 @@ aggregated-from = [ ] [[audits.nix]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.25.0 -> 0.25.1" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.23.1 -> 0.23.2" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.nix]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.25.1 -> 0.26.2" +delta = "0.25.0 -> 0.25.1" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.nix]] -who = "Gabriele Svelto " -criteria = "safe-to-deploy" -delta = "0.26.2 -> 0.27.1" +who = "Dennis Kempin " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.25.0 -> 0.26.2" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.nix]] -who = "Alex Franchuk " +who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.27.1 -> 0.28.0" -notes = """ -Many new features and bugfixes. Obviously there's a lot of unsafe code calling -libc, but the usage looks correct. -""" +delta = "0.25.1 -> 0.26.2" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", 
@@ -20819,6 +22113,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.nix]] +who = "Manish Goregaokar " +criteria = "ub-risk-3" +delta = "0.26.1 -> 0.28.0" +notes = """ +Reviewed in CL 622222105 +(The rating differs from the previous once since I feel that the crate needs much more safety comments) +""" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.nix]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -20836,6 +22143,55 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.nix]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +delta = "0.26.2 -> 0.27.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.nix]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.26.2 -> 0.27.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.nix]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.27.1 -> 0.28.0" +notes = """ +Many new features and bugfixes. Obviously there's a lot of unsafe code calling +libc, but the usage looks correct. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.nix]] +who = "Daniel Verkamp " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.27.1 -> 0.28.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.nix]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.28.0 -> 0.29.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.no-std-compat]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -20986,12 +22342,6 @@ criteria = "safe-to-deploy" delta = "0.4.0 -> 0.2.1" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.num-bigint]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.4.3 -> 0.4.4" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.num-bigint]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -21012,6 +22362,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.num-bigint]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.4.3 -> 0.4.4" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.num-bigint]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -21045,15 +22401,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.num-complex]] -who = "Li-Yu Yu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.4 -> 0.4.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.num-complex]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -21064,6 +22411,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.num-complex]] +who = "Li-Yu Yu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.4 -> 0.4.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.num-conv]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -21095,15 +22451,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.num-derive]] -who = "Android Legacy" -criteria = "safe-to-run" -version = "0.3.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.num-derive]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -21114,6 +22461,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.num-derive]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.3.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.num-derive]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -21132,12 +22488,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.num-integer]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.1.45 -> 0.1.46" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.num-integer]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -21158,6 +22508,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.num-integer]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.1.45 -> 0.1.46" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.num-iter]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] 
@@ -21167,6 +22523,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.num-iter]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.1.43" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.num-iter]] who = "George Burgess IV " criteria = "ub-risk-0" @@ -21189,16 +22555,6 @@ criteria = "safe-to-deploy" delta = "0.1.44 -> 0.1.45" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.num-iter]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "0.1.43" -notes = "All code written or reviewed by Josh Stone." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.num-macros]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -21209,12 +22565,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.num-rational]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "0.4.1 -> 0.4.2" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.num-rational]] who = "Josh Stone " criteria = "safe-to-deploy" 
@@ -21225,12 +22575,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.num-traits]] -who = "Andrew Brown " +[[audits.num-rational]] +who = "Brandon Pitman " criteria = "safe-to-deploy" -version = "0.2.19" -notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.4.1 -> 0.4.2" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.num-traits]] who = "Android Legacy" 
@@ -21242,29 +22591,46 @@ aggregated-from = [ ] [[audits.num-traits]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Josh Stone " +criteria = "safe-to-deploy" version = "0.2.15" +notes = "All code written or reviewed by Josh Stone." aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.num-traits]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.15 -> 0.2.16" +version = "0.2.15" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.num-traits]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.2.19" +notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." 
+aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.num-traits]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.2.15 -> 0.2.16" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.num-traits]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.15 -> 0.2.16" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.num-traits]] who = "Ameer Ghani " criteria = "safe-to-deploy" @@ -21283,23 +22649,6 @@ criteria = "safe-to-deploy" delta = "0.2.18 -> 0.2.19" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.num-traits]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "0.2.15" -notes = "All code written or reviewed by Josh Stone." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.num_cpus]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.15.0 -> 1.16.0" -notes = "Some minor platform updates but no major change to any code." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.num_cpus]] who = "George Burgess IV " criteria = "does-not-implement-crypto" 
@@ -21328,23 +22677,30 @@ aggregated-from = [ ] [[audits.num_cpus]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.0" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.num_cpus]] -who = "Jack Grigg " +who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.0" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.num_cpus]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.15.0 -> 1.16.0" +notes = "Some minor platform updates but no major change to any code." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.num_cpus]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -21384,6 +22740,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.num_enum_derive]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.5.7" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.num_enum_derive]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -21404,15 +22769,6 @@ criteria = "safe-to-deploy" delta = "0.6.1 -> 0.7.0" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.num_enum_derive]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.5.7" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.num_enum_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -21470,46 +22826,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.object]] -who = "Chris Fallin " -criteria = "safe-to-deploy" -delta = "0.29.0 -> 0.30.1" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.object]] -who = "Jamey Sharp " -criteria = "safe-to-deploy" -delta = "0.30.1 -> 0.30.3" -notes = """ -No unsafe blocks or I/O in the diff. The only changes clearly implement what -the changelog says is new in these versions. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.object]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.30.3 -> 0.31.1" -notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.object]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.31.1 -> 0.32.0" -notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.object]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.32.0 -> 0.33.0" -notes = """ -No `unsafe` code in this update. Lots of changes but all -object-file-format-related, everything looks good. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.object]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -21520,33 +22836,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.object]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.30.3 -> 0.30.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.object]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.30.3 -> 0.31.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.object]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.31.1 -> 0.32.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.object]] who = "Manish Goregaokar " criteria = "ub-risk-1" @@ -21566,6 +22855,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.object]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "0.29.0 -> 0.30.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.object]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -21584,6 +22879,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.object]] +who = "Jamey Sharp " +criteria = "safe-to-deploy" +delta = "0.30.1 -> 0.30.3" +notes = """ +No unsafe blocks or I/O in the diff. The only changes clearly implement what +the changelog says is new in these versions. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.object]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -21602,6 +22907,47 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.object]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.30.3 -> 0.30.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.object]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.30.3 -> 0.31.1" +notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.object]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.30.3 -> 0.31.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.object]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.31.1 -> 0.32.0" +notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good." 
+aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.object]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.31.1 -> 0.32.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.object]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -21611,6 +22957,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.object]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.32.0 -> 0.33.0" +notes = """ +No `unsafe` code in this update. Lots of changes but all +object-file-format-related, everything looks good. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.object]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -21620,6 +22976,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.object]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.33.0 -> 0.36.4" +notes = "Hardly any new unsafe code, no new dependencies nor side-effectful std functions. Plenty of new tests." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.ogg]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -21627,12 +22993,6 @@ version = "0.9.0" notes = "No unsafe usage (forbidden) or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.once_cell]] -who = "Chris Fallin " -criteria = "safe-to-deploy" -delta = "1.16.0 -> 1.17.0" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.once_cell]] who = "crosvm" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -21652,12 +23012,21 @@ aggregated-from = [ ] [[audits.once_cell]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.17.0 -> 1.18.0" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.12.0 -> 1.13.1" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.13.1 -> 1.16.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.once_cell]] 
@@ -21677,12 +23046,49 @@ Options. The new implementation based on critical_section appears to be sound. """ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.once_cell]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "1.16.0 -> 1.17.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.once_cell]] who = "David Cook " criteria = "safe-to-deploy" delta = "1.16.0 -> 1.17.0" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.16.0 -> 1.17.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.once_cell]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.17.0 -> 1.17.1" +notes = """ +Small refactor that reduces the overall amount of `unsafe` code. The new strict provenance +approach looks reasonable. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.once_cell]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.17.0 -> 1.18.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.once_cell]] who = "Brandon Pitman " criteria = "safe-to-deploy" 
@@ -21702,45 +23108,21 @@ delta = "1.18.0 -> 1.19.0" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.once_cell]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.12.0 -> 1.13.1" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.once_cell]] -who = "Mike Hommey " +who = "David Cook " criteria = "safe-to-deploy" -delta = "1.13.1 -> 1.16.0" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "1.19.0 -> 1.20.1" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.once_cell]] -who = "Mike Hommey " +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "1.16.0 -> 1.17.1" +delta = "1.20.1 -> 1.20.2" +notes = "This update works around a Cargo bug that forces the addition of `portable-atomic` into a lockfile, which we have never needed to use." aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.once_cell]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.17.0 -> 1.17.1" -notes = """ -Small refactor that reduces the overall amount of `unsafe` code. The new strict provenance -approach looks reasonable. -""" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.oneshot]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" 
@@ -21805,6 +23187,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.opaque-debug]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.3.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.opaque-debug]] who = "David Cook " criteria = "safe-to-deploy" @@ -21820,12 +23208,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.opaque-debug]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.3.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.open-enum]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -21844,12 +23226,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.openssl-macros]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.1.0" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.openssl-macros]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] @@ -21859,6 +23235,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.openssl-macros]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.openssl-macros]] who = "George Burgess IV " criteria = "ub-risk-0" 
@@ -21922,6 +23304,13 @@ criteria = "safe-to-deploy" delta = "0.6.0 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.openvino]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.8.0" +notes = "No new unsafe functionality, just brings in openvino-sys changes and other minor improvements." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.openvino-finder]] who = "Matthew Tamayo-Rios " criteria = "safe-to-deploy" @@ -21949,6 +23338,13 @@ criteria = "safe-to-deploy" delta = "0.6.0 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.openvino-finder]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.8.0" +notes = "No logic changes in version bump." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.openvino-sys]] who = "Matthew Tamayo-Rios " criteria = "safe-to-deploy" @@ -21976,6 +23372,13 @@ criteria = "safe-to-deploy" delta = "0.6.0 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.openvino-sys]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.8.0" +notes = "This diff simply re-generates slightly newer C headers with a slightly newer version of bindgen." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.ordered-float]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -22047,15 +23450,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.os_str_bytes]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "6.4.1 -> 6.5.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.os_str_bytes]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -22074,6 +23468,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.os_str_bytes]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "6.4.1 -> 6.5.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.overload]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -22282,6 +23685,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.parking_lot]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.11.2 -> 0.12.1" +notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.parking_lot]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -22309,16 +23722,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.parking_lot]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.11.2 -> 0.12.1" -notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.parking_lot_core]] who = "Android Legacy" criteria = "safe-to-run" @@ -22337,15 +23740,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.parking_lot_core]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-run" -delta = "0.9.9 -> 0.9.10" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.parking_lot_core]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -22373,6 +23767,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.parking_lot_core]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "0.9.9 -> 0.9.10" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.parquet]] +who = "Manish Goregaokar " +criteria = "ub-risk-4" +version = "51.0.0" +notes = "Reviewed in CL 642798209" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.password-hash]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] @@ -22454,6 +23867,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.pbkdf2]] +who = "Jack Grigg " +criteria = ["safe-to-deploy", "crypto-reviewed"] +delta = "0.9.0 -> 0.10.1" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.pbkdf2]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] 
@@ -22463,12 +23885,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.pbkdf2]] -who = "Jack Grigg " -criteria = ["safe-to-deploy", "crypto-reviewed"] -delta = "0.9.0 -> 0.10.1" +[[audits.pczt]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +version = "0.0.0" +notes = "Initial empty crate release." aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -22492,13 +23915,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.peeking_take_while]] -who = "Nick Fitzgerald " -criteria = "safe-to-deploy" -version = "1.0.0" -notes = "I am the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.peeking_take_while]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -22517,6 +23933,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.peeking_take_while]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.peeking_take_while]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -22527,6 +23950,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.percent-encoding]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "2.1.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.percent-encoding]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -22548,13 +23977,10 @@ aggregated-from = [ ] [[audits.percent-encoding]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.2.0 -> 2.3.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.3.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.percent-encoding]] who = "Valentin Gosu " @@ -22565,6 +23991,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.percent-encoding]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.2.0 -> 2.3.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.percent-encoding]] who = "Valentin Gosu " criteria = "safe-to-deploy" @@ -22574,18 +24009,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.percent-encoding]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "2.1.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.percent-encoding]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "2.1.0 -> 2.3.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.perf-event-open-sys]] who = "Taylor Cramer " criteria = "ub-risk-2" 
@@ -22642,15 +24065,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.petgraph]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.6.2" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.petgraph]] who = "Taylor Cramer " criteria = "ub-risk-3" @@ -22666,13 +24080,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.phf]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.10.1 -> 0.11.2" +[[audits.petgraph]] +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.2" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.phf]] 
@@ -22689,43 +24103,34 @@ aggregated-from = [ ] [[audits.phf]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.11.1 -> 0.11.2" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.phf_codegen]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.10.0 -> 0.11.2" +delta = "0.10.1 -> 0.11.2" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.phf_codegen]] -who = "Jack Grigg " +[[audits.phf]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.8.0 -> 0.11.1" -notes = "New codegen and changes to existing codegen look fine." +delta = "0.11.1 -> 0.11.2" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.phf_codegen]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.11.1 -> 0.11.2" +delta = "0.8.0 -> 0.11.1" +notes = "New codegen and changes to existing codegen look fine." aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.phf_generator]] +[[audits.phf_codegen]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.2" 
@@ -22734,26 +24139,26 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.phf_generator]] -who = "Jack Grigg " +[[audits.phf_codegen]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.8.0 -> 0.11.1" -notes = "Just dependency and edition bumps and code formatting." +delta = "0.11.1 -> 0.11.2" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.phf_generator]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.11.1 -> 0.11.2" +delta = "0.8.0 -> 0.11.1" +notes = "Just dependency and edition bumps and code formatting." aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.phf_macros]] +[[audits.phf_generator]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.2" @@ -22762,7 +24167,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.phf_shared]] +[[audits.phf_generator]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.11.1 -> 0.11.2" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.phf_macros]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.2" 
@@ -22785,6 +24199,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.phf_shared]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.11.2" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -22866,13 +24289,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.pin-project-lite]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.2.13 -> 0.2.14" -notes = "No substantive changes in this update" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.pin-project-lite]] who = "Android Legacy" criteria = "safe-to-run" @@ -22901,6 +24317,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.pin-project-lite]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.pin-project-lite]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] 
@@ -22912,30 +24337,28 @@ aggregated-from = [ ] [[audits.pin-project-lite]] -who = "Mike Hommey " +who = "Alex Crichton " criteria = "safe-to-deploy" delta = "0.2.13 -> 0.2.14" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +notes = "No substantive changes in this update" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.pin-project-lite]] -who = "Jack Grigg " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "0.2.9 -> 0.2.13" +delta = "0.2.13 -> 0.2.14" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.pin-project-lite]] -who = "Daira-Emma Hopwood " +who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.2.13 -> 0.2.14" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.pin-utils]] 
@@ -23010,16 +24433,6 @@ version = "0.3.25" notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.pkg-config]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.29" -notes = """ -No `unsafe` additions or anything outside of the purview of the crate in this -change. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.pkg-config]] who = "Alexandre Courbot " criteria = "does-not-implement-crypto" @@ -23047,6 +24460,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.pkg-config]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.3.26 -> 0.3.27" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.pkg-config]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.3.26 -> 0.3.29" +notes = """ +No `unsafe` additions or anything outside of the purview of the crate in this +change. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.pkg-config]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -23056,12 +24485,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.pkg-config]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.3.26 -> 0.3.27" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.plane-split]] who = "Nicolas Silva " criteria = "safe-to-deploy" 
@@ -23161,6 +24584,61 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.png]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.17.13 -> 0.17.14" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.polars]] +who = "Manish Goregaokar " +criteria = "ub-risk-0" +version = "0.38.3" +notes = """ +Reviewed in CL 645917709 +No unsafe code outside of tests. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.polars-io]] +who = "Manish Goregaokar " +criteria = "ub-risk-4" +version = "0.38.3" +notes = """ +Reviewed in CL 645900171 +No actual unsoundness was found, however this crate was rather hard to review, with a lot of usages of unsafe in the CSV parser that seemed gratuitous, and uncommented. Rating can be lowered when someone can find the time to review this. 
+""" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.polars-row]] +who = "Augie Fackler " +criteria = "ub-risk-3" +version = "0.38.3" +notes = "Reviewed in CL 644011025" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.polars-utils]] +who = "Augie Fackler " +criteria = ["ub-risk-2", "does-not-implement-crypto"] +version = "0.38.3" +notes = "Reviewed in CL 636679479" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.pollster]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -23208,16 +24686,6 @@ version = "0.2.5" notes = "No unsafe usage or ambient capabilities. Only type definitions & conversions" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.powerfmt]] -who = "Taylor Cramer " -criteria = "ub-risk-1" -version = "0.2.0" -notes = "Reviewed in CL 578897702" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.powerfmt]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -23231,6 +24699,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.powerfmt]] +who = "Taylor Cramer " +criteria = "ub-risk-1" +version = "0.2.0" +notes = "Reviewed in CL 578897702" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.ppv-lite86]] who = "Android Legacy" criteria = "safe-to-run" @@ -23263,6 +24741,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.ppv-lite86]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.17 -> 0.2.20" +notes = "Using zerocopy to reduce unsafe usage." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.precomputed-hash]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -23459,6 +24947,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro-error-attr]] +who = "David Cook " +criteria = "safe-to-run" +version = "1.0.4" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.proc-macro-error-attr]] who = "George Burgess IV " criteria = "ub-risk-0" @@ -23469,12 +24963,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.proc-macro-error-attr]] -who = "David Cook " -criteria = "safe-to-run" -version = "1.0.4" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.proc-macro-hack]] who = "George Burgess IV " criteria = "does-not-implement-crypto" 
@@ -23530,22 +25018,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.proc-macro2]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "1.0.51 -> 1.0.57" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.proc-macro2]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.0.59 -> 1.0.63" -notes = """ -This is a routine update for new nightly features and new syntax popping up on -nightly, nothing out of the ordinary. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.proc-macro2]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -23564,6 +25036,39 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.0.39" +notes = """ +`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided +`proc_macro` crate, or as a fallback implementation of the crate, depending on +where it is used. + +If using this crate on older versions of rustc (1.56 and earlier), it will +temporarily replace the panic handler while initializing in order to detect if +it is running within a `proc_macro`, which could lead to surprising behaviour. +This should not be an issue for more recent compiler versions, which support +`proc_macro::is_available()`. + +The `proc-macro2` crate's fallback behaviour is not identical to the complex +behaviour of the rustc compiler (e.g. it does not perform unicode normalization +for identifiers), however it behaves well enough for its intended use-case +(tests and scripts processing rust code). + +`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to +allow bypassing checks in the fallback implementation when constructing +`Literal` using `from_str_unchecked`. This was intended to only be used by the +`quote!` macro, however it has been removed +(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078), +and is likely completely unused. Even when used, this API shouldn't be able to +cause unsoundness. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.proc-macro2]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -23573,6 +25078,21 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +version = "1.0.78" +notes = """ +Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits +(except for a benign \"fs\" hit in a doc comment) + +Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.proc-macro2]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -23582,6 +25102,57 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Daira Hopwood " +criteria = "safe-to-deploy" +delta = "1.0.37 -> 1.0.41" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.39 -> 1.0.43" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.49" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.proc-macro2]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.0.49 -> 1.0.47" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.49 -> 1.0.51" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.49 -> 1.0.51" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.proc-macro2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -23591,6 +25162,36 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.51 -> 1.0.52" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.proc-macro2]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "1.0.51 -> 1.0.57" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.proc-macro2]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.52 -> 1.0.54" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.54 -> 1.0.56" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.proc-macro2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -23600,6 +25201,35 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.57 -> 1.0.59" +notes = "Enabled on Wasm" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.59 -> 1.0.60" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.proc-macro2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.59 -> 1.0.63" +notes = """ +This is a routine update for new nightly features and new syntax popping up on +nightly, nothing out of the ordinary. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.proc-macro2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -23609,6 +25239,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.66" +notes = "Removed special support for some really old Rust versions" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.66 -> 1.0.67" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.proc-macro2]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -23619,18 +25268,12 @@ aggregated-from = [ ] [[audits.proc-macro2]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -version = "1.0.78" -notes = """ -Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits -(except for a benign \"fs\" hit in a doc comment) - -Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. -""" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.67 -> 1.0.70" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.proc-macro2]] 
@@ -23656,6 +25299,34 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.70 -> 1.0.71" +notes = """ +New `unsafe` blocks are all inside `unsafe fn`s, and are added to make the +safety contracts in the code clearer (instead of using the `unsafe fn`'s +implicit `unsafe` block). +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.proc-macro2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.71 -> 1.0.74" +notes = """ +Build script changes are to replace `RUSTFLAGS` string parsing with a probe file +that is compiled with whatever `RUSTC` is set to (but the build script already +relies on the `RUSTC` environment variable for inspecting the compiler version). +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.proc-macro2]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] @@ -23674,6 +25345,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.79 -> 1.0.86" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.proc-macro2]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 
@@ -23684,6 +25364,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.proc-macro2]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.0.81 -> 1.0.82" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.proc-macro2]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 
@@ -23739,195 +25428,36 @@ aggregated-from = [ ] [[audits.proc-macro2]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "1.0.49 -> 1.0.47" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.proc-macro2]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.52 -> 1.0.54" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.proc-macro2]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "1.0.39" -notes = """ -`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided -`proc_macro` crate, or as a fallback implementation of the crate, depending on -where it is used. - -If using this crate on older versions of rustc (1.56 and earlier), it will -temporarily replace the panic handler while initializing in order to detect if -it is running within a `proc_macro`, which could lead to surprising behaviour. -This should not be an issue for more recent compiler versions, which support -`proc_macro::is_available()`. - -The `proc-macro2` crate's fallback behaviour is not identical to the complex -behaviour of the rustc compiler (e.g. it does not perform unicode normalization -for identifiers), however it behaves well enough for its intended use-case -(tests and scripts processing rust code). - -`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to -allow bypassing checks in the fallback implementation when constructing -`Literal` using `from_str_unchecked`. This was intended to only be used by the -`quote!` macro, however it has been removed -(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078), -and is likely completely unused. Even when used, this API shouldn't be able to -cause unsoundness. 
-""" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.proc-macro2]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.39 -> 1.0.43" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.proc-macro2]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.43 -> 1.0.49" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.proc-macro2]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.49 -> 1.0.51" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.57 -> 1.0.59" -notes = "Enabled on Wasm" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.63 -> 1.0.66" -notes = "Removed special support for some really old Rust versions" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.proc-macro2]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.81 -> 1.0.82" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.37 -> 1.0.41" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.49 -> 1.0.51" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.51 -> 1.0.52" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.54 -> 1.0.56" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.59 -> 1.0.60" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.66 -> 1.0.67" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - -[[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" 
-delta = "1.0.67 -> 1.0.70" +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.86 -> 1.0.87" +notes = "No new unsafe interactions." aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.proc-macro2]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.70 -> 1.0.71" +who = "Liza Burakova ", @@ -25113,6 +26698,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rayon]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.5.3 -> 1.6.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.rayon]] who = "Brandon Pitman " criteria = "safe-to-deploy" 
@@ -25143,30 +26737,39 @@ criteria = "safe-to-deploy" delta = "1.9.0 -> 1.10.0" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.rayon]] +[[audits.rayon-core]] who = "Josh Stone " criteria = "safe-to-deploy" -version = "1.5.3" +version = "1.9.3" notes = "All code written or reviewed by Josh Stone or Niko Matsakis." aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.rayon]] +[[audits.rayon-core]] +who = "Ameer Ghani " +criteria = "safe-to-deploy" +version = "1.12.1" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.rayon-core]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "1.5.3 -> 1.6.1" +delta = "1.9.3 -> 1.10.1" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.rayon-core]] -who = "Ameer Ghani " +who = "Mike Hommey " criteria = "safe-to-deploy" -version = "1.12.1" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.10.1 -> 1.10.2" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.rayon-core]] who = "Brandon Pitman " 
@@ -25186,32 +26789,14 @@ criteria = "safe-to-deploy" delta = "1.11.0 -> 1.12.0" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.rayon-core]] -who = "Josh Stone " -criteria = "safe-to-deploy" -version = "1.9.3" -notes = "All code written or reviewed by Josh Stone or Niko Matsakis." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.rayon-core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.9.3 -> 1.10.1" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.rayon-core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.10.1 -> 1.10.2" +[[audits.read-fonts]] +who = "Taylor Cramer " +criteria = "ub-risk-1" +version = "0.15.6" +notes = "Reviewed in CL 611302616" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.read-fonts]] @@ -25265,7 +26850,7 @@ aggregated-from = [ [[audits.read-fonts]] who = "Dominik Röttsches " -criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-0"] +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.3 -> 0.20.0" notes = """ Contains changes for: 
@@ -25282,12 +26867,51 @@ aggregated-from = [ ] [[audits.read-fonts]] -who = "Taylor Cramer " -criteria = "ub-risk-1" -version = "0.15.6" -notes = "Reviewed in CL 611302616" +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.20.0 -> 0.22.0" +notes = "Changes for incremental font transfer, Ankr, Feat tables, and support for getting access to the SVG document from the SVG table, as well as Avar2." aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.read-fonts]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.22.0 -> 0.22.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.read-fonts]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.22.1 -> 0.22.3" +notes = "Support for the hdmx table, inlining optimizations. Crate has no unsafe code." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.read-fonts]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.22.3 -> 0.23.0" +notes = "More lenient parsing of CFF fonts with invalid BlueValues, incremental font transfer implementation of glyph keyed patching. No unsafe code in crate." 
+aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.read-fonts]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.23.0 -> 0.23.2" +notes = "Some IFT changes, and better compatibility with empty PrivateDict in CFF." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] @@ -25479,15 +27103,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.regex]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.10.4" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.regex]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -25503,40 +27118,11 @@ aggregated-from = [ ] [[audits.regex]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.10.2 -> 1.10.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.regex]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.10.3 -> 1.10.4" -notes = "Docs changes only." -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.regex]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.10.4 -> 1.10.5" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.regex]] -who = "Lukasz Anforowicz " +who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.10.5 -> 1.10.6" -notes = "The delta has minimal changes in `pattern.rs`." +version = "1.10.4" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] 
@@ -25559,21 +27145,21 @@ aggregated-from = [ ] [[audits.regex]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.7.0 -> 1.7.1" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.regex]] -who = "Jack Grigg " +who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.7.0 -> 1.7.1" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.regex]] @@ -25594,6 +27180,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.regex]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.10.2 -> 1.10.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.regex]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -25603,6 +27198,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.regex]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.10.3 -> 1.10.4" +notes = "Docs changes only." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.regex]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -25612,64 +27217,64 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.regex-automata]] -who = "Ying Hsu " +[[audits.regex]] +who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.6" +delta = "1.10.4 -> 1.10.5" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.regex-automata]] -who = "danakj@chromium.org" +[[audits.regex]] +who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.3" -notes = """ -Reviewed in https://crrev.com/c/5171063 - -Previously reviewed during security review and the audit is grandparented in. -""" +delta = "1.10.5 -> 1.10.6" +notes = "The delta has minimal changes in `pattern.rs`." 
aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.regex-automata]] +[[audits.regex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.3 -> 0.4.5" +delta = "1.10.6 -> 1.11.0" aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.regex-automata]] -who = "danakj " +[[audits.regex]] +who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.5 -> 0.4.6" -notes = "Reviewed in https://crrev.com/c/5362200" +delta = "1.11.0 -> 1.11.1" aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.regex-automata]] -who = "Adrian Taylor " +who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.4.6 -> 0.4.7" +version = "0.4.3" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. 
+""" aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.regex-automata]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.6 -> 0.4.7" +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.6" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.regex-automata]] @@ -25685,6 +27290,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.regex-automata]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.3 -> 0.4.5" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.regex-automata]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -25694,19 +27308,47 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.regex-syntax]] -who = "Android Legacy" -criteria = "safe-to-run" -version = "0.6.25" +[[audits.regex-automata]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.5 -> 0.4.6" +notes = "Reviewed in https://crrev.com/c/5362200" aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.regex-syntax]] -who = "Ying Hsu " +[[audits.regex-automata]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.6 -> 0.4.7" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.regex-automata]] +who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.8.3" +delta = "0.4.6 -> 0.4.7" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.regex-automata]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.7 -> 0.4.8" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.regex-syntax]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.6.25" aggregated-from = [ 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -25727,20 +27369,11 @@ aggregated-from = [ ] [[audits.regex-syntax]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.8.2 -> 0.8.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.regex-syntax]] -who = "Adrian Taylor " +who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.8.3 -> 0.8.4" +version = "0.8.3" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] @@ -25762,15 +27395,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.regex-syntax]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.8.3 -> 0.8.4" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.regex-syntax]] who = "Sean Bowe " criteria = "safe-to-deploy" 
@@ -25807,6 +27431,42 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.regex-syntax]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.8.2 -> 0.8.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.regex-syntax]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.8.3 -> 0.8.4" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.regex-syntax]] +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.8.3 -> 0.8.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.regex-syntax]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.8.4 -> 0.8.5" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.regex_automata]] who = "Taylor Cramer " criteria = "ub-risk-1" 
@@ -25817,6 +27477,34 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.region]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.2.0 -> 3.0.2" +notes = """ +This release brings a number of refactorings and new platforms to be supported +in the crate. Lots of `unsafe` code because that's what the crate is +fundamentally doing, managing virtual memory. That being said it's all largely +the same as before where it's all as expected and the `unsafe` has to do with +managing OS APIs. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.relative-path]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +version = "1.9.3" +notes = """ +There is no net or fs usage, no crypto. +There is unsafe to convert pointers from str to RelativePath, where the latter +is a transparent wrapper around str so the pointer will be to a valid +type/value always. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.reqwest-middleware]] who = "Conrad Ludgate " criteria = "safe-to-deploy" @@ -25835,6 +27523,15 @@ criteria = "safe-to-deploy" version = "0.2.2" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +[[audits.retain_mut]] +who = "Gwendal Grignou " +criteria = ["safe-to-run", "crypto-safe"] +version = "0.1.7" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.retry-policies]] who = "Conrad Ludgate " criteria = "safe-to-deploy" 
@@ -25988,6 +27685,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rstest]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.17.0 -> 0.22.0" +notes = "No new unsafe. fs and net usage, but only in its own tests." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.rstest_macros]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -26002,6 +27709,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rstest_macros]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] +version = "0.22.0" +notes = """ +There is no fs or net usage directly, though there is fs +usage through the glob crate to get lists of files if the user +asks for it in their macro. + +There is no unsafe. Scanned through all the code. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.rstest_reuse]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] 
@@ -26016,6 +27739,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rstest_reuse]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.5.0 -> 0.7.0" +notes = "No new unsafe, looked through the changes which were minimal." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.rtic-core]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -26199,19 +27932,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.rustc-demangle]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "0.1.21" -notes = "I am the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.rustc-demangle]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.21 -> 0.1.24" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.rustc-demangle]] who = "Android Legacy" criteria = "safe-to-run" @@ -26221,6 +27941,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rustc-demangle]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.21" +notes = "I am the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.rustc-demangle]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -26236,38 +27963,41 @@ aggregated-from = [ ] [[audits.rustc-demangle]] -who = "danakj " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.1.23 -> 0.1.24" +who = "Sean Bowe " +criteria = "safe-to-deploy" +delta = "0.1.21 -> 0.1.22" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.rustc-demangle]] -who = "Daira-Emma Hopwood " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.1.23 -> 0.1.24" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.1.21 -> 0.1.23" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.rustc-demangle]] -who = "Sean Bowe " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.1.21 -> 0.1.22" +delta = "0.1.21 -> 0.1.24" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.rustc-demangle]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.22 -> 0.1.23" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.rustc-demangle]] -who = "Jack Grigg " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "0.1.22 -> 0.1.23" +delta = "0.1.23 -> 0.1.24" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + 
"https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -26281,10 +28011,13 @@ aggregated-from = [ ] [[audits.rustc-demangle]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.1.21 -> 0.1.23" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.23 -> 0.1.24" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.rustc-demangle-capi]] who = "George Burgess IV " @@ -26305,6 +28038,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rustc-hash]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "Straightforward crate with no unsafe code, does what it says on the tin." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.rustc-hash]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -26315,14 +28058,11 @@ aggregated-from = [ ] [[audits.rustc-hash]] -who = "Bobby Holley " +who = "Trevor Elliott " criteria = "safe-to-deploy" -version = "1.1.0" -notes = "Straightforward crate with no unsafe code, does what it says on the tin." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "1.1.0 -> 2.0.0" +notes = "Chris Fallin reviewed this update with me, and we didn't find anything surprising. We did verify that the new constants did originate in the paper referenced." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.rustc-workspace-hack]] who = "Johan Andersson " 
@@ -26341,26 +28081,21 @@ aggregated-from = [ ] [[audits.rustc_version]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.3 -> 0.4.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.rustc_version]] -who = "danakj@chromium.org" -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Jack Grigg " +criteria = "safe-to-deploy" version = "0.4.0" notes = """ -Reviewed in https://crrev.com/c/5171063 +Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can +choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will +try `$RUSTC` followed by `rustc`. -Previously reviewed during security review and the audit is grandparented in. +If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will +execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should +be set correctly by `cargo`. """ aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.rustc_version]] 
@@ -26377,23 +28112,48 @@ aggregated-from = [ ] [[audits.rustc_version]] -who = "Jack Grigg " -criteria = "safe-to-deploy" +who = "danakj@chromium.org" +criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" notes = """ -Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can -choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will -try `$RUSTC` followed by `rustc`. +Reviewed in https://crrev.com/c/5171063 -If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will -execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should -be set correctly by `cargo`. +Previously reviewed during security review and the audit is grandparented in. """ +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.rustc_version]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.3 -> 0.4.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.rustc_version]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.1" +notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.rustc_version]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.4.0 -> 0.4.1" +notes = "No unsafe, net or fs." 
+aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.rustdoc-json]] who = "Johan Andersson " criteria = "safe-to-run" @@ -26476,20 +28236,6 @@ version = "0.36.7" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.rustix]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -version = "0.37.13" -notes = "The Bytecode Alliance is the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.rustix]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "0.36.7 -> 0.36.8" -notes = "The Bytecode Alliance is the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.rustix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -26506,6 +28252,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rustix]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.37.13" +notes = "The Bytecode Alliance is the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.rustix]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -26515,6 +28268,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.rustix]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.36.7 -> 0.36.8" +notes = "The Bytecode Alliance is the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.rustix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -26534,6 +28294,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.rustix]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.38.34 -> 0.38.37" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.rustix]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.38.37 -> 0.38.38" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.rustls]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -26547,13 +28319,6 @@ criteria = "safe-to-deploy" delta = "0.21.0 -> 0.21.6" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.rustls]] -who = "Andrew Brown " -criteria = "safe-to-deploy" -delta = "0.22.4 -> 0.23.7" -notes = "No new unsafe code." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.rustls]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -26599,6 +28364,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.rustls]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "0.22.4 -> 0.23.7" +notes = "No new unsafe code." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.rustls-pemfile]] who = "Conrad Ludgate " criteria = "safe-to-deploy" @@ -26617,6 +28389,21 @@ criteria = "safe-to-deploy" delta = "0.100.1 -> 0.101.4" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.rustversion]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.9" +notes = """ +This crate has a build-time component and procedural macro logic, which I looked +at enough to convince myself it wasn't going to do anything dramatically wrong. +I don't think logic bugs in the version parsing etc can realistically introduce +a security vulnerability. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.rustversion]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] 
@@ -26649,49 +28436,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.rustversion]] -who = "Adrian Taylor " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.14 -> 1.0.15" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.rustversion]] -who = "danakj " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.15 -> 1.0.16" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.rustversion]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.16 -> 1.0.17" -notes = "Just updates windows compat" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.rustversion]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -version = "1.0.9" -notes = """ -This crate has a build-time component and procedural macro logic, which I looked -at enough to convince myself it wasn't going to do anything dramatically wrong. -I don't think logic bugs in the version parsing etc can realistically introduce -a security vulnerability. -""" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.rustversion]] who = "Mike Hommey " criteria = "safe-to-run" 
@@ -26701,6 +28445,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.rustversion]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "1.0.9 -> 1.0.14" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.rustversion]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -26711,6 +28461,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.rustversion]] +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.14 -> 1.0.15" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.rustversion]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -26720,6 +28479,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.rustversion]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.15 -> 1.0.16" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.rustversion]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -26730,10 +28498,23 @@ aggregated-from = [ ] [[audits.rustversion]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "1.0.9 -> 1.0.14" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.16 -> 1.0.17" +notes = "Just updates windows compat" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.rustversion]] +who = "Liza Burakova " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.17 -> 1.0.18" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.rustyline]] who = "ChromeOS" @@ -26814,15 +28595,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.ryu]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-run" -delta = "1.0.17 -> 1.0.18" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -26868,6 +28640,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.ryu]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "1.0.17 -> 1.0.18" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.ryu-js]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] @@ -26893,6 +28674,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.safemem]] +who = "Gwendal Grignou " +criteria = ["safe-to-run", "crypto-safe"] +version = "0.3.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.safetensors]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.3.3" +notes = "No unsafe, just a serialization library for tensors." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.same-file]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -26996,6 +28793,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.scroll]] +who = "Taylor Cramer " +criteria = "ub-risk-2" +version = "0.12.0" +notes = "Reviewed in CL 642006817" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.scroll]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" 
@@ -27026,21 +28833,21 @@ aggregated-from = [ ] [[audits.scroll_derive]] -who = "Mike Hommey " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "0.11.0 -> 0.11.1" +notes = "Dependency syn v2 update only" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.scroll_derive]] -who = "Jan-Erik Rediger " +who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.11.0 -> 0.11.1" -notes = "Dependency syn v2 update only" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] 
@@ -27102,12 +28909,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.semver]] -who = "Pat Hickey " +[[audits.selectors]] +who = "Emilio Cobos Álvarez " criteria = "safe-to-deploy" -version = "1.0.17" -notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.22.0 -> 0.25.0" +notes = "First party Mozilla code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.selectors]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.26.0" +notes = "First-party code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.semver]] who = "George Burgess IV " @@ -27118,6 +28938,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.semver]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "1.0.17" +notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.semver]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -27132,33 +28959,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.semver]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.20 -> 1.0.21" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.semver]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.21 -> 1.0.22" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.semver]] -who = "danakj " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.22 -> 1.0.23" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.semver]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -27196,17 +28996,10 @@ aggregated-from = [ ] [[audits.semver]] -who = "Jack Grigg " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "1.0.22 -> 1.0.23" -notes = """ -`build.rs` change is to enable checking for expected `#[cfg]` names if compiling -with Rust 1.80 or later. -""" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.17 -> 1.0.18" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.semver]] who = "Jack Grigg " 
@@ -27235,6 +29028,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.semver]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.20 -> 1.0.21" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.semver]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -27245,10 +29047,35 @@ aggregated-from = [ ] [[audits.semver]] -who = "Conrad Ludgate " +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.21 -> 1.0.22" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.semver]] +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.17 -> 1.0.18" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +delta = "1.0.22 -> 1.0.23" +notes = """ +`build.rs` change is to enable checking for expected `#[cfg]` names if compiling +with Rust 1.80 or later. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.semver]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.22 -> 1.0.23" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.semver-parser]] who = "George Burgess IV " 
@@ -27311,60 +29138,68 @@ aggregated-from = [ ] [[audits.serde]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.197 -> 1.0.198" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.136 -> 1.0.143" +notes = "Bumps serde-derive and adds some constructors." aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde]] -who = "danakj " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.198 -> 1.0.201" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.137 -> 1.0.143" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Dustin J. 
Mitchell " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.201 -> 1.0.202" -notes = "Trivial changes" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.143 -> 1.0.144" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.202 -> 1.0.203" -notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.143 -> 1.0.145" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde]] -who = "Adrian Taylor " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.203 -> 1.0.204" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.144 -> 1.0.151" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Lukasz Anforowicz " -criteria = 
["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] -delta = "1.0.204 -> 1.0.207" -notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`." +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.150 -> 1.0.160" +notes = "Small API improvements, fixing broken code generation for edge cases and updating to syn v2" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.serde]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.151 -> 1.0.152" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde]] 
@@ -27386,100 +29221,115 @@ delta = "1.0.154 -> 1.0.155" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde]] -who = "Brandon Pitman " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.156 -> 1.0.159" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.155 -> 1.0.156" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.serde]] who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.160 -> 1.0.162" +delta = "1.0.156 -> 1.0.159" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde]] -who = "David Cook " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.162 -> 1.0.163" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.159 -> 1.0.160" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.serde]] who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.203 -> 1.0.204" +delta = "1.0.160 -> 1.0.162" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde]] -who = "Brandon Pitman " +who = "David Cook " criteria = "safe-to-deploy" -delta = "1.0.204 -> 1.0.207" +delta = "1.0.162 -> 1.0.163" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.137 -> 1.0.143" +delta = "1.0.163 -> 1.0.164" aggregated-from = [ - 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde]] -who = "Mike Hommey " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "1.0.143 -> 1.0.144" +delta = "1.0.163 -> 1.0.179" +notes = "Internal refactorings and some new trait implementations" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.144 -> 1.0.151" +delta = "1.0.179 -> 1.0.188" +notes = "Mostly a bunch of cleanups after bumping MSRV." 
aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.151 -> 1.0.152" +delta = "1.0.188 -> 1.0.193" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde]] -who = "Erich Gubler " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.198 -> 1.0.201" +delta = "1.0.193 -> 1.0.194" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.150 -> 1.0.160" -notes = "Small API improvements, fixing broken code generation for edge cases and updating to syn v2" +who = "Dustin J. 
Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.197 -> 1.0.198" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jan-Erik Rediger " +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "1.0.163 -> 1.0.179" -notes = "Internal refactorings and some new trait implementations" +delta = "1.0.198 -> 1.0.201" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.serde]] +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.198 -> 1.0.201" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.serde]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -27490,77 +29340,98 @@ aggregated-from = [ ] [[audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.136 -> 1.0.143" -notes = "Bumps serde-derive and adds some constructors." +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.201 -> 1.0.202" +notes = "Trivial changes" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.143 -> 1.0.145" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.202 -> 1.0.203" +notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.155 -> 1.0.156" +delta = "1.0.203 -> 1.0.204" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.serde]] +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.203 -> 1.0.204" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.159 -> 1.0.160" +delta = "1.0.204 -> 1.0.207" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.serde]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.204 -> 1.0.207" +notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`." aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.163 -> 1.0.164" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.207 -> 1.0.209" +notes = """ +The delta carries fairly small changes in `src/private/de.rs` and +`src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the +delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts +of the crate (in `src/de/format.rs` and `src/ser/impls.rs`). 
+""" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.179 -> 1.0.188" -notes = "Mostly a bunch of cleanups after bumping MSRV." +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.188 -> 1.0.193" +who = "Liza Burakova " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.210 -> 1.0.213" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.193 -> 1.0.194" +who = "Dustin J. 
Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.213 -> 1.0.214" +notes = "No unsafe, no crypto" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde-tuple-vec-map]] 
@@ -27686,50 +29557,68 @@ aggregated-from = [ ] [[audits.serde_derive]] -who = "danakj " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.197 -> 1.0.201" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.136 -> 1.0.143" +notes = "Bumps syn, inverts some build flags." aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde_derive]] -who = "Dustin J. Mitchell " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.201 -> 1.0.202" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.137 -> 1.0.143" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.202 -> 1.0.203" -notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.143 -> 1.0.144" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + 
"https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Adrian Taylor " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.203 -> 1.0.204" +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.143 -> 1.0.145" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde_derive]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] -delta = "1.0.204 -> 1.0.207" -notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits' +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.144 -> 1.0.151" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.serde_derive]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.150 -> 1.0.160" +notes = "Update of syn dependency and thus largely changes to adopt the newer API" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.serde_derive]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.151 -> 1.0.152" +aggregated-from = [ + 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde_derive]] 
@@ -27751,97 +29640,102 @@ delta = "1.0.154 -> 1.0.155" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde_derive]] -who = "Brandon Pitman " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.156 -> 1.0.159" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.155 -> 1.0.156" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.serde_derive]] who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.160 -> 1.0.162" +delta = "1.0.156 -> 1.0.159" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde_derive]] -who = "David Cook " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.162 -> 1.0.163" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.159 -> 1.0.160" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.serde_derive]] who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.203 -> 1.0.204" +delta = "1.0.160 -> 1.0.162" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde_derive]] -who = "Brandon Pitman " +who = "David Cook " criteria = "safe-to-deploy" -delta = "1.0.204 -> 1.0.207" +delta = "1.0.162 -> 1.0.163" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde_derive]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.137 -> 1.0.143" +delta = "1.0.163 -> 1.0.164" aggregated-from = [ - 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde_derive]] -who = "Mike Hommey " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "1.0.143 -> 1.0.144" +delta = "1.0.163 -> 1.0.179" +notes = "Internal refactorings and dependency updates" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.144 -> 1.0.151" +delta = "1.0.179 -> 1.0.188" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde_derive]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.151 -> 1.0.152" +delta = "1.0.188 -> 1.0.193" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde_derive]] -who = "Erich Gubler " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.198 -> 1.0.201" +delta = "1.0.193 -> 1.0.194" 
aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.serde_derive]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.150 -> 1.0.160" -notes = "Update of syn dependency and thus largely changes to adopt the newer API" +who = "danakj " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.197 -> 1.0.201" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jan-Erik Rediger " +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "1.0.163 -> 1.0.179" -notes = "Internal refactorings and dependency updates" +delta = "1.0.198 -> 1.0.201" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] 
@@ -27855,76 +29749,98 @@ aggregated-from = [ ] [[audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.136 -> 1.0.143" -notes = "Bumps syn, inverts some build flags." +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.201 -> 1.0.202" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.143 -> 1.0.145" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.202 -> 1.0.203" +notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.155 -> 1.0.156" +delta = "1.0.203 -> 1.0.204" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.serde_derive]] +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.203 -> 1.0.204" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.159 -> 1.0.160" +delta = "1.0.204 -> 1.0.207" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.204 -> 1.0.207" +notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits' aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.163 -> 1.0.164" +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.207 -> 1.0.209" +notes = ''' +There are no code changes in this delta - see https://crrev.com/c/5812194/2..5 + +I've neverthless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`, +`\bnet\b`, and `\bunsafe\b`. There were no hits. 
+''' aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.179 -> 1.0.188" +who = "Adrian Taylor " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.188 -> 1.0.193" +who = "Liza Burakova " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.210 -> 1.0.213" +notes = "Grepped for 'unsafe', 'crypt', 'cipher', 'fs', 'net' - there were no hits" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.193 -> 1.0.194" +who = "Dustin J. 
Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "1.0.213 -> 1.0.214" +notes = "No changes to unsafe, no crypto" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.serde_jcs]] 
@@ -27978,113 +29894,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.serde_json]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.108 -> 1.0.111" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.111 -> 1.0.113" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.113 -> 1.0.114" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.114 -> 1.0.115" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Dustin J. 
Mitchell " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.115 -> 1.0.116" -notes = "No changes that affect safety to run, and no crypto" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "danakj " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.116 -> 1.0.117" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Adrian Taylor " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.117 -> 1.0.120" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.120 -> 1.0.122" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.122 -> 1.0.124" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.serde_json]] -who = "Tim Geoghegan " -criteria = "safe-to-deploy" -delta = "1.0.91 -> 1.0.92" -notes = "The only changes 
are to doccomments, a dev-dependency and the project's CI workflow, so there should be no risk to dependents." -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.serde_json]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.92 -> 1.0.93" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.serde_json]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.93 -> 1.0.94" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.serde_json]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.94 -> 1.0.95" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.serde_json]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -28112,6 +29921,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.serde_json]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "1.0.91 -> 1.0.92" +notes = "The only changes are to doccomments, a dev-dependency and the project's CI workflow, so there should be no risk to dependents." +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.serde_json]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -28122,22 +29938,22 @@ aggregated-from = [ ] [[audits.serde_json]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-run" -delta = "1.0.116 -> 1.0.117" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.92 -> 1.0.93" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde_json]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.117 -> 1.0.120" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.93 -> 1.0.94" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.serde_json]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.94 -> 1.0.95" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " @@ -28202,6 +30018,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.108 -> 1.0.111" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.serde_json]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -28211,6 +30036,43 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.111 -> 1.0.113" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.113 -> 1.0.114" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.114 -> 1.0.115" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Dustin J. Mitchell " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.115 -> 1.0.116" +notes = "No changes that affect safety to run, and no crypto" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -28224,6 +30086,92 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.serde_json]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "1.0.116 -> 1.0.117" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.serde_json]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.116 -> 1.0.117" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.117 -> 1.0.120" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.serde_json]] +who = "Adrian Taylor " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.117 -> 1.0.120" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.120 -> 1.0.122" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.122 -> 1.0.124" 
+aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.124 -> 1.0.127" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "danakj " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.127 -> 1.0.128" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.serde_json]] +who = "Liza Burakova " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.128 -> 1.0.132" +notes = """ +Methods moved into new deserializer trait in de.rs. +New methods for converting Number to i128 or u128 in number.rs +No new unsafe changes. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.serde_json_lenient]] who = "danakj@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 
@@ -28307,6 +30255,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.serde_spanned]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.7" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.serde_urlencoded]] who = "ChromeOS" criteria = "safe-to-run" @@ -28367,13 +30324,6 @@ criteria = "safe-to-run" version = "0.6.0" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.serial_test]] -who = "Johan Andersson " -criteria = "safe-to-run" -delta = "0.6.0 -> 0.8.0" -notes = "No unsafe and ambient capability with lock file creation is not exposed" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.serial_test]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -28383,17 +30333,17 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.serial_test_derive]] +[[audits.serial_test]] who = "Johan Andersson " criteria = "safe-to-run" -version = "0.6.0" +delta = "0.6.0 -> 0.8.0" +notes = "No unsafe and ambient capability with lock file creation is not exposed" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.serial_test_derive]] who = "Johan Andersson " criteria = "safe-to-run" -delta = "0.6.0 -> 0.8.0" -notes = "No unsafe usage or ambient capabilities" +version = "0.6.0" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.serial_test_derive]] 
@@ -28405,6 +30355,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.serial_test_derive]] +who = "Johan Andersson " +criteria = "safe-to-run" +delta = "0.6.0 -> 0.8.0" +notes = "No unsafe usage or ambient capabilities" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.servo_arc]] who = "Emilio Cobos Álvarez " criteria = "safe-to-deploy" @@ -28415,6 +30372,26 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.servo_arc]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.3.0" +notes = "First-party Mozilla code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.servo_arc]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.4.0" +notes = "First-party code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.sfv]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -28435,22 +30412,22 @@ aggregated-from = [ ] [[audits.sha1]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-1"] +who = "Dana Keeler " +criteria = "safe-to-deploy" version = "0.10.5" -notes = "Reviewed on https://fxrev.dev/712371." aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.sha1]] -who = "Dana Keeler " -criteria = "safe-to-deploy" +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-1"] version = "0.10.5" +notes = "Reviewed on https://fxrev.dev/712371." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.sha1]] @@ -28462,10 +30439,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.sha1_smol]] -who = "Alex Crichton " +[[audits.sha1]] +who = "Andrew Brown " criteria = "safe-to-deploy" -version = "1.0.1" +delta = "0.10.5 -> 0.10.6" +notes = "Only new code is some loongarch64 additions which include assembly code for that platform." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.sha1_smol]] 
@@ -28478,11 +30456,10 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.sha2]] -who = "Benjamin Bouvier " +[[audits.sha1_smol]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.9.9 -> 0.10.2" -notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage." +version = "1.0.1" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.sha2]] @@ -28491,6 +30468,13 @@ criteria = "safe-to-deploy" version = "0.10.2" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.sha2]] +who = "Benjamin Bouvier " +criteria = "safe-to-deploy" +delta = "0.9.9 -> 0.10.2" +notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.sha2]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -28527,12 +30511,6 @@ criteria = "safe-to-deploy" delta = "0.10.6 -> 0.10.7" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.sha3]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "0.10.7 -> 0.10.8" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.sha3]] who = "Simon Friedberger " criteria = "safe-to-deploy" @@ -28542,6 +30520,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.sha3]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.10.7 -> 0.10.8" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.sharded-slab]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -28614,15 +30598,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.shlex]] -who = "Daniel Verkamp " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.1.0 -> 1.3.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.shlex]] who = [ "Manish Goregaokar ", @@ -28639,6 +30614,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.shlex]] +who = "Daniel Verkamp " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.1.0 -> 1.3.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.shpool_pty]] who = "Ben Saunders " criteria = "ub-risk-4" @@ -28673,12 +30657,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.signal-hook-registry]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "1.4.1" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.signal-hook-registry]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -28688,6 +30666,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.signal-hook-registry]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "1.4.1" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.signature]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" 
@@ -28731,13 +30715,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.similar]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "2.2.1" -notes = "No unsafe usage or ambient capabilities" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.similar]] who = "Nika Layzell " criteria = "safe-to-deploy" @@ -28751,6 +30728,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.similar]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "2.2.1" +notes = "No unsafe usage or ambient capabilities" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.similar-asserts]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -28804,6 +30788,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.skrifa]] +who = "Augie Fackler " +criteria = ["ub-risk-2", "does-not-implement-crypto"] +version = "0.16.0" +notes = "Reviewed in CL 614825012" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.skrifa]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] @@ -28860,7 +30854,7 @@ aggregated-from = [ [[audits.skrifa]] who = "Dominik Röttsches " -criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-0"] +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.3 -> 0.20.0" notes = "Contains mainly preparatory autohint changes and data tables." aggregated-from = [ 
@@ -28869,21 +30863,63 @@ aggregated-from = [ ] [[audits.skrifa]] -who = "Augie Fackler " -criteria = ["ub-risk-2", "does-not-implement-crypto"] -version = "0.16.0" -notes = "Reviewed in CL 614825012" +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.20.0 -> 0.22.0" +notes = "Changes for adding autohinting support. Crates forbids unsafe code." aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.slab]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.4.6" -notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.skrifa]] +who = "Lukasz Anforowicz " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.22.0 -> 0.22.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.skrifa]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.22.1 -> 0.22.3" +notes = "Matching FreeType advances more closely, through usage of hdmx and other fixes. Path retrieval speedups." 
+aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.skrifa]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.22.3 -> 0.23.0" +notes = "Incremental Font Transfer patchset implementation removed, important fixes for path retrievel from CFF fonts with empty PrivateDict." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.skrifa]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.23.0 -> 0.24.0" +notes = "Skrifa updates for using wrapping arithmetic in CFF private dict parsing." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.skrifa]] +who = "Dominik Röttsches " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] +delta = "0.24.0 -> 0.24.1" +notes = "COLRv1 bounds fix, fixes for underflows/overflows." +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.slab]] who = "Android Legacy" 
@@ -28894,6 +30930,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.slab]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.4.6" +notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.slab]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -28984,20 +31027,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.smallvec]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -delta = "1.8.0 -> 1.11.0" -notes = """ -The main change is the switch to use `NonNull` internally instead of -`*mut T`. This seems reasonable, as `Vec` also never stores a null pointer, -and in particular the new `NonNull::new_unchecked`s look ok. - -Most of the rest of the changes are adding some new unstable features which -aren't enabled by default. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.smallvec]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -29026,6 +31055,20 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.smallvec]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.11.0" +notes = """ +The main change is the switch to use `NonNull` internally instead of +`*mut T`. This seems reasonable, as `Vec` also never stores a null pointer, +and in particular the new `NonNull::new_unchecked`s look ok. + +Most of the rest of the changes are adding some new unstable features which +aren't enabled by default. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.smallvec]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -29035,6 +31078,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.smallvec]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.11.0 -> 1.13.2" +notes = "Mostly minor updates, the one semi-substantial update looks good." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.smallvec]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -29081,19 +31131,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.socket2]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.4.7 -> 0.4.9" -notes = "Minor OS compat updates but otherwise nothing major here." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.socket2]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.4.9 -> 0.4.4" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.socket2]] who = "Vovo Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -29103,16 +31140,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.socket2]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-2"] -delta = "0.4.4 -> 0.5.5" -notes = "Reviewed at https://fxrev.dev/946307" -aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.socket2]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -29123,23 +31150,27 @@ aggregated-from = [ ] [[audits.socket2]] -who = "Kershaw Chang " -criteria = "safe-to-deploy" -delta = "0.5.5 -> 0.5.7" +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-2"] +delta = "0.4.4 -> 0.5.5" +notes = "Reviewed at https://fxrev.dev/946307" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.socket2]] -who = "Daira-Emma Hopwood " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.5.6 -> 0.5.7" -notes = "The new uses of unsafe to access getsockopt/setsockopt look reasonable." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "0.4.7 -> 0.4.9" +notes = "Minor OS compat updates but otherwise nothing major here." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.socket2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.9 -> 0.4.4" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.socket2]] who = "Jack Grigg " 
@@ -29176,6 +31207,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.socket2]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +delta = "0.5.5 -> 0.5.7" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.socket2]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.5.6 -> 0.5.7" +notes = "The new uses of unsafe to access getsockopt/setsockopt look reasonable." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.speedate]] who = "Manish Goregaokar " criteria = "ub-risk-2" @@ -29276,13 +31326,10 @@ notes = "No dependencies and completely a compile-time crate as advertised. Uses aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.static_assertions]] -who = "ChromeOS" -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" version = "1.1.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.static_assertions]] who = "Lukasz Anforowicz " 
@@ -29305,10 +31352,13 @@ aggregated-from = [ ] [[audits.static_assertions]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.statrs]] who = "David Cook " @@ -29371,6 +31421,20 @@ criteria = "safe-to-deploy" delta = "0.1.2 -> 0.1.3" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +[[audits.strsim]] +who = "danakj@chromium.org" +criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-0"] +version = "0.10.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.strsim]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -29380,6 +31444,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.strsim]] +who = "Lukasz Anforowicz " +criteria = "ub-risk-0" +version = "0.11.0" +notes = "No `unsafe`" +aggregated-from = [ + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.strsim]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -29398,37 +31472,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.strsim]] -who = "danakj@chromium.org" -criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-0"] -version = "0.10.0" -notes = """ -Reviewed in https://crrev.com/c/5171063 - -Previously reviewed during security review and the audit is grandparented in. -""" -aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.strsim]] who = "Lukasz Anforowicz " -criteria = "ub-risk-0" -version = "0.11.0" -notes = "No `unsafe`" +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.10.0 -> 0.11.0" aggregated-from = [ "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.strsim]] -who = "Lukasz Anforowicz " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.10.0 -> 0.11.0" +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.11.1" aggregated-from = [ - "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.strsim]] 
@@ -29440,6 +31499,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.strum]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.19.5" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.strum]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.23.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.strum]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -29461,18 +31532,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.strum]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.19.5" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.strum]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.23.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.strum_macros]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -29494,6 +31553,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.subtle]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "2.5.0" +notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.subtle]] who = "David Cook " criteria = "safe-to-deploy" 
@@ -29506,16 +31575,6 @@ criteria = "safe-to-deploy" delta = "2.5.0 -> 2.6.1" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.subtle]] -who = "Simon Friedberger " -criteria = "safe-to-deploy" -version = "2.5.0" -notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.svd-parser]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -29594,12 +31653,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.syn]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "1.0.92 -> 2.0.16" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.syn]] who = "Android Legacy" criteria = "safe-to-run" 
@@ -29627,51 +31680,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.syn]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "2.0.58" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.syn]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.0.107 -> 2.0.14" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.syn]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.0.14 -> 2.0.18" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.syn]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.0.18 -> 2.0.28" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.syn]] -who = "Daniel Verkamp " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "2.0.28 -> 2.0.38" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.syn]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -29697,10 +31705,28 @@ aggregated-from = [ ] [[audits.syn]] -who = "Brandon Pitman " +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "2.0.58" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.syn]] +who = "Daira Hopwood " criteria = "safe-to-deploy" -delta = "1.0.104 -> 2.0.11" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.91 -> 1.0.98" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.syn]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "1.0.92 -> 2.0.16" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.syn]] who = "Mike Hommey " 
@@ -29721,55 +31747,52 @@ aggregated-from = [ ] [[audits.syn]] -who = "Jan-Erik Rediger " +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "2.0.18 -> 2.0.26" -notes = "Dependency update & internal refactorings" +delta = "1.0.102 -> 1.0.104" aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.syn]] -who = "Daira-Emma Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.0.53 -> 2.0.60" +delta = "1.0.102 -> 1.0.107" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.syn]] -who = "Daira-Emma Hopwood " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "2.0.60 -> 2.0.63" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.104 -> 2.0.11" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.syn]] -who = "Daira Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.91 -> 1.0.98" +delta = "1.0.107 -> 1.0.109" +notes = "Fixes string literal parsing to only skip specified whitespace characters." 
aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.syn]] -who = "Sean Bowe " -criteria = "safe-to-deploy" -delta = "1.0.102 -> 1.0.104" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.0.107 -> 2.0.14" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.syn]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.102 -> 1.0.107" +delta = "2.0.11 -> 2.0.13" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", 
@@ -29778,38 +31801,47 @@ aggregated-from = [ [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.107 -> 1.0.109" -notes = "Fixes string literal parsing to only skip specified whitespace characters." +delta = "2.0.13 -> 2.0.15" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.syn]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "2.0.11 -> 2.0.13" +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.0.14 -> 2.0.18" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.0.13 -> 2.0.15" +delta = "2.0.15 -> 2.0.18" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.syn]] -who = "Jack Grigg " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "2.0.15 -> 2.0.18" +delta = "2.0.18 -> 2.0.26" +notes = "Dependency update & internal refactorings" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.syn]] +who = "George Burgess IV " +criteria = ["safe-to-run", 
"does-not-implement-crypto"] +delta = "2.0.18 -> 2.0.28" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.syn]] @@ -29821,6 +31853,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.syn]] +who = "Daniel Verkamp " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.0.28 -> 2.0.38" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -29871,6 +31912,33 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.syn]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "2.0.53 -> 2.0.60" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.syn]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "2.0.58 -> 2.0.77" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.syn]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "2.0.60 -> 2.0.63" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.sync_wrapper]] who = "ChromeOS" criteria = "safe-to-run" @@ -29940,6 +32008,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.sys-locale]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.3.1" +notes = "Succinct and easily-verified unsafe code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.syslog]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -30010,15 +32088,6 @@ version = "1.0.1" notes = "No unsafe usage or ambient capabilities" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.tar]] -who = "Bastian Kersting " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.4.40" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.tar]] who = "Taylor Cramer " criteria = "ub-risk-2" 
@@ -30029,23 +32098,26 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tar]] +who = "Bastian Kersting " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.40" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.task-local-extensions]] who = "Conrad Ludgate " criteria = "safe-to-deploy" version = "0.1.1" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.tempfile]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "3.3.0 -> 3.5.0" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.tempfile]] -who = "Alex Crichton " +[[audits.tch]] +who = "Andrew Brown " criteria = "safe-to-deploy" -delta = "3.5.0 -> 3.6.0" -notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." +version = "0.17.0" +notes = "Since this uses the generated functions from torch-sys, it has many (~3k) instances of unsafe; this is expected." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.tempfile]] 
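Review bot: The new `tch` 0.17.0 entry certifies `safe-to-deploy`, but its `notes` only explain why roughly 3k `unsafe` uses exist, not how they were checked. An audit entry covers a single crate, so it says nothing about `torch-sys`, which the note names as the source of the generated functions. Whether `torch-sys` has an entry of its own is not visible in this hunk. Anyone importing this aggregate should confirm that before relying on the `tch` entry. The upstream note would be clearer as `notes = "~3k unsafe calls into torch-sys generated bindings; <how the call sites were reviewed>."`.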
@@ -30067,46 +32139,41 @@ aggregated-from = [ ] [[audits.tempfile]] -who = "Mike Hommey " +who = "Pat Hickey " criteria = "safe-to-deploy" -delta = "3.6.0 -> 3.8.0" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "3.3.0 -> 3.5.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.tempfile]] -who = "Mike Hommey " +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "3.8.0 -> 3.9.0" +delta = "3.4.0 -> 3.5.0" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.tempfile]] -who = "Mike Hommey " +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "3.9.0 -> 3.10.1" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "3.5.0 -> 3.6.0" +notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.tempfile]] -who = "Jan-Erik Rediger " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "3.4.0 -> 3.5.0" +delta = "3.5.0 -> 3.6.0" +notes = "New `build.rs` file uses `autocfg` crate to conditionally enable new trait impls." 
aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.tempfile]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "3.5.0 -> 3.6.0" -notes = "New `build.rs` file uses `autocfg` crate to conditionally enable new trait impls." +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "3.5.0 -> 3.12.0" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", @@ -30121,6 +32188,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.tempfile]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "3.6.0 -> 3.8.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -30130,6 +32206,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.tempfile]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "3.8.0 -> 3.9.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" 
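Review bot: In the hunk at `@@ -30067,46 +32139,41 @@`, the added `tempfile` entry with `delta = "3.5.0 -> 3.12.0"` is certified only `safe-to-run` and has no `notes`, while the other tempfile deltas in the hunk are `safe-to-deploy`. It is the widest step in the list, and per the neighbouring `3.5.0 -> 3.6.0` note its range includes the release that introduced a `build.rs`. The entry cannot satisfy a `safe-to-deploy` requirement, and whether another `safe-to-deploy` path reaches 3.12.0 cannot be read from this hunk. The upstream zcash entry would be easier to rely on with a line such as `notes = "safe-to-run only: <what was reviewed between 3.5.0 and 3.12.0>"`.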
@@ -30148,6 +32233,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.tempfile]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "3.9.0 -> 3.10.1" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.termcolor]] who = "Android Legacy" criteria = "safe-to-run" @@ -30190,6 +32284,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.termcolor]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.1.3 -> 1.2.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.termcolor]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -30199,14 +32302,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.termcolor]] -who = "Mike Hommey " +[[audits.terminal_size]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "1.1.3 -> 1.2.0" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +delta = "0.1.17 -> 0.2.6" +notes = "Minor updates around using some utilities from the standard library, nothing major." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.terminal_size]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.6 -> 0.3.0" +notes = "Minor updates here, nothing major." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.terminfo]] who = "Jack Grigg " 
@@ -30254,6 +32362,20 @@ criteria = "safe-to-deploy" version = "0.2.11" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.test-log]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.2.11 -> 0.2.16" +notes = "Crate implementation was moved to a `*-macros` crate, crate is very small as a result." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[audits.test-log-macros]] +who = "Alex Crichton " +criteria = "safe-to-run" +version = "0.2.16" +notes = "Simple procedural macro copied from its previous source." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.testing_logger]] who = "Christoph Schlosser " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -30281,6 +32403,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.textwrap]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +version = "0.15.0" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.textwrap]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -30335,15 +32466,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.textwrap]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -version = "0.15.0" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.tfhe]] who = "Taylor Cramer " criteria = "ub-risk-3" 
@@ -30386,13 +32508,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.thiserror]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "1.0.40" -notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.thiserror]] who = "Android Legacy" criteria = "safe-to-run" @@ -30402,6 +32517,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.thiserror]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.40" +notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.thiserror]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -30421,22 +32543,14 @@ aggregated-from = [ ] [[audits.thiserror]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.38 -> 1.0.39" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.thiserror]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.39 -> 1.0.40" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.thiserror]] -who = "Brandon Pitman " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.40 -> 1.0.43" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.30 -> 1.0.32" +notes = "Bumps thiserror-impl, no code changes." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.thiserror]] who = "Mike Hommey " 
@@ -30448,60 +32562,47 @@ aggregated-from = [ ] [[audits.thiserror]] -who = "Mike Hommey " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.32 -> 1.0.38" +delta = "1.0.32 -> 1.0.37" +notes = "The new build script invokes rustc to determine whether it supports the Provider API. The only side-effect is it overwrites `$OUT_DIR/probe.rs`, which is fine because it is unique to the thiserror package." aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror]] -who = "Daira-Emma Hopwood " +who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "1.0.58 -> 1.0.60" +delta = "1.0.32 -> 1.0.38" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.thiserror]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.60 -> 1.0.61" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.38 -> 1.0.39" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.thiserror]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.61 -> 1.0.63" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.39 -> 1.0.40" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.thiserror]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.30 -> 1.0.32" -notes = "Bumps thiserror-impl, no code changes." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.40 -> 1.0.43" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.thiserror]] -who = "Jack Grigg " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "1.0.32 -> 1.0.37" -notes = "The new build script invokes rustc to determine whether it supports the Provider API. The only side-effect is it overwrites `$OUT_DIR/probe.rs`, which is fine because it is unique to the thiserror package." -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.40 -> 1.0.47" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " 
@@ -30555,17 +32656,37 @@ aggregated-from = [ ] [[audits.thiserror]] -who = "Conrad Ludgate " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "1.0.40 -> 1.0.47" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +delta = "1.0.58 -> 1.0.60" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] -[[audits.thiserror-impl]] -who = "Johan Andersson " +[[audits.thiserror]] +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "1.0.40" -notes = "Found no unsafe or ambient capabilities used" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +delta = "1.0.60 -> 1.0.61" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.thiserror]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.61 -> 1.0.63" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.thiserror]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.64" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Android Legacy" 
@@ -30576,6 +32697,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.thiserror-impl]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.40" +notes = "Found no unsafe or ambient capabilities used" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.thiserror-impl]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -30595,22 +32723,14 @@ aggregated-from = [ ] [[audits.thiserror-impl]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.38 -> 1.0.39" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.thiserror-impl]] -who = "Brandon Pitman " -criteria = "safe-to-deploy" -delta = "1.0.39 -> 1.0.40" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - -[[audits.thiserror-impl]] -who = "Brandon Pitman " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.40 -> 1.0.43" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +delta = "1.0.30 -> 1.0.32" +notes = "Only change is to refine an error message." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.thiserror-impl]] who = "Mike Hommey " 
@@ -30621,6 +32741,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.thiserror-impl]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.32 -> 1.0.37" +notes = "Proc macro changes migrating to the Provider API look fine." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.thiserror-impl]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -30631,47 +32761,51 @@ aggregated-from = [ ] [[audits.thiserror-impl]] -who = "Daira-Emma Hopwood " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.58 -> 1.0.60" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.38 -> 1.0.39" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.thiserror-impl]] -who = "Jack Grigg " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.60 -> 1.0.61" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.39 -> 1.0.40" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.thiserror-impl]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.40 -> 1.0.43" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[audits.thiserror-impl]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "1.0.40 -> 1.0.47" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.61 -> 1.0.63" +delta = "1.0.43 -> 1.0.48" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.30 -> 1.0.32" -notes = "Only change is to refine an error message." 
+delta = "1.0.48 -> 1.0.51" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] -who = "Jack Grigg " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.32 -> 1.0.37" -notes = "Proc macro changes migrating to the Provider API look fine." +delta = "1.0.51 -> 1.0.52" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", 
@@ -30680,53 +32814,53 @@ aggregated-from = [ [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.43 -> 1.0.48" +delta = "1.0.52 -> 1.0.56" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] -who = "Jack Grigg " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "1.0.48 -> 1.0.51" +delta = "1.0.56 -> 1.0.58" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] -who = "Jack Grigg " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "1.0.51 -> 1.0.52" +delta = "1.0.58 -> 1.0.60" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.52 -> 1.0.56" +delta = "1.0.60 -> 1.0.61" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] -who = "Daira-Emma Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.56 -> 1.0.58" +delta = "1.0.61 -> 1.0.63" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", 
"https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.thiserror-impl]] -who = "Conrad Ludgate " +who = "Brandon Pitman " criteria = "safe-to-deploy" -delta = "1.0.40 -> 1.0.47" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +delta = "1.0.63 -> 1.0.64" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[audits.thread_local]] who = "Pat Hickey " @@ -30844,20 +32978,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.time]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -delta = "0.3.23 -> 0.3.36" -notes = """ -There's a bit of new unsafe code that is self-imposed because they now assert -that ordinals are non-zero. All unsafe code was checked to ensure that the -invariants claimed were true. -""" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.time]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -30872,6 +32992,20 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.time]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.3.23 -> 0.3.36" +notes = """ +There's a bit of new unsafe code that is self-imposed because they now assert +that ordinals are non-zero. All unsafe code was checked to ensure that the +invariants claimed were true. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.time]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -30913,6 +33047,21 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.time-core]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + +[[audits.time-core]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.time-core]] who = "Kershaw Chang " criteria = "safe-to-deploy" @@ -30934,27 +33083,21 @@ aggregated-from = [ [[audits.time-core]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.1.0 -> 0.1.1" +delta = "0.1.1 -> 0.1.2" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.time-core]] -who = "Jack Grigg " +[[audits.time-macros]] +who = "Kershaw Chang " criteria = "safe-to-deploy" -delta = "0.1.1 -> 0.1.2" +version = "0.2.6" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.time-core]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.1.0 -> 0.1.1" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.time-macros]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] 
@@ -30966,12 +33109,12 @@ aggregated-from = [ ] [[audits.time-macros]] -who = "Kershaw Chang " +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "0.2.6" +delta = "0.2.4 -> 0.2.6" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.time-macros]] @@ -30992,24 +33135,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.time-macros]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -delta = "0.2.10 -> 0.2.18" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.time-macros]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.2.4 -> 0.2.6" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -31046,6 +33171,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.time-macros]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.2.10 -> 0.2.18" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -31213,6 +33347,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tinyvec_macros]] +who = "George Burgess IV " +criteria = ["does-not-implement-crypto", "safe-to-deploy"] +version = "0.1.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.tinyvec_macros]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -31231,15 +33374,6 @@ version = "0.1.0" notes = "Inspected it and is a tiny crate with single safe macro" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[audits.tinyvec_macros]] -who = "George Burgess IV " -criteria = ["does-not-implement-crypto", "safe-to-deploy"] -version = "0.1.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.tinyvec_macros]] who = "George Burgess IV " criteria = "ub-risk-0" @@ -31250,6 +33384,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tinyvec_macros]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -31260,22 +33400,25 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.tinyvec_macros]] -who = "Conrad Ludgate " +[[audits.to_shmem]] +who = "Emilio Cobos Álvarez " criteria = "safe-to-deploy" -delta = "0.1.0 -> 0.1.1" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +version = "0.1.0" +notes = "First-party mozilla code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] -[[audits.tokio]] -who = "Alex Crichton " +[[audits.to_shmem_derive]] +who = "Emilio Cobos Álvarez " criteria = "safe-to-deploy" -delta = "1.18.1 -> 1.18.4" -notes = """ -This looks to be a minor release primarily to fix a security-related Windows -issue plus some reorganization around lazy initialization. Altogether nothing -amiss here. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +version = "0.1.0" +notes = "It's all first-party Mozilla code recently published to crates.io" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.tokio]] who = "Android Legacy" 
@@ -31295,6 +33438,17 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tokio]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.18.1 -> 1.18.4" +notes = """ +This looks to be a minor release primarily to fix a security-related Windows +issue plus some reorganization around lazy initialization. Altogether nothing +amiss here. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tokio]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] @@ -31358,13 +33512,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.tokio-macros]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.7.0 -> 2.1.0" -notes = "A number of updates to parsed syntax and such but nothing unexpected and entirely what one would expect a Rust procedural macro to do." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.tokio-macros]] who = "Android Legacy" criteria = "safe-to-run" @@ -31383,6 +33530,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tokio-macros]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 2.1.0" +notes = "A number of updates to parsed syntax and such but nothing unexpected and entirely what one would expect a Rust procedural macro to do." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tokio-macros]] who = "Mike Hommey " criteria = "safe-to-run" 
@@ -31425,16 +33579,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.tokio-stream]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-0"] -delta = "0.1.11 -> 0.1.14" -notes = "Reviewed on https://fxrev.dev/907732." -aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.tokio-stream]] who = "Mike Hommey " criteria = "safe-to-run" @@ -31453,6 +33597,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.tokio-stream]] +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-0"] +delta = "0.1.11 -> 0.1.14" +notes = "Reviewed on https://fxrev.dev/907732." +aggregated-from = [ + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.tokio-stream]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -31462,13 +33616,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.tokio-util]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.7.4" -notes = "Alex Crichton audited the safety of src/sync/reusable_box.rs, I audited the remainder of the crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.tokio-util]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -31478,6 +33625,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tokio-util]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.7.4" +notes = "Alex Crichton audited the safety of src/sync/reusable_box.rs, I audited the remainder of the crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tokio-util]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -31487,13 +33641,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.toml]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.7.4" -notes = "No unsafe usage or ambient capabilities" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.toml]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -31503,6 +33650,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.toml]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.7.4" +notes = "No unsafe usage or ambient capabilities" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.toml]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -31530,12 +33684,14 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.toml_datetime]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "0.6.1 -> 0.6.2" -notes = "No notable changes" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[[audits.toml]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.5.10 -> 0.8.19" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] [[audits.toml_datetime]] who = "Jack Grigg " @@ -31547,6 +33703,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.toml_datetime]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.8" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -31557,6 +33722,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.toml_datetime]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +delta = "0.6.1 -> 0.6.2" +notes = "No notable changes" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -31574,12 +33746,22 @@ notes = """ Reviewed in CL 628398549 Issues found: - Better documented safety: https://github.com/toml-rs/toml/pull/720 + - Unclear on mll_quotes and mlb_quotes being safe """ aggregated-from = [ "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.toml_edit]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.22.20" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.toml_edit]] who = "Sean Bowe " criteria = "safe-to-deploy" @@ -31693,6 +33875,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.torch-sys]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.17.0" +notes = "Intrinsically unsafe since it wraps the FFI to the libtorch library; it also has a complex `build.rs` to download and link the binaries for the system. This crate seems to be the accepted solution for interfacing with PyTorch from Rust (1m+ crate downloads all time)." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tower]] who = "ChromeOS" criteria = "safe-to-run" @@ -31720,6 +33909,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tower-layer]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.3.1" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.tower-layer]] who = "ChromeOS" criteria = "safe-to-run" 
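Review bot: The `criteria = "safe-to-deploy"` on the `[[audits.torch-sys]]` entry added in the `@@ -31693,6 +33875,13 @@` hunk cannot extend to the binaries that, per the entry's own `notes`, `build.rs` downloads and links for the system. The audit covers the source of version 0.17.0, and the download count cited in the note is a popularity signal rather than evidence about the code. This file appears to be regenerated by the aggregation bot, so a comment placed here would presumably be lost. The limitation is better recorded where the import is consumed, for example `# torch-sys: audit covers crate source only; libtorch binaries fetched by build.rs are not reviewed`. Any build that pulls in torch-sys should also pin the libtorch artifact and verify its checksum.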
@@ -31732,13 +33927,13 @@ aggregated-from = [ [[audits.tower-layer]] who = "Conrad Ludgate " criteria = "safe-to-deploy" -version = "0.3.1" +delta = "0.3.1 -> 0.3.2" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" -[[audits.tower-layer]] +[[audits.tower-service]] who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.3.2" +version = "0.3.1" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.tower-service]] @@ -31759,6 +33954,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tower-service]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.3.2" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.tower-service]] who = "Mike Hommey " criteria = "safe-to-run" @@ -31768,29 +33969,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.tower-service]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.3.1" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.tower-service]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.3.2" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[audits.tracing]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.34 -> 0.1.37" -notes = """ -A routine set of updates for the tracing crate this includes minor refactorings, -addition of benchmarks, some test updates, but overall nothing out of the -ordinary. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.tracing]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -31800,6 +33978,20 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tracing]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.37" +notes = """ +There's only one unsafe impl, and its purpose is to ensure correct behavior by +creating a non-Send marker type (it has nothing to do with soundness). All +dependencies make sense, and no side-effectful std functions are used. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.tracing]] who = "Taylor Cramer " criteria = "ub-risk-4" @@ -31814,6 +34006,17 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tracing]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.1.34 -> 0.1.37" +notes = """ +A routine set of updates for the tracing crate this includes minor refactorings, +addition of benchmarks, some test updates, but overall nothing out of the +ordinary. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tracing]] who = "Mike Hommey " criteria = "safe-to-run" @@ -31845,13 +34048,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.tracing-attributes]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.21 -> 0.1.26" -notes = "This range notably updated `syn` to 2.x.x and otherwise adds a few features here and there but nothing out of the ordering for a procedural macro." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.tracing-attributes]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -31861,6 +34057,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tracing-attributes]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.24" +notes = "No unsafe code, macros extensively tested and produce reasonable code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.tracing-attributes]] who = "Mike Hommey " criteria = "safe-to-run" @@ -31870,6 +34076,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.tracing-attributes]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.1.21 -> 0.1.26" +notes = "This range notably updated `syn` to 2.x.x and otherwise adds a few features here and there but nothing out of the ordering for a procedural macro." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tracing-attributes]] who = "Mike Hommey " criteria = "safe-to-run" @@ -31916,14 +34129,10 @@ aggregated-from = [ ] [[audits.tracing-core]] -who = "Alex Crichton " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.1.28 -> 0.1.31" -notes = """ -This is a relatively minor set of releases with minor refactorings and bug -fixes. Nothing fundamental was added in these changes. -""" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +version = "0.1.27" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.tracing-core]] who = "ChromeOS" 
@@ -31935,13 +34144,17 @@ aggregated-from = [ ] [[audits.tracing-core]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-2"] -delta = "0.1.21 -> 0.1.31" -notes = "Reviewed on https://fxrev.dev/906816" +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.30" +notes = """ +Most unsafe code is in implementing non-std sync primitives. Unsafe impls are +logically correct and justified in comments, and unsafe code is sound and +justified in comments. +""" aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[audits.tracing-core]] @@ -31955,12 +34168,12 @@ aggregated-from = [ ] [[audits.tracing-core]] -who = "Manish Goregaokar " -criteria = "ub-risk-2" -delta = "0.1.30 -> 0.1.32" -notes = "Reviewed in CL 573852436" +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-2"] +delta = "0.1.21 -> 0.1.31" +notes = "Reviewed on https://fxrev.dev/906816" aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] 
@@ -31973,6 +34186,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.tracing-core]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.1.28 -> 0.1.31" +notes = """ +This is a relatively minor set of releases with minor refactorings and bug +fixes. Nothing fundamental was added in these changes. +""" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.tracing-core]] who = "Mike Hommey " criteria = "safe-to-run" @@ -31996,6 +34219,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.tracing-core]] +who = "Manish Goregaokar " +criteria = "ub-risk-2" +delta = "0.1.30 -> 0.1.32" +notes = "Reviewed in CL 573852436" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.tracing-core]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -32005,12 +34238,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.tracing-core]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.1.27" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.tracing-error]] who = "Conrad Ludgate " criteria = "safe-to-deploy" @@ -32026,6 +34253,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.tracing-futures]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +version = "0.2.5" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.tracing-futures]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -32035,12 +34268,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.tracing-futures]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -version = "0.2.5" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.tracing-log]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -32051,6 +34278,12 @@ ecosystem. There's one `unsafe` block in this crate and it's well-scoped. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.tracing-log]] +who = "Conrad Ludgate " +criteria = "safe-to-run" +version = "0.1.3" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.tracing-log]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] @@ -32061,18 +34294,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.tracing-log]] -who = "Conrad Ludgate " -criteria = "safe-to-run" -version = "0.1.3" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.tracing-subscriber]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.3.17" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.tracing-subscriber]] +who = "David Koloski " +criteria = ["safe-to-deploy", "ub-risk-2"] +delta = "0.3.1 -> 0.3.15" +notes = "Reviewed on https://fxrev.dev/907708" +aggregated-from = [ + "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.tracing-subscriber]] who = "Alex Crichton " criteria = "safe-to-run" 
@@ -32084,16 +34321,6 @@ business as usual for minor updates in this crate. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.tracing-subscriber]] -who = "David Koloski " -criteria = ["safe-to-deploy", "ub-risk-2"] -delta = "0.3.1 -> 0.3.15" -notes = "Reviewed on https://fxrev.dev/907708" -aggregated-from = [ - "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.tracing-subscriber]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -32142,15 +34369,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.transpose]] -who = "George Burgess IV " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "0.2.2 -> 0.2.3" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.transpose]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] @@ -32161,6 +34379,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.transpose]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.2.2 -> 0.2.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.triomphe]] who = "Taylor Cramer " criteria = ["ub-risk-3", "does-not-implement-crypto"] 
@@ -32185,13 +34412,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.try-lock]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.2.4" -notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.try-lock]] who = "ChromeOS" criteria = "safe-to-run" @@ -32211,13 +34431,11 @@ aggregated-from = [ ] [[audits.try-lock]] -who = "Mike Hommey " -criteria = "safe-to-run" -delta = "0.2.3 -> 0.2.4" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.4" +notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.try-lock]] who = "Jack Grigg " @@ -32229,6 +34447,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.try-lock]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.2.3 -> 0.2.4" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.try-lock]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -32433,6 +34660,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.uefi]] +who = "Andre Braga " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.29.0 -> 0.31.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.uefi]] +who = "Andre Braga " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.31.0 -> 0.32.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.uefi-macros]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -32478,6 +34723,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.uefi-macros]] +who = "Andre Braga " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.14.0 -> 0.15.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.uefi-macros]] +who = "Andre Braga " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.15.0 -> 0.16.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.uefi-raw]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -32523,6 +34786,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.uefi-raw]] +who = "Andre Braga " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.6.0 -> 0.7.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.uefi-raw]] +who = "Andre Braga " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.7.0 -> 0.8.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.uefi-services]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -32858,10 +35139,13 @@ aggregated-from = [ ] [[audits.unicode-ident]] -who = "Pat Hickey " +who = "Daira Hopwood " criteria = "safe-to-deploy" -version = "1.0.8" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +version = "1.0.2" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[audits.unicode-ident]] who = "ChromeOS" @@ -32872,6 +35156,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.unicode-ident]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "1.0.8" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.unicode-ident]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 
@@ -32891,12 +35181,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.unicode-ident]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "1.0.2 -> 1.0.3" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.unicode-ident]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -32915,6 +35199,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.unicode-ident]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.0.2 -> 1.0.3" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.unicode-ident]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -32924,6 +35214,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.unicode-ident]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.6 -> 1.0.8" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.unicode-ident]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" 
@@ -32935,37 +35234,38 @@ aggregated-from = [ ] [[audits.unicode-ident]] -who = "Daira Hopwood " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -version = "1.0.2" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] +delta = "1.0.9 -> 1.0.11" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.unicode-ident]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.6 -> 1.0.8" +delta = "1.0.9 -> 1.0.12" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.unicode-ident]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.9 -> 1.0.12" +who = "Dustin J. Mitchell " +criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] +delta = "1.0.12 -> 1.0.13" +notes = "Lots of table updates, and tables are assumed correct with unsafe `.get_unchecked()`, so ub-risk-2 is appropriate" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.unicode-ident]] -who = "Conrad Ludgate " +[[audits.unicode-linebreak]] +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "1.0.9 -> 1.0.11" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +version = "0.1.5" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", + 
"https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[audits.unicode-linebreak]] who = "Lukasz Anforowicz " @@ -32984,15 +35284,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.unicode-linebreak]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -version = "0.1.5" -aggregated-from = [ - "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.unicode-normalization]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -33112,6 +35403,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.unicode-width]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.9 -> 0.1.10" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.unicode-width]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -33131,12 +35431,12 @@ aggregated-from = [ ] [[audits.unicode-width]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.1.9 -> 0.1.10" +who = "Lukasz Anforowicz " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "0.1.13 -> 0.1.14" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] [[audits.unicode-xid]] 
@@ -33223,6 +35523,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.unicode-xid]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.2.5 -> 0.2.6" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.unicode_ident]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -33598,12 +35907,6 @@ criteria = "safe-to-deploy" version = "0.4.1" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[audits.universal-hash]] -who = "David Cook " -criteria = "safe-to-deploy" -delta = "0.5.0 -> 0.5.1" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[audits.universal-hash]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -33614,6 +35917,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.universal-hash]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.5.0 -> 0.5.1" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[audits.untrusted]] who = "David Cook " criteria = "safe-to-deploy" @@ -33759,13 +36068,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.utf8parse]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.2.1" -notes = "Single unsafe usage that looks sound, no ambient capabilities" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.utf8parse]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -33776,13 +36078,11 @@ aggregated-from = [ ] [[audits.utf8parse]] -who = "Ying Hsu " -criteria = ["safe-to-run", "does-not-implement-crypto"] +who = "Johan Andersson " +criteria = "safe-to-deploy" version = "0.2.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] +notes = "Single unsafe usage that looks sound, no ambient capabilities" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [[audits.utf8parse]] who = "David Koloski " @@ -33794,6 +36094,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.utf8parse]] +who = "Ying Hsu " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.2.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.utf8parse]] who = "Augie Fackler " criteria = "ub-risk-3" @@ -33823,15 +36132,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.uuid]] -who = "Daniel Verkamp " -criteria = ["safe-to-run", "does-not-implement-crypto"] -delta = "1.3.0 -> 1.8.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.uuid]] who = "Gabriele Svelto " criteria = "safe-to-deploy" 
@@ -33860,6 +36160,24 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.uuid]] +who = "Daniel Verkamp " +criteria = ["safe-to-run", "does-not-implement-crypto"] +delta = "1.3.0 -> 1.8.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.v4l2r]] +who = "Alexandre Courbot " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.0.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.valuable]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -33876,13 +36194,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.vcpkg]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.2.15" -notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.vcpkg]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -33892,6 +36203,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.vcpkg]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.vec1]] who = "Johan Andersson " criteria = "safe-to-deploy" 
@@ -34006,6 +36324,34 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.virtio-media]] +who = "Alexandre Courbot " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.0.3" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.virtio-media]] +who = "Alexandre Courbot " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.0.4" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + +[[audits.virtio-queue]] +who = "Augie Fackler " +criteria = "ub-risk-2" +delta = "0.9.0 -> 0.12.0" +notes = "Reviewed in CL 634659048" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.virtiofsd]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] 
@@ -34020,14 +36366,27 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.visibility]] +who = "Kris Nuttycombe " +criteria = ["safe-to-deploy", "license-reviewed"] +version = "0.1.1" +notes = """ +- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`. +- Crate has no powerful imports, and exclusively provides a proc macro + that safely malleates a visibility modifier. +""" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.vm-memory]] who = "Manish Goregaokar " -criteria = "ub-risk-3" +criteria = "ub-risk-2" version = "0.12.1" notes = """ Reviewed in CL 556862067 -Issues found: - - https://github.com/rust-vmm/vm-memory/issues/250 +Issues from previous review fixed """ aggregated-from = [ "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", @@ -34036,11 +36395,12 @@ aggregated-from = [ [[audits.vm-memory]] who = "Manish Goregaokar " -criteria = "ub-risk-2" +criteria = "ub-risk-3" version = "0.12.1" notes = """ Reviewed in CL 556862067 -Issues from previous review fixed +Issues found: + - https://github.com/rust-vmm/vm-memory/issues/250 """ aggregated-from = [ "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", 
@@ -34080,6 +36440,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.void]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.2" +notes = "Very small crate, just hosts the Void type for easier cross-crate interfacing." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.void]] who = "George Burgess IV " criteria = "ub-risk-0" @@ -34095,16 +36465,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.void]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -version = "1.0.2" -notes = "Very small crate, just hosts the Void type for easier cross-crate interfacing." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.volatile]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -34136,6 +36496,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.vsock]] +who = "Eri Sawada " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.5.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.vte]] who = "Manish Goregaokar " criteria = "ub-risk-4" 
@@ -34222,13 +36591,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.walkdir]] -who = "Andrew Brown " -criteria = "safe-to-deploy" -delta = "2.3.2 -> 2.3.3" -notes = "No significant changes: minor refactoring and removes the need to use `winapi`." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.walkdir]] who = "Android Legacy" criteria = "safe-to-run" @@ -34256,6 +36618,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.walkdir]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +delta = "2.3.2 -> 2.3.3" +notes = "No significant changes: minor refactoring and removes the need to use `winapi`." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.walkdir]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" @@ -34265,12 +36634,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.want]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.0" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.want]] who = "George Burgess IV " criteria = "does-not-implement-crypto" @@ -34280,6 +36643,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.want]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.0" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.want]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -34289,6 +36658,12 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.want]] +who = "Conrad Ludgate " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[audits.want]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -34302,12 +36677,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.want]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.3.0 -> 0.3.1" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.warp]] who = "Mike Hommey " criteria = "safe-to-run" @@ -34330,6 +36699,16 @@ version = "0.6.0" notes = "This crate contains `unsafe` code due to its purpose: it wraps up `witx-bindgen`-generated code that calls the raw wasi-nn API." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.wasm-bindgen]] +who = "" +criteria = "ub-risk-2" +version = "0.2.92" +notes = "Reviewed in CL 643989424" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.wasm-bindgen-backend]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" 
@@ -34349,20 +36728,20 @@ aggregated-from = [ ] [[audits.wasm-bindgen-macro]] -who = "Daira-Emma Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.2.88 -> 0.2.89" +delta = "0.2.87 -> 0.2.89" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.wasm-bindgen-macro]] -who = "Jack Grigg " +who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" -delta = "0.2.87 -> 0.2.89" +delta = "0.2.88 -> 0.2.89" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -34393,18 +36772,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.wasm-bindgen-shared]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -delta = "0.2.83 -> 0.2.80" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[audits.wasm-bindgen-shared]] who = "David Cook " criteria = "safe-to-deploy" version = "0.2.83" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.wasm-bindgen-shared]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.2.83 -> 0.2.80" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.wasm-bindgen-shared]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -34496,6 +36875,16 @@ delta = "0.1.10 -> 0.1.11" notes = "This is quite a small update which only adds a small bit of offset-related functionality." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.wasm-encoder]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.7.0" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.wasm-encoder]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -34573,23 +36962,6 @@ version = "0.25.0" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.wasm-encoder]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.19.0 -> 0.19.1" -notes = "The Bytecode Alliance is the author of this crate." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.wasm-encoder]] -who = "Ryan Hunt " -criteria = "safe-to-deploy" -version = "0.7.0" -notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.wasm-encoder]] who = "Ryan Hunt " criteria = "safe-to-deploy" 
@@ -34618,6 +36990,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.wasm-encoder]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.19.0 -> 0.19.1" +notes = "The Bytecode Alliance is the author of this crate." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.wasm-encoder]] who = "Ryan Hunt " criteria = "safe-to-deploy" @@ -34725,6 +37104,16 @@ version = "0.11.2" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.wasm-smith]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.11.2" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.wasm-smith]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -34809,16 +37198,6 @@ version = "0.12.5" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.wasm-smith]] -who = "Ryan Hunt " -criteria = "safe-to-deploy" -version = "0.11.2" -notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.wasm-smith]] who = "Yury Delendik " criteria = "safe-to-run" 
@@ -34906,6 +37285,16 @@ version = "0.87.0" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.wasmparser]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.87.0" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.wasmparser]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -34997,16 +37386,6 @@ version = "0.102.0" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.wasmparser]] -who = "Ryan Hunt " -criteria = "safe-to-deploy" -version = "0.87.0" -notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.wasmparser]] who = "Yury Delendik " criteria = "safe-to-deploy" 
@@ -35151,6 +37530,25 @@ version = "44.0.0" notes = "The Bytecode Alliance is the author of this crate" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[audits.wast]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "44.0.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + +[[audits.wast]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "44.0.0" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. wast has no unsafe code and the only ambient capability it uses is to read the full contents of a file that is given to it." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.wast]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -35228,25 +37626,6 @@ version = "55.0.0" notes = "The Bytecode Alliance is the author of this crate." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.wast]] -who = "Ryan Hunt " -criteria = "safe-to-deploy" -version = "44.0.0" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[audits.wast]] -who = "Ryan Hunt " -criteria = "safe-to-deploy" -version = "44.0.0" -notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. wast has no unsafe code and the only ambient capability it uses is to read the full contents of a file that is given to it." -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[audits.wast]] who = "Yury Delendik " criteria = "safe-to-deploy" @@ -35378,6 +37757,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.webpki-roots]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.22.4" +notes = "Inspected it to confirm that it only contains data definitions and no runtime code" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.webpki-roots]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -35385,17 +37771,16 @@ delta = "0.22.4 -> 0.23.0" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.webpki-roots]] -who = "Pat Hickey " +who = "Conrad Ludgate " criteria = "safe-to-deploy" -delta = "0.23.0 -> 0.25.2" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +delta = "0.23.0 -> 0.24.0" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[audits.webpki-roots]] -who = "Johan Andersson " +who = "Pat Hickey " criteria = "safe-to-deploy" -version = "0.22.4" -notes = "Inspected it to confirm that it only contains data definitions and no runtime code" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +delta = "0.23.0 -> 0.25.2" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[audits.webpki-roots]] who = "Daira-Emma Hopwood " @@ -35407,12 +37792,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.webpki-roots]] -who = "Conrad Ludgate " -criteria = "safe-to-deploy" -delta = "0.23.0 -> 0.24.0" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - [[audits.webrtc-sdp]] who = "Byron Campen " criteria = "safe-to-deploy" @@ -35431,6 +37810,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.webrtc-sdp]] +who = "na-g " +criteria = "safe-to-deploy" +delta = "0.3.11 -> 0.3.13" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.weedle2]] who = "Travis Long " criteria = "safe-to-deploy" 
@@ -35554,6 +37942,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.wgpu-core]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "22.0.0 -> 23.0.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.wgpu-hal]] who = "Dzmitry Malyshau " criteria = "safe-to-deploy" @@ -35657,6 +38054,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.wgpu-hal]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "22.0.0 -> 23.0.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.wgpu-types]] who = "Dzmitry Malyshau " criteria = "safe-to-deploy" @@ -35760,6 +38166,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.wgpu-types]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "22.0.0 -> 23.0.0" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.whatsys]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -35784,20 +38199,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.which]] -who = "Alex Crichton " -criteria = "safe-to-run" -delta = "4.4.0 -> 5.0.0" -notes = "Only one `unsafe` block, it's what a `which` crate is expected to be." -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[audits.which]] -who = "Johan Andersson " -criteria = "safe-to-run" -version = "4.4.0" -notes = "Small build-time crate to find path of binary. Single unsafe usage, file system access, both look sound" -aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" - [[audits.which]] who = "Android Legacy" criteria = "safe-to-run" @@ -35825,6 +38226,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.which]] +who = "Johan Andersson " +criteria = "safe-to-run" +version = "4.4.0" +notes = "Small build-time crate to find path of binary. Single unsafe usage, file system access, both look sound" +aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [[audits.which]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -35848,6 +38256,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.which]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "4.4.0 -> 5.0.0" +notes = "Only one `unsafe` block, it's what a `which` crate is expected to be." +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[audits.which]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -35861,6 +38276,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.which]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "6.0.1 -> 6.0.3" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.winapi]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -35889,6 +38313,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.winapi-util]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "0.1.6 -> 0.1.8" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.winapi-util]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -35908,15 +38341,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[audits.winapi-util]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-run" -delta = "0.1.6 -> 0.1.8" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.windows-implement]] who = "Andrew Brown " criteria = "safe-to-deploy" 
@@ -36030,6 +38454,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.winnow]] +who = "Hung-Hsien Chen " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.18" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.winnow]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -36219,6 +38652,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.xattr]] +who = "Bastian Kersting " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "1.0.1" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.xattr]] who = "Andrew Brown " criteria = "safe-to-deploy" @@ -36233,15 +38675,6 @@ delta = "1.2.0 -> 1.3.1" notes = "Minor changes to MacOS-specific code." aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.xattr]] -who = "Bastian Kersting " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "1.0.1" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.xdg]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -36251,6 +38684,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.xlsynth]] +who = "Manish Goregaokar " +criteria = "ub-risk-3" +version = "0.0.11" +notes = """ +Reviewed in CL 644646753 +- Uses dlsym for FFI, could use more safety docs separating dlsym unsafety from C API unsafety +""" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.xmldecl]] who = "Henri Sivonen " criteria = "safe-to-deploy" @@ -36317,6 +38763,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.yoke]] +who = "Luca Versari " +criteria = ["ub-risk-2", "does-not-implement-crypto"] +version = "0.7.4" +notes = """ +Reviewed in https://github.com/unicode-org/icu4x/pull/5046 +Review performed as PR: https://github.com/unicode-org/icu4x/pull/5046. Minor docs improvements, plus known currently-unsolvable issue around potential future noalias UB (https://github.com/unicode-org/icu4x/issues/2095) +""" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.yoke]] who = "Makoto Kato " criteria = "safe-to-deploy" 
@@ -36363,6 +38822,65 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[audits.zcash_address]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.3.2 -> 0.4.0" +notes = "This release contains no unsafe code and consists soley of added convenience methods." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.zcash_encoding]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.1" +notes = "This release adds minor convenience methods and involves no unsafe code." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.zcash_keys]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.3.0" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.zcash_primitives]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.15.1 -> 0.16.0" +notes = "The primary change here is the switch from the `hdwallet` dependency to using `bip32`." +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.zcash_proofs]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.16.0" +notes = "This release involves only updates of previously-vetted dependencies." 
+aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[audits.zerocopy]] +who = "Manish Goregaokar " +criteria = "ub-risk-2" +version = "0.6.1" +notes = "Reviewed in CL 592374439" +aggregated-from = [ + "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.zerocopy]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -36372,6 +38890,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.zerocopy]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.7.32" +notes = """ +This crate is `no_std` so doesn't use any side-effectful std functions. It +contains quite a lot of `unsafe` code, however. I verified portions of this. It +also has a large, thorough test suite. The project claims to run tests with +Miri to have stronger soundness checks, and also claims to use formal +verification tools to prove correctness. +""" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.zerocopy]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -36409,29 +38943,12 @@ aggregated-from = [ ] [[audits.zerocopy]] -who = "Manish Goregaokar " -criteria = "ub-risk-2" -version = "0.6.1" -notes = "Reviewed in CL 592374439" -aggregated-from = [ - "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - -[[audits.zerocopy]] -who = "Alex Franchuk " +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "0.7.32" -notes = """ -This crate is `no_std` so doesn't use any side-effectful std functions. It -contains quite a lot of `unsafe` code, however. I verified portions of this. It -also has a large, thorough test suite. The project claims to run tests with -Miri to have stronger soundness checks, and also claims to use formal -verification tools to prove correctness. -""" +delta = "0.7.31 -> 0.7.32" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.zerocopy]] @@ -36443,15 +38960,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.zerocopy]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.7.31 -> 0.7.32" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.zerocopy-derive]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] 
@@ -36461,6 +38969,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] +[[audits.zerocopy-derive]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.7.32" +notes = "Clean, safe macros for zerocopy." +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[audits.zerocopy-derive]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -36489,13 +39007,12 @@ aggregated-from = [ ] [[audits.zerocopy-derive]] -who = "Alex Franchuk " +who = "Jack Grigg " criteria = "safe-to-deploy" -version = "0.7.32" -notes = "Clean, safe macros for zerocopy." +delta = "0.7.31 -> 0.7.32" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[audits.zerocopy-derive]] @@ -36507,15 +39024,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[audits.zerocopy-derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.7.31 -> 0.7.32" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.zerofrom]] who = "Makoto Kato " criteria = "safe-to-deploy" 
@@ -36554,15 +39062,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[audits.zeroize]] -who = "Daira-Emma Hopwood " -criteria = "safe-to-deploy" -delta = "1.6.0 -> 1.7.0" -aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", -] - [[audits.zeroize]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -36582,6 +39081,15 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[audits.zeroize]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.6.0 -> 1.7.0" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[audits.zeroize_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -36759,6 +39267,15 @@ criteria = "safe-to-run" delta = "7.0.0 -> 7.0.1" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[audits.zstd]] +who = "Matt Turner " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.13.0" +aggregated-from = [ + "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", + "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", +] + [[audits.zstd]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -36769,10 +39286,10 @@ refactorings of what was there prior. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.zstd]] +[[audits.zstd-safe]] who = "Matt Turner " criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "0.13.0" +version = "7.0.0" aggregated-from = [ "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", @@ -36789,15 +39306,6 @@ the standard library `io::Cursor` type. """ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[audits.zstd-safe]] -who = "Matt Turner " -criteria = ["safe-to-run", "does-not-implement-crypto"] -version = "7.0.0" -aggregated-from = [ - "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT", - "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", -] - [[audits.zstd-sys]] who = "Matt Turner " criteria = ["safe-to-run", "does-not-implement-crypto"] @@ -36808,13 +39316,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml", ] -[[trusted.aho-corasick]] -criteria = "safe-to-deploy" -user-id = 189 -start = "2019-03-28" -end = "2024-07-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.aho-corasick]] criteria = "safe-to-deploy" user-id = 189 
@@ -36825,18 +39326,18 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.anstream]] +[[trusted.aho-corasick]] criteria = "safe-to-deploy" -user-id = 6743 -start = "2023-03-16" -end = "2024-07-14" +user-id = 189 +start = "2019-03-28" +end = "2024-07-15" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.anstyle]] +[[trusted.anstream]] criteria = "safe-to-deploy" user-id = 6743 -start = "2022-05-18" -end = "2024-07-14" +start = "2023-03-16" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.anstyle]] @@ -36849,6 +39350,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.anstyle]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2022-05-18" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.anstyle-parse]] criteria = "safe-to-deploy" user-id = 6743 @@ -36867,7 +39375,7 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m criteria = "safe-to-deploy" user-id = 6743 start = "2023-03-08" -end = "2024-07-14" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.anyhow]] @@ -36877,13 +39385,6 @@ start = "2019-10-05" end = "2024-09-01" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.async-trait]] -criteria = "safe-to-deploy" -user-id = 3618 -start = "2019-07-23" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.async-trait]] criteria = "safe-to-deploy" user-id = 3618 
@@ -36894,6 +39395,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.async-trait]] +criteria = "safe-to-deploy" +user-id = 3618 +start = "2019-07-23" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.atomic]] criteria = "safe-to-deploy" user-id = 2915 @@ -36946,6 +39454,13 @@ start = "2023-08-07" end = "2024-08-19" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +[[trusted.backtrace]] +criteria = "safe-to-deploy" +user-id = 539 +start = "2024-03-21" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.backtrace]] criteria = "safe-to-deploy" user-id = 2915 @@ -36967,7 +39482,7 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 169181 start = "2022-07-22" -end = "2024-09-21" +end = "2025-10-02" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", @@ -36984,8 +39499,11 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m criteria = "safe-to-deploy" user-id = 189 start = "2019-06-09" -end = "2024-07-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-03" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.byteorder]] criteria = "safe-to-deploy" 
@@ -36998,17 +39516,7 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 189 start = "2019-06-09" -end = "2024-05-03" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - -[[trusted.bytes]] -criteria = "safe-to-deploy" -user-id = 6741 -start = "2021-01-11" -end = "2025-02-15" +end = "2024-07-15" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.bytes]] @@ -37021,6 +39529,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.bytes]] +criteria = "safe-to-deploy" +user-id = 6741 +start = "2021-01-11" +end = "2025-02-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.cap-fs-ext]] criteria = "safe-to-deploy" user-id = 6825 @@ -37084,24 +39599,17 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 6743 start = "2021-12-08" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - -[[trusted.clap]] -criteria = "safe-to-deploy" -user-id = 6743 -start = "2021-12-08" -end = "2024-06-02" +end = "2025-08-21" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.clap_builder]] +[[trusted.clap]] criteria = "safe-to-deploy" user-id = 6743 -start = "2023-03-28" -end = "2024-07-14" +start = "2021-12-08" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.clap_builder]] 
@@ -37114,40 +39622,54 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.clap_derive]] +[[trusted.clap_builder]] criteria = "safe-to-deploy" user-id = 6743 -start = "2021-12-08" -end = "2024-07-06" +start = "2023-03-28" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[trusted.clap_complete]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2021-12-31" +end = "2025-09-25" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.clap_derive]] criteria = "safe-to-deploy" user-id = 6743 start = "2021-12-08" -end = "2024-06-02" +end = "2025-08-21" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.clap_lex]] +[[trusted.clap_derive]] criteria = "safe-to-deploy" user-id = 6743 -start = "2022-04-15" -end = "2024-07-06" +start = "2021-12-08" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.clap_lex]] criteria = "safe-to-deploy" user-id = 6743 start = "2022-04-15" -end = "2024-06-02" +end = "2025-08-21" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.clap_lex]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2022-04-15" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.cpp_demangle]] criteria = "safe-to-deploy" user-id = 696 
@@ -37259,13 +39781,27 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.env_filter]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2024-01-19" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[trusted.env_logger]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2022-11-24" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.equihash]] criteria = "safe-to-deploy" user-id = 6289 start = "2020-06-26" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37273,9 +39809,9 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 6289 start = "2020-06-26" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37317,9 +39853,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 6289 start = "2021-09-22" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -37327,9 +39863,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 6289 start = "2021-09-22" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37354,13 +39890,6 @@ start = "2019-04-23" end = "2025-02-15" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.flate2]] -criteria = "safe-to-deploy" -user-id = 4333 -start = "2020-09-30" -end = "2025-02-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.flate2]] criteria = "safe-to-deploy" user-id = 4333 @@ -37371,6 +39900,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.flate2]] +criteria = "safe-to-deploy" +user-id = 4333 +start = "2020-09-30" +end = "2025-02-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.fs-set-times]] criteria = "safe-to-deploy" user-id = 6825 @@ -37392,9 +39928,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 1244 start = "2022-05-10" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -37402,9 +39938,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 1244 start = "2022-05-10" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37412,9 +39948,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 199950 start = "2023-02-24" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37422,9 +39958,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 199950 start = "2023-02-24" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37432,9 +39968,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 1244 start = "2022-05-10" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -37442,9 +39978,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 1244 start = "2022-05-10" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37465,6 +40001,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.hashbrown]] +criteria = "safe-to-deploy" +user-id = 2915 +start = "2019-04-02" +end = "2025-09-12" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.headers]] criteria = "safe-to-deploy" user-id = 359 @@ -37487,11 +40033,11 @@ aggregated-from = [ [[trusted.incrementalmerkletree]] criteria = "safe-to-deploy" -user-id = 6289 -start = "2021-12-17" -end = "2025-04-22" +user-id = 1244 +start = "2021-06-24" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37507,11 +40053,11 @@ aggregated-from = [ [[trusted.incrementalmerkletree]] criteria = "safe-to-deploy" -user-id = 169181 -start = "2023-02-28" -end = "2025-04-22" +user-id = 6289 +start = "2021-12-17" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -37519,19 +40065,19 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 6289 start = "2021-12-17" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.incrementalmerkletree]] criteria = "safe-to-deploy" -user-id = 1244 -start = "2021-06-24" -end = "2024-09-21" +user-id = 169181 +start = "2023-02-28" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -37539,12 +40085,42 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 169181 start = "2023-02-28" -end = "2024-09-21" +end = "2025-10-02" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.incrementalmerkletree-testing]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-09-25" +end = "2025-10-02" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.incrementalmerkletree-testing]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-09-25" +end = "2025-10-02" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.indexmap]] +criteria = "safe-to-deploy" +user-id = 539 +start = "2020-01-15" +end = "2024-05-05" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.indexmap]] criteria = "safe-to-deploy" user-id = 539 @@ -37556,9 +40132,9 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m criteria = "safe-to-deploy" user-id = 539 start = "2020-01-15" -end = "2024-05-05" +end = "2025-09-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] 
@@ -37620,12 +40196,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.is_terminal_polyfill]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2024-05-02" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.itoa]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-05-02" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-04-25" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.itoa]] criteria = "safe-to-deploy" @@ -37638,11 +40224,8 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-05-02" -end = "2024-04-25" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.jobserver]] criteria = "safe-to-deploy" @@ -37665,8 +40248,11 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 2915 start = "2021-01-27" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-05" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.libc]] criteria = "safe-to-deploy" 
@@ -37677,20 +40263,17 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup [[trusted.libc]] criteria = "safe-to-deploy" -user-id = 51017 -start = "2020-03-17" -end = "2025-05-06" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +user-id = 2915 +start = "2021-01-27" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.libc]] criteria = "safe-to-deploy" -user-id = 2915 -start = "2021-01-27" -end = "2024-05-05" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +user-id = 51017 +start = "2020-03-17" +end = "2024-08-19" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[trusted.libc]] criteria = "safe-to-deploy" @@ -37706,8 +40289,8 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 51017 start = "2020-03-17" -end = "2024-08-19" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +end = "2025-05-06" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[trusted.libm]] criteria = "safe-to-deploy" @@ -37730,6 +40313,16 @@ start = "2019-03-10" end = "2024-08-19" aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +[[trusted.libz-rs-sys]] +criteria = "safe-to-deploy" +user-id = 1303 +start = "2024-02-23" +end = "2024-09-01" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.linux-raw-sys]] criteria = "safe-to-deploy" user-id = 6825 
@@ -37737,6 +40330,13 @@ start = "2021-06-12" end = "2024-07-14" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[trusted.linux-raw-sys]] +criteria = "safe-to-deploy" +user-id = 6825 +start = "2021-06-12" +end = "2024-08-19" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" + [[trusted.linux-raw-sys]] criteria = "safe-to-deploy" user-id = 6825 @@ -37757,20 +40357,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.linux-raw-sys]] -criteria = "safe-to-deploy" -user-id = 6825 -start = "2021-06-12" -end = "2024-08-19" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[trusted.lock_api]] -criteria = "safe-to-deploy" -user-id = 2915 -start = "2019-05-04" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.lock_api]] criteria = "safe-to-deploy" user-id = 2915 @@ -37781,11 +40367,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.memchr]] +[[trusted.lock_api]] criteria = "safe-to-deploy" -user-id = 189 -start = "2019-07-07" -end = "2024-07-15" +user-id = 2915 +start = "2019-05-04" +end = "2024-07-06" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.memchr]] @@ -37795,6 +40381,13 @@ start = "2019-07-07" end = "2024-06-08" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[trusted.memchr]] +criteria = "safe-to-deploy" +user-id = 189 +start = "2019-07-07" +end = "2024-07-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.memchr]] criteria = "safe-to-deploy" user-id = 189 
@@ -37850,26 +40443,46 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 359 start = "2019-06-10" -end = "2024-06-08" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2024-04-25" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.num_cpus]] criteria = "safe-to-deploy" user-id = 359 start = "2019-06-10" -end = "2024-04-25" +end = "2024-06-08" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[[trusted.orchard]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.orchard]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-12" +end = "2025-10-02" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.orchard]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] -user-id = 6289 -start = "2021-01-07" -end = "2025-04-22" +user-id = 1244 +start = "2022-10-19" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -37895,11 +40508,21 @@ aggregated-from = [ [[trusted.orchard]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] -user-id = 1244 -start = "2022-10-19" -end = "2024-09-21" +user-id = 6289 +start = "2021-01-07" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.orchard]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -37913,13 +40536,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.parking_lot]] -criteria = "safe-to-deploy" -user-id = 2915 -start = "2019-05-04" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.parking_lot]] criteria = "safe-to-deploy" user-id = 2915 @@ -37930,7 +40546,7 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.parking_lot_core]] +[[trusted.parking_lot]] criteria = "safe-to-deploy" user-id = 2915 start = "2019-05-04" 
@@ -37947,12 +40563,22 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.parking_lot_core]] +criteria = "safe-to-deploy" +user-id = 2915 +start = "2019-05-04" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.paste]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-03-19" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-04-25" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.paste]] criteria = "safe-to-deploy" @@ -37965,11 +40591,8 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-03-19" -end = "2024-04-25" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.prettyplease]] criteria = "safe-to-deploy" @@ -37992,8 +40615,11 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 3618 start = "2019-04-23" -end = "2025-05-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-30" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.proc-macro2]] criteria = "safe-to-deploy" 
@@ -38006,11 +40632,8 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-04-23" -end = "2024-05-30" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2025-05-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.pulley-interpreter]] criteria = "safe-to-deploy" @@ -38023,8 +40646,11 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m criteria = "safe-to-deploy" user-id = 3618 start = "2019-04-09" -end = "2024-07-11" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-30" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.quote]] criteria = "safe-to-deploy" 
@@ -38037,18 +40663,18 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-04-09" -end = "2024-05-30" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-07-11" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.regex]] criteria = "safe-to-deploy" user-id = 189 start = "2019-02-27" -end = "2024-07-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-03" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.regex]] criteria = "safe-to-deploy" @@ -38061,11 +40687,8 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 189 start = "2019-02-27" -end = "2024-05-03" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-07-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.regex-automata]] criteria = "safe-to-deploy" 
@@ -38088,8 +40711,11 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 189 start = "2019-03-30" -end = "2024-07-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-03" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.regex-syntax]] criteria = "safe-to-deploy" @@ -38102,11 +40728,8 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 189 start = "2019-03-30" -end = "2024-05-03" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-07-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.ring]] criteria = "safe-to-deploy" @@ -38130,11 +40753,11 @@ end = "2024-07-14" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.rustix]] -criteria = "safe-to-run" +criteria = "safe-to-deploy" user-id = 6825 start = "2021-10-29" -end = "2024-11-21" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2024-08-19" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[trusted.rustix]] criteria = "safe-to-deploy" 
@@ -38157,11 +40780,11 @@ aggregated-from = [ ] [[trusted.rustix]] -criteria = "safe-to-deploy" +criteria = "safe-to-run" user-id = 6825 start = "2021-10-29" -end = "2024-08-19" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" +end = "2024-11-21" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[trusted.rusty_paserk]] criteria = "safe-to-deploy" @@ -38174,8 +40797,11 @@ aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/suppl criteria = "safe-to-deploy" user-id = 3618 start = "2019-05-02" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-04-25" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.ryu]] criteria = "safe-to-deploy" @@ -38188,7 +40814,14 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-05-02" -end = "2024-04-25" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[trusted.same-file]] +criteria = "safe-to-deploy" +user-id = 189 +start = "2019-07-16" +end = "2024-05-03" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", 
@@ -38201,14 +40834,14 @@ start = "2019-07-16" end = "2024-07-15" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.same-file]] +[[trusted.sapling-crypto]] criteria = "safe-to-deploy" -user-id = 189 -start = "2019-07-16" -end = "2024-05-03" +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.sapling-crypto]] @@ -38221,6 +40854,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.sapling-crypto]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 169181 +start = "2024-08-12" +end = "2025-10-02" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.sapling-crypto]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 
@@ -38231,12 +40874,45 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.sapling-crypto]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.schemerz]] +criteria = "safe-to-deploy" +user-id = 6289 +start = "2024-10-15" +end = "2025-10-15" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.schemerz-rusqlite]] +criteria = "safe-to-deploy" +user-id = 6289 +start = "2024-10-15" +end = "2025-10-15" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.scopeguard]] criteria = "safe-to-deploy" user-id = 2915 start = "2020-02-16" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-05" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.scopeguard]] criteria = "safe-to-deploy" 
@@ -38249,11 +40925,8 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 2915 start = "2020-02-16" -end = "2024-05-05" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.serde]] criteria = "safe-to-deploy" @@ -38262,6 +40935,16 @@ start = "2019-03-01" end = "2024-07-06" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[trusted.serde]] +criteria = "safe-to-deploy" +user-id = 3618 +start = "2019-03-01" +end = "2025-05-31" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.serde]] criteria = "safe-to-deploy" user-id = 3618 @@ -38273,9 +40956,9 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-03-01" -end = "2025-05-31" +end = "2025-09-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] 
@@ -38296,6 +40979,16 @@ start = "2019-03-01" end = "2024-07-06" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[trusted.serde_derive]] +criteria = "safe-to-deploy" +user-id = 3618 +start = "2019-03-01" +end = "2025-05-31" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.serde_derive]] criteria = "safe-to-deploy" user-id = 3618 @@ -38307,9 +41000,9 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 3618 start = "2019-03-01" -end = "2025-05-31" +end = "2025-09-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] 
@@ -38317,25 +41010,25 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 3618 start = "2019-02-28" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-04-25" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.serde_json]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-02-28" -end = "2025-07-01" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.serde_json]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-02-28" -end = "2024-04-25" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2025-07-01" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[trusted.serde_repr]] criteria = "safe-to-deploy" @@ -38354,6 +41047,16 @@ start = "2023-01-20" end = "2025-02-12" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[trusted.serde_spanned]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2023-01-20" +end = "2025-09-12" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.serde_yaml]] criteria = "safe-to-deploy" user-id = 3618 
@@ -38395,19 +41098,29 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m criteria = "safe-to-deploy" user-id = 3618 start = "2019-03-01" -end = "2024-06-08" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2025-07-04" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.syn]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-03-01" -end = "2025-07-04" +end = "2025-09-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.syn]] +criteria = "safe-to-deploy" +user-id = 3618 +start = "2019-03-01" +end = "2025-11-04" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[trusted.system-interface]] criteria = "safe-to-deploy" user-id = 6825 @@ -38422,13 +41135,6 @@ start = "2019-03-04" end = "2025-02-15" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.target-lexicon]] -criteria = "safe-to-deploy" -user-id = 6825 -start = "2019-03-06" -end = "2024-07-14" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.target-lexicon]] criteria = "safe-to-deploy" user-id = 696 
@@ -38436,11 +41142,11 @@ start = "2024-07-30" end = "2025-07-30" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.termcolor]] +[[trusted.target-lexicon]] criteria = "safe-to-deploy" -user-id = 189 -start = "2019-06-04" -end = "2024-07-15" +user-id = 6825 +start = "2019-03-06" +end = "2024-07-14" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.termcolor]] @@ -38453,19 +41159,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.thiserror]] +[[trusted.termcolor]] criteria = "safe-to-deploy" -user-id = 3618 -start = "2019-10-09" -end = "2024-07-06" +user-id = 189 +start = "2019-06-04" +end = "2024-07-15" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.thiserror]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-10-09" -end = "2024-07-25" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.thiserror]] criteria = "safe-to-deploy" 
@@ -38477,19 +41183,19 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.thiserror-impl]] +[[trusted.thiserror]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-10-09" -end = "2024-07-06" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2025-11-04" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[trusted.thiserror-impl]] criteria = "safe-to-deploy" user-id = 3618 start = "2019-10-09" -end = "2024-07-25" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2024-07-06" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.thiserror-impl]] criteria = "safe-to-deploy" @@ -38501,6 +41207,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.thiserror-impl]] +criteria = "safe-to-deploy" +user-id = 3618 +start = "2019-10-09" +end = "2025-11-04" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[trusted.thread_local]] criteria = "safe-to-deploy" user-id = 2915 @@ -38548,6 +41261,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.toml]] +criteria = "safe-to-deploy" +user-id = 1 +start = "2019-05-16" +end = "2024-05-06" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.toml]] criteria = "safe-to-deploy" user-id = 1 
@@ -38562,20 +41285,27 @@ start = "2022-12-14" end = "2025-02-12" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.toml]] +[[trusted.toml_datetime]] criteria = "safe-to-deploy" -user-id = 1 -start = "2019-05-16" -end = "2024-05-06" +user-id = 6743 +start = "2022-10-21" +end = "2025-02-12" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[trusted.toml_datetime]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2022-10-21" +end = "2025-09-12" aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.toml_datetime]] +[[trusted.toml_edit]] criteria = "safe-to-deploy" user-id = 6743 -start = "2022-10-21" +start = "2021-09-13" end = "2025-02-12" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" @@ -38583,8 +41313,11 @@ aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/m criteria = "safe-to-deploy" user-id = 6743 start = "2021-09-13" -end = "2025-02-12" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2025-09-12" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.unicode-ident]] criteria = "safe-to-deploy" 
@@ -38596,13 +41329,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.walkdir]] -criteria = "safe-to-deploy" -user-id = 189 -start = "2019-06-09" -end = "2024-07-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.walkdir]] criteria = "safe-to-deploy" user-id = 189 @@ -38613,6 +41339,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.walkdir]] +criteria = "safe-to-deploy" +user-id = 189 +start = "2019-06-09" +end = "2024-07-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.warp]] criteria = "safe-to-deploy" user-id = 359 @@ -38623,13 +41356,6 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.wasi]] -criteria = "safe-to-deploy" -user-id = 1 -start = "2020-06-03" -end = "2024-06-08" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" - [[trusted.wasi]] criteria = "safe-to-deploy" user-id = 1 @@ -38640,6 +41366,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] +[[trusted.wasi]] +criteria = "safe-to-deploy" +user-id = 1 +start = "2020-06-03" +end = "2024-06-08" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [[trusted.wasi-cap-std-sync]] criteria = "safe-to-deploy" user-id = 73222 
@@ -38656,13 +41389,6 @@ end = "2024-05-26" notes = "Maintained by Bytecode Alliance that we (Embark) are part of and we trust their review & release process on https://github.com/bytecodealliance/wasmtime" aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" -[[trusted.wasm-bindgen]] -criteria = "safe-to-deploy" -user-id = 1 -start = "2019-03-04" -end = "2024-07-14" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" - [[trusted.wasm-bindgen]] criteria = "safe-to-deploy" user-id = 1 @@ -38670,7 +41396,7 @@ start = "2019-03-04" end = "2024-06-08" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[trusted.wasm-bindgen-backend]] +[[trusted.wasm-bindgen]] criteria = "safe-to-deploy" user-id = 1 start = "2019-03-04" @@ -38684,7 +41410,7 @@ start = "2019-03-04" end = "2024-06-08" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[trusted.wasm-bindgen-macro]] +[[trusted.wasm-bindgen-backend]] criteria = "safe-to-deploy" user-id = 1 start = "2019-03-04" @@ -38698,7 +41424,7 @@ start = "2019-03-04" end = "2024-06-08" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" -[[trusted.wasm-bindgen-macro-support]] +[[trusted.wasm-bindgen-macro]] criteria = "safe-to-deploy" user-id = 1 start = "2019-03-04" @@ -38712,6 +41438,13 @@ start = "2019-03-04" end = "2024-06-08" aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +[[trusted.wasm-bindgen-macro-support]] +criteria = "safe-to-deploy" +user-id = 1 +start = "2019-03-04" +end = "2024-07-14" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.wasm-bindgen-shared]] criteria = "safe-to-deploy" user-id = 1 
@@ -38879,8 +41612,11 @@ aggregated-from = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosyste criteria = "safe-to-deploy" user-id = 189 start = "2020-01-11" -end = "2024-07-15" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-05-03" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] [[trusted.winapi-util]] criteria = "safe-to-deploy" @@ -38893,7 +41629,14 @@ aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/sup criteria = "safe-to-deploy" user-id = 189 start = "2020-01-11" -end = "2024-05-03" +end = "2024-07-15" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[[trusted.windows]] +criteria = "safe-to-deploy" +user-id = 64539 +start = "2021-01-15" +end = "2025-01-30" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", @@ -38906,11 +41649,11 @@ start = "2021-01-15" end = "2025-01-30" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.windows]] +[[trusted.windows-core]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-01-15" -end = "2025-01-30" +start = "2021-11-15" +end = "2024-09-20" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", 
@@ -38923,20 +41666,20 @@ start = "2021-11-15" end = "2025-01-02" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.windows-core]] +[[trusted.windows-implement]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-11-15" -end = "2024-09-20" +start = "2022-01-27" +end = "2025-07-29" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] -[[trusted.windows-implement]] +[[trusted.windows-interface]] criteria = "safe-to-deploy" user-id = 64539 -start = "2022-01-27" +start = "2022-02-18" end = "2025-07-29" aggregated-from = [ "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", @@ -38950,16 +41693,6 @@ start = "2022-02-18" end = "2025-08-07" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" -[[trusted.windows-interface]] -criteria = "safe-to-deploy" -user-id = 64539 -start = "2022-02-18" -end = "2025-07-29" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] - [[trusted.windows-result]] criteria = "safe-to-deploy" user-id = 64539 
@@ -38984,43 +41717,43 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 64539 start = "2021-11-15" -end = "2024-06-17" -aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +end = "2024-06-20" +aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [[trusted.windows-sys]] criteria = "safe-to-deploy" user-id = 64539 start = "2021-11-15" -end = "2024-06-20" -aggregated-from = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" +end = "2024-06-21" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] [[trusted.windows-sys]] criteria = "safe-to-deploy" user-id = 64539 start = "2021-11-15" -end = "2024-09-12" -aggregated-from = [ - "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", - "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", -] +end = "2024-08-19" +aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" [[trusted.windows-sys]] criteria = "safe-to-deploy" user-id = 64539 start = "2021-11-15" -end = "2025-04-22" +end = "2024-09-12" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", - "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", ] [[trusted.windows-sys]] criteria = "safe-to-deploy" user-id = 64539 start = "2021-11-15" -end = "2024-06-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + 
"https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -39028,14 +41761,7 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 64539 start = "2021-11-15" -end = "2024-08-19" -aggregated-from = "https://raw.githubusercontent.com/atuinsh/atuin/vetting/supply-chain/audits.toml" - -[[trusted.windows-targets]] -criteria = "safe-to-deploy" -user-id = 64539 -start = "2022-09-09" -end = "2024-06-17" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows-targets]] @@ -39065,11 +41791,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_aarch64_gnullvm]] +[[trusted.windows-targets]] criteria = "safe-to-deploy" user-id = 64539 -start = "2022-09-01" -end = "2024-06-17" +start = "2022-09-09" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_aarch64_gnullvm]] @@ -39099,11 +41825,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_aarch64_msvc]] +[[trusted.windows_aarch64_gnullvm]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-11-05" -end = "2024-06-17" +start = "2022-09-01" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_aarch64_msvc]] 
@@ -39133,11 +41859,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_i686_gnu]] +[[trusted.windows_aarch64_msvc]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-10-28" -end = "2024-06-17" +start = "2021-11-05" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_i686_gnu]] @@ -39167,6 +41893,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.windows_i686_gnu]] +criteria = "safe-to-deploy" +user-id = 64539 +start = "2021-10-28" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.windows_i686_gnullvm]] criteria = "safe-to-deploy" user-id = 64539 @@ -39187,11 +41920,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_i686_msvc]] +[[trusted.windows_i686_gnullvm]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-10-27" -end = "2024-06-17" +start = "2024-04-02" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_i686_msvc]] @@ -39221,11 +41954,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_x86_64_gnu]] +[[trusted.windows_i686_msvc]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-10-28" -end = "2024-06-17" +start = "2021-10-27" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_x86_64_gnu]] 
@@ -39255,11 +41988,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_x86_64_gnullvm]] +[[trusted.windows_x86_64_gnu]] criteria = "safe-to-deploy" user-id = 64539 -start = "2022-09-01" -end = "2024-06-17" +start = "2021-10-28" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_x86_64_gnullvm]] @@ -39289,11 +42022,11 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.windows_x86_64_msvc]] +[[trusted.windows_x86_64_gnullvm]] criteria = "safe-to-deploy" user-id = 64539 -start = "2021-10-27" -end = "2024-06-17" +start = "2022-09-01" +end = "2025-09-20" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [[trusted.windows_x86_64_msvc]] @@ -39323,6 +42056,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.windows_x86_64_msvc]] +criteria = "safe-to-deploy" +user-id = 64539 +start = "2021-10-27" +end = "2025-09-20" +aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [[trusted.winnow]] criteria = "safe-to-deploy" user-id = 6743 @@ -39330,6 +42070,16 @@ start = "2023-02-22" end = "2025-02-12" aggregated-from = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[[trusted.winnow]] +criteria = "safe-to-deploy" +user-id = 6743 +start = "2023-02-22" +end = "2025-09-12" +aggregated-from = [ + "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +] + [[trusted.winx]] criteria = "safe-to-deploy" user-id = 6825 
@@ -39354,6 +42104,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.zcash_address]] +criteria = "safe-to-deploy" +user-id = 1244 +start = "2022-10-19" +end = "2024-09-21" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.zcash_address]] criteria = "safe-to-deploy" user-id = 1244 @@ -39364,6 +42124,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.zcash_address]] +criteria = "safe-to-deploy" +user-id = 6289 +start = "2021-03-07" +end = "2025-03-18" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.zcash_address]] criteria = "safe-to-deploy" user-id = 6289 @@ -39376,19 +42146,19 @@ aggregated-from = [ [[trusted.zcash_address]] criteria = "safe-to-deploy" -user-id = 1244 -start = "2022-10-19" -end = "2024-09-21" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.zcash_address]] criteria = "safe-to-deploy" -user-id = 6289 -start = "2021-03-07" -end = "2025-03-18" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", 
@@ -39404,6 +42174,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.zcash_client_sqlite]] +criteria = "safe-to-deploy" +user-id = 6289 +start = "2020-06-25" +end = "2025-10-22" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.zcash_client_sqlite]] criteria = "safe-to-deploy" user-id = 169181 @@ -39418,9 +42198,9 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 1244 start = "2022-10-19" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -39428,9 +42208,9 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 1244 start = "2022-10-19" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -39448,16 +42228,16 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 1244 start = "2020-03-04" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.zcash_history]] criteria = "safe-to-deploy" -user-id = 6289 -start = "2024-03-01" +user-id = 1244 +start = "2020-03-04" end = "2025-04-22" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", @@ -39466,9 +42246,9 @@ aggregated-from = [ [[trusted.zcash_history]] criteria = "safe-to-deploy" -user-id = 1244 -start = "2020-03-04" -end = "2024-09-21" +user-id = 6289 +start = "2024-03-01" +end = "2025-03-18" aggregated-from = [ "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", @@ -39478,9 +42258,9 @@ aggregated-from = [ criteria = "safe-to-deploy" user-id = 6289 start = "2024-03-01" -end = "2025-03-18" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] @@ -39498,9 +42278,9 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 169181 start = "2023-03-22" -end = "2025-04-22" +end = "2024-09-21" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] 
@@ -39508,22 +42288,52 @@ aggregated-from = [ criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 169181 start = "2023-03-22" -end = "2024-09-21" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.zcash_primitives]] -criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +criteria = "safe-to-deploy" user-id = 6289 start = "2021-03-26" -end = "2025-04-22" +end = "2025-10-02" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.zcash_primitives]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.zcash_primitives]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.zcash_primitives]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 1244 +start = "2019-10-08" +end = "2024-09-21" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.zcash_primitives]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 1244 
@@ -39546,24 +42356,44 @@ aggregated-from = [ [[trusted.zcash_primitives]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] -user-id = 1244 -start = "2019-10-08" -end = "2024-09-21" +user-id = 6289 +start = "2021-03-26" +end = "2025-04-22" aggregated-from = [ - "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] [[trusted.zcash_proofs]] -criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +criteria = "safe-to-deploy" user-id = 6289 start = "2021-03-26" -end = "2025-04-22" +end = "2025-10-02" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + +[[trusted.zcash_proofs]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.zcash_proofs]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.zcash_proofs]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 
@@ -39574,10 +42404,10 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.zcash_protocol]] -criteria = "safe-to-deploy" -user-id = 169181 -start = "2024-01-27" +[[trusted.zcash_proofs]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 6289 +start = "2021-03-26" end = "2025-04-22" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", @@ -39594,10 +42424,10 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.zcash_spec]] -criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] -user-id = 6289 -start = "2023-12-07" +[[trusted.zcash_protocol]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-01-27" end = "2025-04-22" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", @@ -39614,10 +42444,10 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] -[[trusted.zip32]] -criteria = "safe-to-deploy" +[[trusted.zcash_spec]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 -start = "2023-12-06" +start = "2023-12-07" end = "2025-04-22" aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", @@ -39634,6 +42464,16 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] +[[trusted.zip32]] +criteria = "safe-to-deploy" +user-id = 6289 +start = "2023-12-06" +end = "2025-04-22" +aggregated-from = [ + "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", + "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", +] + [[trusted.zip321]] criteria = "safe-to-deploy" user-id = 169181 
@@ -39643,3 +42483,13 @@ aggregated-from = [ "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml", "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml", ] + +[[trusted.zlib-rs]] +criteria = "safe-to-deploy" +user-id = 1303 +start = "2024-02-23" +end = "2024-09-01" +aggregated-from = [ + "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml", + "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml", +]