| |
| # cargo-vet imports lock |
| |
| [[publisher.aho-corasick]] |
| version = "1.0.5" |
| when = "2023-08-29" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.anstream]] |
| version = "0.5.0" |
| when = "2023-08-24" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.anstyle]] |
| version = "1.0.2" |
| when = "2023-08-23" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.anstyle-parse]] |
| version = "0.2.1" |
| when = "2023-06-20" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.anstyle-wincon]] |
| version = "2.1.0" |
| when = "2023-08-24" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.bstr]] |
| version = "1.6.2" |
| when = "2023-08-30" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.byteorder]] |
| version = "1.4.3" |
| when = "2021-03-10" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.bytes]] |
| version = "1.4.0" |
| when = "2023-01-31" |
| user-id = 6741 |
| user-login = "Darksonn" |
| user-name = "Alice Ryhl" |
| |
| [[publisher.cfg-expr]] |
| version = "0.15.4" |
| when = "2023-07-28" |
| user-id = 52553 |
| user-login = "embark-studios" |
| |
| [[publisher.clap]] |
| version = "4.4.2" |
| when = "2023-08-31" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.clap_builder]] |
| version = "4.4.2" |
| when = "2023-08-31" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.clap_derive]] |
| version = "4.4.2" |
| when = "2023-08-31" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.clap_lex]] |
| version = "0.5.1" |
| when = "2023-08-24" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.core-foundation]] |
| version = "0.9.3" |
| when = "2022-02-07" |
| user-id = 5946 |
| user-login = "jrmuizel" |
| user-name = "Jeff Muizelaar" |
| |
| [[publisher.core-foundation-sys]] |
| version = "0.8.4" |
| when = "2023-04-03" |
| user-id = 5946 |
| user-login = "jrmuizel" |
| user-name = "Jeff Muizelaar" |
| |
| [[publisher.encoding_rs]] |
| version = "0.8.33" |
| when = "2023-08-23" |
| user-id = 4484 |
| user-login = "hsivonen" |
| user-name = "Henri Sivonen" |
| |
| [[publisher.filetime]] |
| version = "0.2.22" |
| when = "2023-08-05" |
| user-id = 1 |
| user-login = "alexcrichton" |
| user-name = "Alex Crichton" |
| |
| [[publisher.globset]] |
| version = "0.4.13" |
| when = "2023-08-05" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.itoa]] |
| version = "1.0.9" |
| when = "2023-07-15" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.jobserver]] |
| version = "0.1.26" |
| when = "2023-02-28" |
| user-id = 1 |
| user-login = "alexcrichton" |
| user-name = "Alex Crichton" |
| |
| [[publisher.krates]] |
| version = "0.15.1" |
| when = "2023-09-03" |
| user-id = 52553 |
| user-login = "embark-studios" |
| |
| [[publisher.kstring]] |
| version = "2.0.0" |
| when = "2022-03-29" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.linux-raw-sys]] |
| version = "0.4.5" |
| when = "2023-07-31" |
| user-id = 6825 |
| user-login = "sunfishcode" |
| user-name = "Dan Gohman" |
| |
| [[publisher.memchr]] |
| version = "2.6.2" |
| when = "2023-08-30" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.num_cpus]] |
| version = "1.16.0" |
| when = "2023-06-29" |
| user-id = 359 |
| user-login = "seanmonstar" |
| user-name = "Sean McArthur" |
| |
| [[publisher.paste]] |
| version = "1.0.14" |
| when = "2023-07-15" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.regex]] |
| version = "1.9.4" |
| when = "2023-08-26" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.regex-automata]] |
| version = "0.3.7" |
| when = "2023-08-26" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.regex-syntax]] |
| version = "0.7.5" |
| when = "2023-08-26" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.rustix]] |
| version = "0.38.11" |
| when = "2023-08-31" |
| user-id = 6825 |
| user-login = "sunfishcode" |
| user-name = "Dan Gohman" |
| |
| [[publisher.rustversion]] |
| version = "1.0.14" |
| when = "2023-07-15" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.ryu]] |
| version = "1.0.15" |
| when = "2023-07-15" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.same-file]] |
| version = "1.0.6" |
| when = "2020-01-11" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.scopeguard]] |
| version = "1.2.0" |
| when = "2023-07-17" |
| user-id = 2915 |
| user-login = "Amanieu" |
| user-name = "Amanieu d'Antras" |
| |
| [[publisher.serde]] |
| version = "1.0.188" |
| when = "2023-08-26" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.serde_derive]] |
| version = "1.0.188" |
| when = "2023-08-26" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.serde_json]] |
| version = "1.0.105" |
| when = "2023-08-15" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.serde_spanned]] |
| version = "0.6.3" |
| when = "2023-06-24" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.spdx]] |
| version = "0.10.2" |
| when = "2023-07-14" |
| user-id = 52553 |
| user-login = "embark-studios" |
| |
| [[publisher.syn]] |
| version = "1.0.109" |
| when = "2023-02-24" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.syn]] |
| version = "2.0.29" |
| when = "2023-08-17" |
| user-id = 3618 |
| user-login = "dtolnay" |
| user-name = "David Tolnay" |
| |
| [[publisher.target-lexicon]] |
| version = "0.12.11" |
| when = "2023-07-31" |
| user-id = 6825 |
| user-login = "sunfishcode" |
| user-name = "Dan Gohman" |
| |
| [[publisher.termcolor]] |
| version = "1.2.0" |
| when = "2023-01-15" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.toml]] |
| version = "0.7.6" |
| when = "2023-07-05" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.toml_edit]] |
| version = "0.19.14" |
| when = "2023-07-14" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[publisher.unicode-normalization]] |
| version = "0.1.22" |
| when = "2022-09-16" |
| user-id = 1139 |
| user-login = "Manishearth" |
| user-name = "Manish Goregaokar" |
| |
| [[publisher.unicode-width]] |
| version = "0.1.10" |
| when = "2022-09-13" |
| user-id = 1139 |
| user-login = "Manishearth" |
| user-name = "Manish Goregaokar" |
| |
| [[publisher.walkdir]] |
| version = "2.3.3" |
| when = "2023-03-16" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.winapi-util]] |
| version = "0.1.5" |
| when = "2020-04-20" |
| user-id = 189 |
| user-login = "BurntSushi" |
| user-name = "Andrew Gallant" |
| |
| [[publisher.winnow]] |
| version = "0.5.15" |
| when = "2023-08-24" |
| user-id = 6743 |
| user-login = "epage" |
| user-name = "Ed Page" |
| |
| [[audits.embark.wildcard-audits.cfg-expr]] |
| who = "Jake Shadle <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 52553 # embark-studios |
| start = "2020-01-01" |
| end = "2024-05-23" |
| notes = "Maintained by Embark. No unsafe usage or ambient capabilities" |
| |
| [[audits.embark.wildcard-audits.krates]] |
| who = "Jake Shadle <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 52553 # embark-studios |
| start = "2020-01-01" |
| end = "2024-05-23" |
| notes = """ |
| Maintained by Embark. |
| |
| No unsafe usage but does allow calling of cargo via the cargo_metadata crate |
| """ |
| |
| [[audits.embark.wildcard-audits.spdx]] |
| who = "Jake Shadle <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 52553 # embark-studios |
| start = "2020-01-01" |
| end = "2024-05-23" |
| notes = "Maintained by Embark. No unsafe usage or ambient capabilities" |
| |
| [[audits.embark.audits.cargo_metadata]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.15.3 -> 0.15.4" |
| notes = "No notable changes" |
| |
| [[audits.embark.audits.cargo_metadata]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.15.4 -> 0.17.0" |
| notes = "No notable changes" |
| |
| [[audits.embark.audits.colorchoice]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.0.0" |
| notes = "No unsafe usage or ambient capabilities" |
| |
| [[audits.embark.audits.idna]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.0 -> 0.4.0" |
| notes = "No unsafe usage or ambient capabilities" |
| |
| [[audits.embark.audits.similar]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "2.2.1" |
| notes = "No unsafe usage or ambient capabilities" |
| |
| [[audits.embark.audits.tap]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.0.1" |
| notes = "No unsafe usage or ambient capabilities" |
| |
| [[audits.embark.audits.tinyvec_macros]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.1.0" |
| notes = "Inspected it and is a tiny crate with single safe macro" |
| |
| [[audits.embark.audits.toml_datetime]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.6.1 -> 0.6.2" |
| notes = "No notable changes" |
| |
| [[audits.embark.audits.utf8parse]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.2.1" |
| notes = "Single unsafe usage that looks sound, no ambient capabilities" |
| |
| [[audits.embark.audits.webpki-roots]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.22.4" |
| notes = "Inspected it to confirm that it only contains data definitions and no runtime code" |
| |
| [[audits.embark.audits.yaml-rust]] |
| who = "Johan Andersson <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.4.5" |
| notes = "No unsafe usage or ambient capabilities" |
| |
| [[audits.firefox.wildcard-audits.core-foundation]] |
| who = "Bobby Holley <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 5946 # Jeff Muizelaar (jrmuizel) |
| start = "2019-03-29" |
| end = "2023-05-04" |
| renew = false |
| notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." |
| |
| [[audits.firefox.wildcard-audits.core-foundation-sys]] |
| who = "Bobby Holley <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 5946 # Jeff Muizelaar (jrmuizel) |
| start = "2020-10-14" |
| end = "2023-05-04" |
| renew = false |
| notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." |
| |
| [[audits.firefox.wildcard-audits.encoding_rs]] |
| who = "Henri Sivonen <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 4484 # Henri Sivonen (hsivonen) |
| start = "2019-02-26" |
| end = "2024-08-28" |
| notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." |
| |
| [[audits.firefox.wildcard-audits.unicode-normalization]] |
| who = "Manish Goregaokar <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 1139 # Manish Goregaokar (Manishearth) |
| start = "2019-11-06" |
| end = "2024-05-03" |
| notes = "All code written or reviewed by Manish" |
| |
| [[audits.firefox.wildcard-audits.unicode-width]] |
| who = "Manish Goregaokar <[email protected]>" |
| criteria = "safe-to-deploy" |
| user-id = 1139 # Manish Goregaokar (Manishearth) |
| start = "2019-12-05" |
| end = "2024-05-03" |
| notes = "All code written or reviewed by Manish" |
| |
| [[audits.firefox.audits.autocfg]] |
| who = "Josh Stone <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.1.0" |
| notes = "All code written or reviewed by Josh Stone." |
| |
| [[audits.firefox.audits.block-buffer]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.2 -> 0.10.3" |
| |
| [[audits.firefox.audits.crossbeam-epoch]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.9.8 -> 0.9.10" |
| |
| [[audits.firefox.audits.crossbeam-epoch]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.9.10 -> 0.9.13" |
| |
| [[audits.firefox.audits.crossbeam-epoch]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.9.13 -> 0.9.14" |
| |
| [[audits.firefox.audits.crossbeam-queue]] |
| who = "Matthew Gregan <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.8" |
| |
| [[audits.firefox.audits.crossbeam-utils]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.8 -> 0.8.11" |
| |
| [[audits.firefox.audits.crossbeam-utils]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.11 -> 0.8.14" |
| |
| [[audits.firefox.audits.crypto-common]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.3 -> 0.1.6" |
| |
| [[audits.firefox.audits.digest]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.3 -> 0.10.6" |
| |
| [[audits.firefox.audits.fnv]] |
| who = "Bobby Holley <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.0.7" |
| notes = "Simple hasher implementation with no unsafe code." |
| |
| [[audits.firefox.audits.fs-err]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "2.8.1 -> 2.9.0" |
| |
| [[audits.firefox.audits.futures-channel]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.27 -> 0.3.28" |
| |
| [[audits.firefox.audits.futures-core]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.27 -> 0.3.28" |
| |
| [[audits.firefox.audits.futures-io]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.27 -> 0.3.28" |
| |
| [[audits.firefox.audits.futures-macro]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.21 -> 0.3.23" |
| |
| [[audits.firefox.audits.futures-macro]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.23 -> 0.3.25" |
| |
| [[audits.firefox.audits.futures-macro]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.25 -> 0.3.26" |
| |
| [[audits.firefox.audits.futures-macro]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.26 -> 0.3.28" |
| |
| [[audits.firefox.audits.futures-sink]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.27 -> 0.3.28" |
| |
| [[audits.firefox.audits.futures-task]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.21 -> 0.3.23" |
| |
| [[audits.firefox.audits.futures-task]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.23 -> 0.3.25" |
| |
| [[audits.firefox.audits.futures-task]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.25 -> 0.3.26" |
| |
| [[audits.firefox.audits.futures-task]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.26 -> 0.3.28" |
| |
| [[audits.firefox.audits.futures-util]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.21 -> 0.3.23" |
| |
| [[audits.firefox.audits.futures-util]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.23 -> 0.3.25" |
| |
| [[audits.firefox.audits.futures-util]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.25 -> 0.3.26" |
| |
| [[audits.firefox.audits.futures-util]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.26 -> 0.3.28" |
| |
| [[audits.firefox.audits.generic-array]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.14.5 -> 0.14.6" |
| |
| [[audits.firefox.audits.getrandom]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.6 -> 0.2.7" |
| |
| [[audits.firefox.audits.getrandom]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.7 -> 0.2.8" |
| |
| [[audits.firefox.audits.getrandom]] |
| who = "Yannis Juglaret <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.8 -> 0.2.9" |
| |
| [[audits.firefox.audits.goblin]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.3 -> 0.5.4" |
| notes = "Several bugfixes since 2019. This version is also in use by Mozilla's crash reporting tooling, e.g. minidump-writer" |
| |
| [[audits.firefox.audits.goblin]] |
| who = "Gabriele Svelto <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.5.4 -> 0.6.0" |
| notes = "Mostly bug fixes and some added functionality" |
| |
| [[audits.firefox.audits.goblin]] |
| who = "Gabriele Svelto <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.6.0 -> 0.7.1" |
| |
| [[audits.firefox.audits.hashbrown]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.12.3" |
| notes = "This version is used in rust's libstd, so effectively we're already trusting it" |
| |
| [[audits.firefox.audits.heck]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.4.0 -> 0.4.1" |
| |
| [[audits.firefox.audits.indexmap]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.9.1 -> 1.9.2" |
| |
| [[audits.firefox.audits.libc]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.126 -> 0.2.132" |
| |
| [[audits.firefox.audits.libc]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.132 -> 0.2.138" |
| |
| [[audits.firefox.audits.libc]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.138 -> 0.2.139" |
| |
| [[audits.firefox.audits.linked-hash-map]] |
| who = "Aria Beingessner <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.5.4" |
| notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs." |
| |
| [[audits.firefox.audits.linked-hash-map]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-run" |
| delta = "0.5.4 -> 0.5.6" |
| |
| [[audits.firefox.audits.memoffset]] |
| who = "Gabriele Svelto <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.6.5 -> 0.7.1" |
| |
| [[audits.firefox.audits.memoffset]] |
| who = "Gabriele Svelto <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.0 -> 0.9.0" |
| |
| [[audits.firefox.audits.nom]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "7.1.1 -> 7.1.3" |
| |
| [[audits.firefox.audits.num-traits]] |
| who = "Josh Stone <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.2.15" |
| notes = "All code written or reviewed by Josh Stone." |
| |
| [[audits.firefox.audits.object]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.28.4 -> 0.30.0" |
| |
| [[audits.firefox.audits.object]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.30.0 -> 0.30.3" |
| |
| [[audits.firefox.audits.once_cell]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.16.0 -> 1.17.1" |
| |
| [[audits.firefox.audits.proc-macro2]] |
| who = "Nika Layzell <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.0.39" |
| notes = """ |
| `proc-macro2` acts as either a thin(-ish) wrapper around the std-provided |
| `proc_macro` crate, or as a fallback implementation of the crate, depending on |
| where it is used. |
| |
| If using this crate on older versions of rustc (1.56 and earlier), it will |
| temporarily replace the panic handler while initializing in order to detect if |
| it is running within a `proc_macro`, which could lead to surprising behaviour. |
| This should not be an issue for more recent compiler versions, which support |
| `proc_macro::is_available()`. |
| |
| The `proc-macro2` crate's fallback behaviour is not identical to the complex |
| behaviour of the rustc compiler (e.g. it does not perform unicode normalization |
| for identifiers), however it behaves well enough for its intended use-case |
| (tests and scripts processing rust code). |
| |
| `proc-macro2` does not use unsafe code, however exposes one `unsafe` API to |
| allow bypassing checks in the fallback implementation when constructing |
| `Literal` using `from_str_unchecked`. This was intended to only be used by the |
| `quote!` macro, however it has been removed |
| (https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078), |
| and is likely completely unused. Even when used, this API shouldn't be able to |
| cause unsoundness. |
| """ |
| |
| [[audits.firefox.audits.proc-macro2]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.39 -> 1.0.43" |
| |
| [[audits.firefox.audits.proc-macro2]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.43 -> 1.0.49" |
| |
| [[audits.firefox.audits.proc-macro2]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.49 -> 1.0.51" |
| |
| [[audits.firefox.audits.rayon]] |
| who = "Josh Stone <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.5.3" |
| notes = "All code written or reviewed by Josh Stone or Niko Matsakis." |
| |
| [[audits.firefox.audits.rayon]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.5.3 -> 1.6.1" |
| |
| [[audits.firefox.audits.rayon-core]] |
| who = "Josh Stone <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.9.3" |
| notes = "All code written or reviewed by Josh Stone or Niko Matsakis." |
| |
| [[audits.firefox.audits.rayon-core]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.9.3 -> 1.10.1" |
| |
| [[audits.firefox.audits.rayon-core]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.10.1 -> 1.10.2" |
| |
| [[audits.firefox.audits.scroll]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.2 -> 0.11.0" |
| notes = "Small changes to exposed traits, that look reasonable and have additional buffer boundary checks. No unsafe code touched." |
| |
| [[audits.firefox.audits.scroll_derive]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.5 -> 0.11.0" |
| notes = "No code changes. Tagged together with its parent crate scroll." |
| |
| [[audits.firefox.audits.scroll_derive]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.11.0 -> 0.11.1" |
| |
| [[audits.firefox.audits.sha2]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.2 -> 0.10.6" |
| |
| [[audits.firefox.audits.time-core]] |
| who = "Kershaw Chang <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.1.0" |
| |
| [[audits.firefox.audits.typenum]] |
| who = "Mike Hommey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.15.0 -> 1.16.0" |
| |
| [[audits.firefox.audits.uluru]] |
| who = "Emilio Cobos Álvarez <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "3.0.0" |
| notes = """ |
| I've reviewed multiple patches in this crate, including the initial |
| implementation back in the day. It has no unsafe code at all nowadays. |
| """ |
| |
| [[audits.firefox.audits.unicode-bidi]] |
| who = "Makoto Kato <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.8 -> 0.3.13" |
| |
| [[audits.google.audits.version_check]] |
| who = "George Burgess IV <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.9.4" |
| aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" |
| |
| [[audits.isrg.audits.base64]] |
| who = "Tim Geoghegan <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.21.0 -> 0.21.1" |
| |
| [[audits.isrg.audits.base64]] |
| who = "Brandon Pitman <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.21.1 -> 0.21.2" |
| |
| [[audits.isrg.audits.base64]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.21.2 -> 0.21.3" |
| |
| [[audits.isrg.audits.block-buffer]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.9.0" |
| |
| [[audits.isrg.audits.digest]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.6 -> 0.10.7" |
| |
| [[audits.isrg.audits.getrandom]] |
| who = "Tim Geoghegan <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.9 -> 0.2.10" |
| notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`." |
| |
| [[audits.isrg.audits.libc]] |
| who = "Brandon Pitman <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.139 -> 0.2.141" |
| |
| [[audits.isrg.audits.num-traits]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.15 -> 0.2.16" |
| |
| [[audits.isrg.audits.once_cell]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.15.0 -> 1.16.0" |
| notes = """ |
| Changes to unsafe code in src/lib.rs, src/impl_std.rs, and src/imp_pl.rs are |
| functionally equivalent, and call unwrap_unchecked() on already-initialized |
| Options. The new implementation based on critical_section appears to be sound. |
| """ |
| |
| [[audits.isrg.audits.once_cell]] |
| who = "Brandon Pitman <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.17.1 -> 1.17.2" |
| |
| [[audits.isrg.audits.once_cell]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.17.2 -> 1.18.0" |
| |
| [[audits.isrg.audits.rayon]] |
| who = "Brandon Pitman <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.6.1 -> 1.7.0" |
| |
| [[audits.isrg.audits.rayon-core]] |
| who = "Brandon Pitman <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.10.2 -> 1.11.0" |
| |
| [[audits.isrg.audits.sha2]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.10.2" |
| |
| [[audits.isrg.audits.untrusted]] |
| who = "David Cook <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.7.1" |
| |
| [[audits.mozilla.audits.crossbeam-channel]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.5.7 -> 0.5.8" |
| notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition" |
| aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
| |
| [[audits.mozilla.audits.lazy_static]] |
| who = "Nika Layzell <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.4.0" |
| notes = "I have read over the macros, and audited the unsafe code." |
| aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" |
| |
| [[audits.mozilla.audits.libc]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.141 -> 0.2.146" |
| aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
| |
| [[audits.mozilla.audits.proc-macro2]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.57 -> 1.0.59" |
| notes = "Enabled on Wasm" |
| aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
| |
| [[audits.mozilla.audits.proc-macro2]] |
| who = "Jan-Erik Rediger <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.63 -> 1.0.66" |
| notes = "Removed special support for some really old Rust versions" |
| aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
| |
| [[audits.wasmtime.audits.addr2line]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.17.0 -> 0.19.0" |
| notes = """ |
| This is a minor update for addr2line which looks to mainly update its |
| dependencies and refactor existing code to expose more functionality and such. |
| """ |
| |
| [[audits.wasmtime.audits.addr2line]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.19.0 -> 0.20.0" |
| notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update." |
| |
| [[audits.wasmtime.audits.addr2line]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.20.0 -> 0.21.0" |
| notes = "This version bump updated some dependencies and optimized some internals. All looks good." |
| |
| [[audits.wasmtime.audits.adler]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.0.2" |
| notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." |
| |
| [[audits.wasmtime.audits.base64]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.21.0" |
| notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." |
| |
| [[audits.wasmtime.audits.block-buffer]] |
| who = "Benjamin Bouvier <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.9.0 -> 0.10.2" |
| |
| [[audits.wasmtime.audits.cargo_metadata]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.15.3" |
| notes = "no build, no unsafe, inputs to cargo command are reasonably sanitized" |
| |
| [[audits.wasmtime.audits.cfg-if]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.0.0" |
| notes = "I am the author of this crate." |
| |
| [[audits.wasmtime.audits.codespan-reporting]] |
| who = "Jamey Sharp <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.11.1" |
| notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O." |
| |
| [[audits.wasmtime.audits.crypto-common]] |
| who = "Benjamin Bouvier <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.1.3" |
| |
| [[audits.wasmtime.audits.digest]] |
| who = "Benjamin Bouvier <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.9.0 -> 0.10.3" |
| |
| [[audits.wasmtime.audits.futures-channel]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.27" |
| notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)" |
| |
| [[audits.wasmtime.audits.futures-core]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.27" |
| notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." |
| |
| [[audits.wasmtime.audits.futures-io]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.27" |
| |
| [[audits.wasmtime.audits.futures-sink]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.27" |
| |
| [[audits.wasmtime.audits.gimli]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.26.1 -> 0.27.0" |
| notes = """ |
| This is a standard update to gimli for more DWARF support for more platforms, |
| more features, etc. Some minor `unsafe` code was added that does not appear |
| incorrect. Otherwise looks like someone probably ran clippy and/or rustfmt. |
| """ |
| |
| [[audits.wasmtime.audits.gimli]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.27.0 -> 0.27.3" |
| notes = "More support for more DWARF, nothing major in this update. Some small refactorings and updates to publication of the package but otherwise everything's in order." |
| |
| [[audits.wasmtime.audits.gimli]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.27.3 -> 0.28.0" |
| notes = """ |
| Still looks like a good DWARF-parsing crate, nothing major was added or deleted |
| and no `unsafe` code to review here. |
| """ |
| |
| [[audits.wasmtime.audits.hashbrown]] |
| who = "Chris Fallin <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.12.3 -> 0.13.1" |
| notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious." |
| |
| [[audits.wasmtime.audits.hashbrown]] |
| who = "Trevor Elliott <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.13.1 -> 0.13.2" |
| notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did." |
| |
| [[audits.wasmtime.audits.heck]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.4.0" |
| notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation." |
| |
| [[audits.wasmtime.audits.idna]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.0" |
| notes = """ |
| This is a crate without unsafe code or usage of the standard library. The large |
| size of this crate comes from the large generated unicode tables file. This |
| crate is broadly used throughout the ecosystem and does not contain anything |
| suspicious. |
| """ |
| |
| [[audits.wasmtime.audits.libc]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.146 -> 0.2.147" |
| notes = "Only new type definitions and updating others for some platforms, no major changes" |
| |
| [[audits.wasmtime.audits.memoffset]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.7.1 -> 0.8.0" |
| notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes." |
| |
| [[audits.wasmtime.audits.miniz_oxide]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.7.1" |
| notes = """ |
| This crate is a Rust implementation of zlib compression/decompression and has |
| been used by default by the Rust standard library for quite some time. It's also |
| a default dependency of the popular `backtrace` crate for decompressing debug |
| information. This crate forbids unsafe code and does not otherwise access system |
| resources. It's originally a port of the `miniz.c` library as well, and given |
| its own longevity should be relatively hardened against some of the more common |
| compression-related issues. |
| """ |
| |
| [[audits.wasmtime.audits.mio]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.6 -> 0.8.8" |
| notes = "Mostly OS portability updates along with some minor bugfixes." |
| |
| [[audits.wasmtime.audits.object]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.30.3 -> 0.31.1" |
| notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary." |
| |
| [[audits.wasmtime.audits.object]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.31.1 -> 0.32.0" |
| notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good." |
| |
| [[audits.wasmtime.audits.openssl-probe]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.1.5" |
| notes = "IO is only checking for the existence of paths in the filesystem" |
| |
| [[audits.wasmtime.audits.pin-utils]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.1.0" |
| |
| [[audits.wasmtime.audits.proc-macro2]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.51 -> 1.0.57" |
| |
| [[audits.wasmtime.audits.proc-macro2]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.0.59 -> 1.0.63" |
| notes = """ |
| This is a routine update for new nightly features and new syntax popping up on |
| nightly, nothing out of the ordinary. |
| """ |
| |
| [[audits.wasmtime.audits.rustc-demangle]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.1.21" |
| notes = "I am the author of this crate." |
| |
| [[audits.wasmtime.audits.rustls-webpki]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.100.1" |
| |
| [[audits.wasmtime.audits.rustls-webpki]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.100.1 -> 0.101.4" |
| |
| [[audits.wasmtime.audits.sct]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.7.0" |
| notes = "no unsafe, no build, no ambient capabilities" |
| |
| [[audits.wasmtime.audits.smallvec]] |
| who = "Dan Gohman <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.8.0 -> 1.11.0" |
| notes = """ |
| The main change is the switch to use `NonNull<T>` internally instead of |
| `*mut T`. This seems reasonable, as `Vec` also never stores a null pointer, |
| and in particular the new `NonNull::new_unchecked`s look ok. |
| |
| Most of the rest of the changes are adding some new unstable features which |
| aren't enabled by default. |
| """ |
| |
| [[audits.wasmtime.audits.tinyvec]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "1.6.0" |
| notes = """ |
| This crate, while it implements collections, does so without `std::*` APIs and |
| without `unsafe`. Skimming the crate everything looks reasonable and what one |
| would expect from idiomatic safe collections in Rust. |
| """ |
| |
| [[audits.wasmtime.audits.tracing]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.34 -> 0.1.37" |
| notes = """ |
| A routine set of updates for the tracing crate this includes minor refactorings, |
| addition of benchmarks, some test updates, but overall nothing out of the |
| ordinary. |
| """ |
| |
| [[audits.wasmtime.audits.tracing-core]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.28 -> 0.1.31" |
| notes = """ |
| This is a relatively minor set of releases with minor refactorings and bug |
| fixes. Nothing fundamental was added in these changes. |
| """ |
| |
| [[audits.wasmtime.audits.try-lock]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.2.4" |
| notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" |
| |
| [[audits.wasmtime.audits.unicode-bidi]] |
| who = "Alex Crichton <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.8" |
| notes = """ |
| This crate has no unsafe code and does not use `std::*`. Skimming the crate it |
| does not attempt to out of the bounds of what it's already supposed to be doing. |
| """ |
| |
| [[audits.wasmtime.audits.want]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.3.0" |
| |
| [[audits.wasmtime.audits.webpki-roots]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.22.4 -> 0.23.0" |
| |
| [[audits.wasmtime.audits.webpki-roots]] |
| who = "Pat Hickey <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.23.0 -> 0.25.2" |
| |
| [[audits.zcash.audits.block-buffer]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.3 -> 0.10.4" |
| notes = "Adds panics to prevent a block size of zero from causing unsoundness." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.crossbeam-channel]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.5.6 -> 0.5.7" |
| notes = "Fixes wrapping overflows for large timeouts." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.crossbeam-deque]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.2 -> 0.8.3" |
| notes = "No new code." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.crossbeam-epoch]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.9.14 -> 0.9.15" |
| notes = "Bumps memoffset to 0.9, and unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.crossbeam-utils]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.14 -> 0.8.15" |
| notes = """ |
| - Fixes a wrapping overflow for large timeouts. |
| - Marks some BPF and Sony Vita targets as not having atomics. |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.crossbeam-utils]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.15 -> 0.8.16" |
| notes = """ |
| - Fixes cache line alignment for some targets. |
| - Replaces `mem::replace` with `Option::take` inside `unsafe` blocks. |
| - Unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics. |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.generic-array]] |
| who = "Sean Bowe <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.14.6 -> 0.14.7" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.hashbrown]] |
| who = "Daira Emma Hopwood <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.13.2 -> 0.14.0" |
| notes = """ |
| There is some additional use of unsafe code but the changes in this crate looked plausible. |
| There is a new default dependency on the `allocator-api2` crate, which itself has quite a lot of unsafe code. |
| Many previously undocumented safety requirements have been documented. |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.http]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.2.8 -> 0.2.9" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.hyper]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.14.25 -> 0.14.26" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.hyper]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.14.26 -> 0.14.27" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.indexmap]] |
| who = "Sean Bowe <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "1.9.2 -> 1.9.3" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.ipnet]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "2.5.0 -> 2.7.1" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.ipnet]] |
| who = "Sean Bowe <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "2.7.1 -> 2.7.2" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.ipnet]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "2.7.2 -> 2.8.0" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.mio]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.2 -> 0.8.4" |
| notes = """ |
| Migrates from winapi to windows-sys. The changes to API usage look reasonable |
| based on what I've seen in other uses of the windows-sys crate. Unsafe code |
| falls into two categories: |
| - Usage of `mem::zeroed()`, which doesn't look obviously wrong. The |
| `..unsafe { mem::zeroed() }` in `sys::unix::selector::kqueue` looks weird |
| but AFAICT is saying \"take any unspecified fields from an instance of this |
| struct that has been zero-initialized\", which is fine for integer fields. It |
| would be nice if there was documentation to this effect (explaining why this |
| is done instead of `..Default::default()`). |
| - Calls to Windows API methods. These are either pre-existing (and altered for |
| the differences in the crate abstractions), or newly added in logic that |
| appears to be copied from miow 0.3.6 (I scanned this by eye and didn't see |
| any noteworthy changes other than handling windows-sys API differences). |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.mio]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.4 -> 0.8.5" |
| notes = "The only unsafe changes are in epoll_create1 failure cases. Usage of epoll_create and fcntl looks fine; it is vulnerable to a race condition in multithreaded programs that fork child processes, but epoll_create1 is how you avoid this problem. See the discussion of the O_CLOEXEC flag in the open(2) man page for details." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.mio]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.8.5 -> 0.8.6" |
| notes = """ |
| New `unsafe` usages: |
| - `NonZeroU8::new_unchecked`: I verified the constant is non-zero. |
| - Additional `syscall!(close(socket))` calls before returning errors. |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.parking_lot]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.11.2 -> 0.12.1" |
| notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.rustc-demangle]] |
| who = "Sean Bowe <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.21 -> 0.1.22" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.rustc-demangle]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.22 -> 0.1.23" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.sha2]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.10.6 -> 0.10.7" |
| notes = """ |
| The new `unsafe` assembly backend only uses aarch64 intrinsics, via their typed |
| Rust APIs (aside from the SHA2-specific intrinsics that are not in Rust yet). I |
| did not perform a cryptographic review, but the code to load from and store into |
| the function arguments looks correct. |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.time-core]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.0 -> 0.1.1" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.tinyvec_macros]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.1.0 -> 0.1.1" |
| notes = "Adds `#![forbid(unsafe_code)]` and license files." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.toml_datetime]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| version = "0.5.1" |
| notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.toml_datetime]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.5.1 -> 0.6.1" |
| notes = "Fixes a bug in parsing negative minutes in datetime string offsets." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.toml_datetime]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.6.2 -> 0.6.3" |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.want]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.3.0 -> 0.3.1" |
| notes = """ |
| Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked |
| `unsafe` (but that were being used safely). |
| """ |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
| |
| [[audits.zcash.audits.wyz]] |
| who = "Jack Grigg <[email protected]>" |
| criteria = "safe-to-deploy" |
| delta = "0.5.0 -> 0.5.1" |
| notes = "Only change to unsafe code is to extract a drop impl into a method. I note however that most of the changes in the published 0.5.1 are not present in the v0.5.1 tag on the GitHub repository." |
| aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
