diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7b76b706..977fa9a6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -86,7 +86,7 @@ jobs: name: Vet Dependencies runs-on: ubuntu-latest env: - CARGO_VET_VERSION: 0.9.1 + CARGO_VET_VERSION: 0.10.1 steps: - uses: actions/checkout@v4 - uses: dtolnay/rust-toolchain@stable diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 47639e67..4614c960 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1,7 +1,10 @@ # cargo-vet audits file -[audits] +[[audits.num_enum_derive]] +who = "Gwen Lg " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.7.3" [[trusted.byteorder]] criteria = "safe-to-deploy" @@ -11,7 +14,7 @@ end = "2024-06-08" [[trusted.bytes]] criteria = "safe-to-deploy" -user-id = 6741 # Alice Ryhl (Darksonn) +user-id = 6741 start = "2021-01-11" end = "2024-06-08" @@ -209,7 +212,7 @@ end = "2024-06-14" [[trusted.smallvec]] criteria = "safe-to-deploy" -user-id = 2017 # Matt Brubeck (mbrubeck) +user-id = 2017 start = "2019-10-28" end = "2024-06-08" diff --git a/supply-chain/config.toml b/supply-chain/config.toml index f88ce1fd..8bc30ce2 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -2,9 +2,12 @@ # cargo-vet config file [cargo-vet] -version = "0.9" +version = "0.10" -[imports.embark] +[imports.actix] +url = "https://raw.githubusercontent.com/actix/supply-chain/main/audits.toml" + +[imports.embark-studios] url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [imports.fermyon] @@ -51,10 +54,6 @@ audit-as-crates-io = false criteria = [] notes = "Not used, Redox OS-only" -[policy.redox_users] -criteria = [] -notes = "Not used, Redox OS-only" - [policy.wasi] criteria = [] notes = "Not used, unsupported target" @@ -136,11 +135,11 @@ version = "0.15.1" criteria = "safe-to-deploy" [[exemptions.calloop]] -version = "0.12.3" +version = "0.13.0" criteria = "safe-to-deploy" [[exemptions.calloop-wayland-source]] -version = "0.2.0" +version = "0.3.0" criteria = "safe-to-deploy" [[exemptions.cesu8]] diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 21659ec4..dcc7fc6a 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -2,8 +2,8 @@ # cargo-vet imports lock [[publisher.bumpalo]] -version = "3.14.0" -when = "2023-09-14" +version = "3.16.0" +when = "2024-04-08" user-id = 696 user-login = "fitzgen" user-name = "Nick Fitzgerald" @@ -15,33 +15,12 @@ user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" -[[publisher.bytes]] -version = "1.5.0" -when = "2023-09-07" -user-id = 6741 -user-login = "Darksonn" -user-name = "Alice Ryhl" - [[publisher.cfg-expr]] -version = "0.15.6" -when = "2024-01-02" +version = "0.15.8" +when = "2024-04-10" user-id = 52553 user-login = "embark-studios" -[[publisher.clap]] -version = "4.4.14" -when = "2024-01-08" -user-id = 6743 -user-login = "epage" -user-name = "Ed Page" - -[[publisher.clap_builder]] -version = "4.4.14" -when = "2024-01-08" -user-id = 6743 -user-login = "epage" -user-name = "Ed Page" - [[publisher.core-foundation]] version = "0.9.3" when = "2022-02-07" @@ -49,13 +28,6 @@ user-id = 5946 user-login = "jrmuizel" user-name = "Jeff Muizelaar" -[[publisher.core-foundation-sys]] -version = "0.8.4" -when = "2023-04-03" -user-id = 5946 -user-login = "jrmuizel" -user-name = "Jeff Muizelaar" - [[publisher.core-graphics]] version = "0.22.3" when = "2021-11-02" @@ -71,8 +43,8 @@ user-login = "jdm" user-name = "Josh Matthews" [[publisher.enumn]] -version = "0.1.13" -when = "2024-01-02" +version = "0.1.12" +when = "2023-09-02" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -85,12 +57,19 @@ user-login = "cuviper" user-name = "Josh Stone" [[publisher.itoa]] -version = "1.0.10" -when = "2023-12-09" +version = "1.0.11" +when = "2024-03-26" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[publisher.jobserver]] +version = "0.1.25" +when = "2022-09-23" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + [[publisher.js-sys]] version = "0.3.66" when = "2023-11-27" @@ -106,61 +85,40 @@ user-login = "sunfishcode" user-name = "Dan Gohman" [[publisher.lock_api]] -version = "0.4.11" -when = "2023-10-17" +version = "0.4.12" +when = "2024-04-25" user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.memchr]] -version = "2.7.1" -when = "2023-12-28" +version = "2.5.0" +when = "2022-04-30" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.parking_lot]] -version = "0.12.1" -when = "2022-05-31" +version = "0.12.3" +when = "2024-05-24" user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.parking_lot_core]] -version = "0.9.9" -when = "2023-10-17" +version = "0.9.10" +when = "2024-04-25" user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" -[[publisher.proc-macro2]] -version = "1.0.76" -when = "2024-01-06" -user-id = 3618 -user-login = "dtolnay" -user-name = "David Tolnay" - [[publisher.rayon]] -version = "1.8.0" -when = "2023-09-20" -user-id = 539 -user-login = "cuviper" -user-name = "Josh Stone" - -[[publisher.rayon-core]] -version = "1.12.0" -when = "2023-09-20" +version = "1.10.0" +when = "2024-03-24" user-id = 539 user-login = "cuviper" user-name = "Josh Stone" -[[publisher.regex]] -version = "1.8.4" -when = "2023-06-05" -user-id = 189 -user-login = "BurntSushi" -user-name = "Andrew Gallant" - [[publisher.rustix]] version = "0.38.28" when = "2023-12-09" @@ -169,29 +127,29 @@ user-login = "sunfishcode" user-name = "Dan Gohman" [[publisher.ryu]] -version = "1.0.16" -when = "2023-12-09" +version = "1.0.18" +when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde]] -version = "1.0.195" -when = "2024-01-06" +version = "1.0.203" +when = "2024-05-25" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_derive]] -version = "1.0.195" -when = "2024-01-06" +version = "1.0.203" +when = "2024-05-25" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_json]] -version = "1.0.111" -when = "2024-01-04" +version = "1.0.117" +when = "2024-05-08" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -203,13 +161,6 @@ user-id = 6743 user-login = "epage" user-name = "Ed Page" -[[publisher.smallvec]] -version = "1.11.2" -when = "2023-11-09" -user-id = 2017 -user-login = "mbrubeck" -user-name = "Matt Brubeck" - [[publisher.syn]] version = "2.0.48" when = "2024-01-04" @@ -232,8 +183,22 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.unicode-segmentation]] -version = "1.10.1" -when = "2023-01-31" +version = "1.12.0" +when = "2024-09-13" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unicode-width]] +version = "0.1.14" +when = "2024-09-19" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unicode-xid]] +version = "0.2.6" +when = "2024-09-19" user-id = 1139 user-login = "Manishearth" user-name = "Manish Goregaokar" @@ -288,8 +253,8 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.winapi-util]] -version = "0.1.6" -when = "2023-09-20" +version = "0.1.8" +when = "2024-04-25" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" @@ -469,7 +434,9 @@ user-id = 6743 user-login = "epage" user-name = "Ed Page" -[[audits.embark.wildcard-audits.cfg-expr]] +[audits.actix.audits] + +[[audits.embark-studios.wildcard-audits.cfg-expr]] who = "Jake Shadle " criteria = "safe-to-deploy" user-id = 52553 # embark-studios @@ -477,25 +444,19 @@ start = "2020-01-01" end = "2024-05-23" notes = "Maintained by Embark. No unsafe usage or ambient capabilities" -[[audits.embark.audits.cfg_aliases]] +[[audits.embark-studios.audits.cfg_aliases]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.1" notes = "No unsafe usage or ambient capabilities" -[[audits.embark.audits.epaint]] +[[audits.embark-studios.audits.epaint]] who = "Johan Andersson " criteria = "safe-to-deploy" violation = "<0.20.0" notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321" -[[audits.embark.audits.idna]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "0.3.0 -> 0.4.0" -notes = "No unsafe usage or ambient capabilities" - -[[audits.embark.audits.jni]] +[[audits.embark-studios.audits.jni]] who = "Robert Bragg " criteria = "safe-to-deploy" version = "0.21.1" @@ -544,76 +505,41 @@ https://github.com/signalapp/libsignal/blob/main/rust/bridge/jni/Cargo.toml code may expose the JVM to invalid booleans with undefined behaviour """ -[[audits.embark.audits.natord]] +[[audits.embark-studios.audits.natord]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.9" notes = "Inspected and it is a tiny crate with no unsafe or system interactions, just string comparisons" -[[audits.embark.audits.ndk-context]] +[[audits.embark-studios.audits.ndk-context]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.1" notes = "Tiny crate that initializes Android with FFI, looks sane. No other ambient capabilities" -[[audits.embark.audits.nohash-hasher]] +[[audits.embark-studios.audits.nohash-hasher]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.2.0" notes = "Tiny crate with no dependencies, no unsafe, and no ambient capabilities" -[[audits.embark.audits.num_enum]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.5.11" -notes = "No unsafe usage or ambient capabilities" - -[[audits.embark.audits.num_enum]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "0.5.11 -> 0.6.1" -notes = "Minor changes" - -[[audits.embark.audits.num_enum]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -delta = "0.6.1 -> 0.7.0" - -[[audits.embark.audits.num_enum_derive]] +[[audits.embark-studios.audits.num_enum_derive]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.5.11" notes = "Proc macro that generates some unsafe code for conversion but looks sound, no ambient capabilities" -[[audits.embark.audits.num_enum_derive]] +[[audits.embark-studios.audits.num_enum_derive]] who = "Johan Andersson " criteria = "safe-to-deploy" delta = "0.5.11 -> 0.6.1" notes = "Minor changes" -[[audits.embark.audits.num_enum_derive]] +[[audits.embark-studios.audits.num_enum_derive]] who = "Johan Andersson " criteria = "safe-to-deploy" delta = "0.6.1 -> 0.7.0" -[[audits.embark.audits.tinyvec_macros]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.1.0" -notes = "Inspected it and is a tiny crate with single safe macro" - -[[audits.embark.audits.vec1]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "1.10.1" -notes = "No unsafe usage or ambient capabilities" - -[[audits.embark.audits.version-compare]] -who = "Johan Andersson " -criteria = "safe-to-deploy" -version = "0.1.1" -notes = "No unsafe usage or ambient capabilities" - [[audits.fermyon.audits.oorandom]] who = "Radu Matei " criteria = "safe-to-run" @@ -628,15 +554,6 @@ end = "2023-05-04" renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." -[[audits.firefox.wildcard-audits.core-foundation-sys]] -who = "Bobby Holley " -criteria = "safe-to-deploy" -user-id = 5946 # Jeff Muizelaar (jrmuizel) -start = "2020-10-14" -end = "2023-05-04" -renew = false -notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." - [[audits.firefox.wildcard-audits.core-graphics]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -660,7 +577,23 @@ who = "Manish Goregaokar " criteria = "safe-to-deploy" user-id = 1139 # Manish Goregaokar (Manishearth) start = "2019-05-15" -end = "2024-05-03" +end = "2026-02-01" +notes = "All code written or reviewed by Manish" + +[[audits.firefox.wildcard-audits.unicode-width]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-12-05" +end = "2026-02-01" +notes = "All code written or reviewed by Manish" + +[[audits.firefox.wildcard-audits.unicode-xid]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-07-25" +end = "2026-02-01" notes = "All code written or reviewed by Manish" [[audits.firefox.audits.ahash]] @@ -673,23 +606,54 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.68 -> 1.0.69" -[[audits.firefox.audits.autocfg]] -who = "Josh Stone " +[[audits.firefox.audits.bit-set]] +who = "Teodor Tanasoaia " criteria = "safe-to-deploy" -version = "1.1.0" -notes = "All code written or reviewed by Josh Stone." +delta = "0.5.3 -> 0.6.0" + +[[audits.firefox.audits.bit-set]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.6.0 -> 0.8.0" + +[[audits.firefox.audits.bit-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." + +[[audits.firefox.audits.bit-vec]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.6.3 -> 0.7.0" + +[[audits.firefox.audits.bit-vec]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.7.0 -> 0.8.0" [[audits.firefox.audits.cc]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.73 -> 1.0.78" +[[audits.firefox.audits.cfg_aliases]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.1" +notes = "Very minor changes." + [[audits.firefox.audits.core-foundation]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.9.3 -> 0.9.4" notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +[[audits.firefox.audits.core-foundation]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.9.4 -> 0.10.0" + [[audits.firefox.audits.core-graphics]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" @@ -706,6 +670,11 @@ criteria = "safe-to-deploy" delta = "0.1.2 -> 0.1.3" notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +[[audits.firefox.audits.crossbeam-channel]] +who = "Glenn Watson " +criteria = "safe-to-deploy" +delta = "0.5.12 -> 0.5.13" + [[audits.firefox.audits.crossbeam-utils]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -716,11 +685,42 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.8.11 -> 0.8.14" +[[audits.firefox.audits.crossbeam-utils]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.8.19 -> 0.8.20" +notes = "Minor changes." + +[[audits.firefox.audits.crossbeam-utils]] +who = "Lars Eggert " +criteria = "safe-to-deploy" +delta = "0.8.20 -> 0.8.21" + +[[audits.firefox.audits.deranged]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.3.11" +notes = """ +This crate contains a decent bit of `unsafe` code, however all internal +unsafety is verified with copious assertions (many are compile-time), and +otherwise the unsafety is documented and left to the caller to verify. +""" + [[audits.firefox.audits.document-features]] who = "Erich Gubler " criteria = "safe-to-deploy" version = "0.2.8" +[[audits.firefox.audits.document-features]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.2.8 -> 0.2.9" + +[[audits.firefox.audits.document-features]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.10" + [[audits.firefox.audits.enum-map]] who = "Kershaw Chang " criteria = "safe-to-deploy" @@ -731,11 +731,6 @@ who = "Kershaw Chang " criteria = "safe-to-deploy" version = "0.17.0" -[[audits.firefox.audits.errno]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.3.1 -> 0.3.3" - [[audits.firefox.audits.foreign-types]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" @@ -761,35 +756,90 @@ who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "1.2.0 -> 1.2.1" -[[audits.firefox.audits.half]] -who = "John M. Schanck " +[[audits.firefox.audits.icu_collections]] +who = "Makoto Kato " criteria = "safe-to-deploy" -version = "1.8.2" -notes = """ -This crate contains unsafe code for bitwise casts to/from binary16 floating-point -format. I've reviewed these and found no issues. There are no uses of ambient -capabilities. -""" +version = "1.2.0" +notes = "This crate is used by ICU4X for internal data structure. There is no fileaccess and network access. This uses unsafe block, but we confirm data is valid before." -[[audits.firefox.audits.heck]] -who = "Mike Hommey " +[[audits.firefox.audits.icu_collections]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "1.2.0 -> 1.4.0" + +[[audits.firefox.audits.icu_collections]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" + +[[audits.firefox.audits.icu_locid]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +version = "1.2.0" +notes = "This has unsafe block to handle ascii string in utf-8 string. I've vetted the one instance of unsafe code." + +[[audits.firefox.audits.icu_locid]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "1.2.0 -> 1.4.0" + +[[audits.firefox.audits.icu_locid]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" + +[[audits.firefox.audits.icu_normalizer]] +who = "Henri Sivonen " criteria = "safe-to-deploy" -delta = "0.4.0 -> 0.4.1" +version = "1.5.0" +notes = "I, Henri Sivonen, am the principal author of this crate." + +[[audits.firefox.audits.icu_normalizer_data]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +version = "1.5.0" + +[[audits.firefox.audits.icu_properties]] +who = "Jonathan Kew " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "This is used by ICU4X for character property lookup. The few (4) usages of unsafe have comments clarifying their safety." + +[[audits.firefox.audits.icu_properties]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" + +[[audits.firefox.audits.icu_properties_data]] +who = "Jonathan Kew " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "Compile-time static data for the icu_properties crate." + +[[audits.firefox.audits.icu_properties_data]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" -[[audits.firefox.audits.idna]] +[[audits.firefox.audits.idna_adapter]] who = "Valentin Gosu " criteria = "safe-to-deploy" -delta = "0.4.0 -> 0.5.0" +version = "1.2.0" -[[audits.firefox.audits.litrs]] +[[audits.firefox.audits.libloading]] who = "Erich Gubler " criteria = "safe-to-deploy" -version = "0.4.1" +delta = "0.7.4 -> 0.8.3" -[[audits.firefox.audits.log]] -who = "Mike Hommey " +[[audits.firefox.audits.libloading]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.8.3 -> 0.8.6" + +[[audits.firefox.audits.litrs]] +who = "Erich Gubler " criteria = "safe-to-deploy" -version = "0.4.17" +version = "0.4.1" [[audits.firefox.audits.malloc_buf]] who = "Bobby Holley " @@ -812,97 +862,551 @@ who = "Gabriele Svelto " criteria = "safe-to-deploy" delta = "0.6.5 -> 0.7.1" -[[audits.firefox.audits.num-traits]] -who = "Josh Stone " +[[audits.firefox.audits.metal]] +who = "Jim Blandy " criteria = "safe-to-deploy" -version = "0.2.15" -notes = "All code written or reviewed by Josh Stone." +version = "0.23.1" +notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer." -[[audits.firefox.audits.percent-encoding]] -who = "Valentin Gosu " +[[audits.firefox.audits.metal]] +who = "Jim Blandy " criteria = "safe-to-deploy" -delta = "2.2.0 -> 2.3.0" +delta = "0.23.1 -> 0.24.0" +notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer." -[[audits.firefox.audits.percent-encoding]] -who = "Valentin Gosu " +[[audits.firefox.audits.metal]] +who = "Teodor Tanasoaia " criteria = "safe-to-deploy" -delta = "2.3.0 -> 2.3.1" +delta = "0.24.0 -> 0.25.0" -[[audits.firefox.audits.raw-window-handle]] -who = "Jim Blandy " +[[audits.firefox.audits.metal]] +who = "Erich Gubler " criteria = "safe-to-deploy" -version = "0.5.0" -notes = "I looked through all the sources of the v0.5.0 crate." +delta = "0.25.0 -> 0.26.0" -[[audits.firefox.audits.raw-window-handle]] -who = "Mike Hommey " +[[audits.firefox.audits.metal]] +who = "Nicolas Silva , Jim Blandy " criteria = "safe-to-deploy" -delta = "0.5.0 -> 0.5.2" +delta = "0.26.0 -> 0.27.0" -[[audits.firefox.audits.raw-window-handle]] -who = "Nicolas Silva " +[[audits.firefox.audits.metal]] +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "0.5.2 -> 0.6.0" +delta = "0.27.0 -> 0.28.0" +notes = "No significantly changed functionality. Some warnings resolved, bumped `core-graphics-types`, newer versions of Metal supported." -[[audits.firefox.audits.ron]] -who = "Mike Hommey " +[[audits.firefox.audits.metal]] +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "0.8.0 -> 0.8.1" +delta = "0.28.0 -> 0.29.0" -[[audits.firefox.audits.time-core]] -who = "Kershaw Chang " +[[audits.firefox.audits.metal]] +who = "Erich Gubler " criteria = "safe-to-deploy" -version = "0.1.0" +delta = "0.29.0 -> 0.30.0" -[[audits.firefox.audits.unicode-bidi]] -who = "Makoto Kato " +[[audits.firefox.audits.metal]] +who = "Erich Gubler " criteria = "safe-to-deploy" -delta = "0.3.8 -> 0.3.13" +delta = "0.30.0 -> 0.31.0" -[[audits.firefox.audits.unicode-bidi]] -who = "Jonathan Kew " +[[audits.firefox.audits.naga]] +who = "Dzmitry Malyshau " criteria = "safe-to-deploy" -delta = "0.3.13 -> 0.3.14" -notes = "I am the author of the bulk of the upstream changes in this version, and also checked the remaining post-0.3.13 changes." +version = "0.8.0" +notes = """ +This crate, up through the indicated version, was written or reviewed +by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left +Mozilla at the beginning of February 2022. This audit statement was +collected by Jim Blandy, a Mozilla employee, over email in July 2022: +Dzmitry was shown, and agreed to, the 'safe-to-deploy' text. +""" -[[audits.firefox.audits.url]] -who = "Valentin Gosu " +[[audits.firefox.audits.naga]] +who = "Jim Blandy " criteria = "safe-to-deploy" -version = "2.4.0" +delta = "0.8.0 -> 0.9.0" -[[audits.firefox.audits.url]] -who = "Valentin Gosu " +[[audits.firefox.audits.naga]] +who = "Jim Blandy " criteria = "safe-to-deploy" -delta = "2.4.0 -> 2.4.1" +delta = "0.9.0 -> 0.10.0" -[[audits.firefox.audits.url]] -who = "Valentin Gosu " +[[audits.firefox.audits.naga]] +who = "Nicolas Silva " criteria = "safe-to-deploy" -delta = "2.4.1 -> 2.5.0" +delta = "0.10.0 -> 0.11.0" -[[audits.google.audits.aho-corasick]] -who = "danakj@chromium.org" +[[audits.firefox.audits.naga]] +who = "Nicolas Silva " criteria = "safe-to-deploy" -version = "1.1.2" -notes = """ -Reviewed in https://crrev.com/c/5171063 - -Previously reviewed during security review and the audit is grandparented in. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +delta = "0.11.0 -> 0.12.0" -[[audits.google.audits.anstyle]] -who = "Yu-An Wang " +[[audits.firefox.audits.naga]] +who = "Nicolas Silva " criteria = "safe-to-deploy" -version = "1.0.4" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "0.12.0 -> 0.13.0" -[[audits.google.audits.anyhow]] -who = "ChromeOS" +[[audits.firefox.audits.naga]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.14.0" + +[[audits.firefox.audits.naga]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.14.0 -> 0.19.2" + +[[audits.firefox.audits.naga]] +who = [ + "Jim Blandy ", + "Nicolas Silva ", + "Erich Gubler ", + "Teodor Tanasoaia ", +] +criteria = "safe-to-deploy" +delta = "0.19.2 -> 0.20.0" + +[[audits.firefox.audits.naga]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.20.0 -> 22.0.0" + +[[audits.firefox.audits.naga]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "22.0.0 -> 23.0.0" + +[[audits.firefox.audits.naga]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "23.0.0 -> 23.1.0" + +[[audits.firefox.audits.naga]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "23.1.0 -> 24.0.0" + +[[audits.firefox.audits.num-conv]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.0" +notes = """ +Very straightforward, simple crate. No dependencies, unsafe, extern, +side-effectful std functions, etc. +""" + +[[audits.firefox.audits.once_cell]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "1.20.1 -> 1.20.2" +notes = "This update works around a Cargo bug that forces the addition of `portable-atomic` into a lockfile, which we have never needed to use." + +[[audits.firefox.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.2.0 -> 2.3.0" + +[[audits.firefox.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.3.0 -> 2.3.1" + +[[audits.firefox.audits.powerfmt]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.2.0" +notes = """ +A tiny bit of unsafe code to implement functionality that isn't in stable rust +yet, but it's all valid. Otherwise it's a pretty simple crate. +""" + +[[audits.firefox.audits.raw-window-handle]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +version = "0.5.0" +notes = "I looked through all the sources of the v0.5.0 crate." + +[[audits.firefox.audits.raw-window-handle]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.0 -> 0.5.2" + +[[audits.firefox.audits.raw-window-handle]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "0.5.2 -> 0.6.0" + +[[audits.firefox.audits.raw-window-handle]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.6.0 -> 0.6.2" + +[[audits.firefox.audits.ron]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.8.0 -> 0.8.1" + +[[audits.firefox.audits.rustc-hash]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "Straightforward crate with no unsafe code, does what it says on the tin." + +[[audits.firefox.audits.rustc-hash]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 2.1.1" +notes = "Simple hashing crate, no unsafe code." + +[[audits.firefox.audits.shlex]] +who = "Max Inden " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 1.3.0" + +[[audits.firefox.audits.strum]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.26.3" + +[[audits.firefox.audits.strum_macros]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.3 -> 0.26.4" + +[[audits.firefox.audits.time-core]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.firefox.audits.time-core]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" + +[[audits.firefox.audits.time-core]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.1.2" + +[[audits.firefox.audits.tracing]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.37" +notes = """ +There's only one unsafe impl, and its purpose is to ensure correct behavior by +creating a non-Send marker type (it has nothing to do with soundness). All +dependencies make sense, and no side-effectful std functions are used. +""" + +[[audits.firefox.audits.tracing]] +who = "Mark Hammond " +criteria = "safe-to-deploy" +delta = "0.1.37 -> 0.1.41" + +[[audits.firefox.audits.tracing-core]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.30" +notes = """ +Most unsafe code is in implementing non-std sync primitives. Unsafe impls are +logically correct and justified in comments, and unsafe code is sound and +justified in comments. +""" + +[[audits.firefox.audits.tracing-core]] +who = "Mark Hammond " +criteria = "safe-to-deploy" +delta = "0.1.30 -> 0.1.33" + +[[audits.firefox.audits.unicode-bidi]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.13" + +[[audits.firefox.audits.unicode-bidi]] +who = "Jonathan Kew " +criteria = "safe-to-deploy" +delta = "0.3.13 -> 0.3.14" +notes = "I am the author of the bulk of the upstream changes in this version, and also checked the remaining post-0.3.13 changes." + +[[audits.firefox.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +version = "2.4.0" + +[[audits.firefox.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" + +[[audits.firefox.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.4.1 -> 2.5.0" + +[[audits.firefox.audits.url]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +delta = "2.5.0 -> 2.5.1" + +[[audits.firefox.audits.url]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.5.1 -> 2.5.4" + +[[audits.firefox.audits.utf16_iter]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +version = "1.0.5" +notes = "I, Henri Sivonen, wrote this crate." + +[[audits.firefox.audits.wgpu-types]] +who = "Dzmitry Malyshau " +criteria = "safe-to-deploy" +version = "0.12.0" +notes = """ +This crate, up through the indicated version, was written or reviewed +by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left +Mozilla at the beginning of February 2022. This audit statement was +collected by Jim Blandy, a Mozilla employee, over email in July 2022: +Dzmitry was shown, and agreed to, the 'safe-to-deploy' text. +""" + +[[audits.firefox.audits.wgpu-types]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.12.0 -> 0.13.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.14.0" +notes = "Audit by Erich Gubler, Jim Blandy, Nicolas Silva, and Teodor Tanasoaia." + +[[audits.firefox.audits.wgpu-types]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "0.14.0 -> 0.15.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.16.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "0.16.0 -> 0.17.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "0.17.0 -> 0.18.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.18.0 -> 0.19.2" + +[[audits.firefox.audits.wgpu-types]] +who = [ + "Jim Blandy ", + "Nicolas Silva ", + "Erich Gubler ", + "Teodor Tanasoaia ", +] +criteria = "safe-to-deploy" +delta = "0.19.2 -> 0.20.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Jim Blandy " +criteria = "safe-to-deploy" +delta = "0.20.0 -> 22.0.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "22.0.0 -> 23.0.0" + +[[audits.firefox.audits.wgpu-types]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "23.0.0 -> 24.0.0" + +[[audits.firefox.audits.write16]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I, Henri Sivonen, wrote this (safe-code-only) crate." + +[[audits.firefox.audits.zerovec]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +version = "0.9.4" +notes = "This crate is zero-copy data structure implmentation. Although this uses unsafe block in several code, it requires for zero-copy. And this has a comment in code why this uses unsafe and I audited code." + +[[audits.firefox.audits.zerovec]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "0.9.4 -> 0.10.1" + +[[audits.firefox.audits.zerovec]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "0.10.1 -> 0.10.2" + +[[audits.firefox.audits.zerovec]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.2 -> 0.10.4" + +[[audits.google.audits.adler2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "2.0.0" +notes = ''' +This audit has been reviewed in https://crrev.com/c/5811890 + +The crate is fairly easy to read thanks to its small size and rich comments. + +I've grepped for `-i cipher`, `-i crypto`, `\bfs\b`, `\bnet\b`, and +`\bunsafe\b`. There were no hits (except for a comment in `README.md` +and `lib.rs` pointing out "Zero `unsafe`"). +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.aho-corasick]] +who = "Ying Hsu " +criteria = "safe-to-deploy" +version = "1.1.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.android_system_properties]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "0.1.5" +notes = "Android system API FFI" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anstyle]] +who = "Yu-An Wang " +criteria = "safe-to-deploy" +version = "1.0.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.anstyle]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.4 -> 1.0.6" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anstyle]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.6 -> 1.0.7" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anstyle]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.7 -> 1.0.8" +notes = "Only Cargo.toml changes in the 1.0.7 => 1.0.8 delta." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anstyle]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.8 -> 1.0.9" +notes = "No changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anstyle]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.9 -> 1.0.10" +notes = "Minor changes related to `write_str`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "ChromeOS" criteria = "safe-to-deploy" version = "1.0.68" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.anyhow]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.75 -> 1.0.79" +notes = """ +1.0.75 has been previously audited as \"safe-to-run\", +\"does-not-implement-crypto\" - see +https://github.com/google/rust-crate-audits/blob/c2d49cb6e80bb817f569debecf846161dcebd88c/audits.toml#L277-L305 +The \"1.0.75 -> 1.0.79\" delta meets the same criteria. + +This is an incremental/delta audit - we don't claim any particular `ub-risk-N` +level for the baseline or for the final version. OTOH note that additional +uses of `unsafe` have been reviewed in https://crrev.com/c/5178771 and the +**delta** was evaluated as `ub-risk-3` - no known unsoundness but: +* Little safety comments to explain why a particular usage of `unsafe` + is safe and/or necessary +* Safety analysis couldn't be done locally, but required considering the + whole crate (e.g. checking if the public `Ref.ptr` is mutated anywhere) +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.82 -> 1.0.83" +notes = "No change to UB-risk profile either." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.83 -> 1.0.86" +notes = "Delta only updates the ensure macro implementation, still safe to run, no crypto" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.86 -> 1.0.87" +notes = "Minimal changes, mostly renaming std to core for a type" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.87 -> 1.0.89" +notes = "No safety-related changes in this delta" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.89 -> 1.0.91" +notes = "Minimal changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.91 -> 1.0.93" +notes = """ +`ensure!` macro tweaks to handle +https://github.com/rust-lang/rfcs/blob/master/text/2582-raw-reference-mir-operator.md +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.anyhow]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.93 -> 1.0.94" +notes = "No behavioral changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.argh]] who = "ChromeOS" criteria = "safe-to-deploy" @@ -939,40 +1443,114 @@ criteria = "safe-to-deploy" delta = "0.1.10 -> 0.1.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.arrayvec]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.7.6" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'` and there were +no hits, except for some `net` usage in tests. + +The crate has quite a few bits of `unsafe` Rust. The audit comments can be +found in https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2 +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.ash]] +who = "Chia-I Wu " +criteria = "safe-to-deploy" +version = "0.38.0+1.3.281" +notes = "Vulkan binding mostly generated from vk.xml" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.autocfg]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "Contains no unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bit-set]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.5.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Justin Green " +criteria = "safe-to-deploy" +version = "2.6.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -version = "2.4.2" +delta = "2.6.0 -> 2.8.0" +notes = "No changes related to `unsafe impl ... bytemuck` pieces from `src/external.rs`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "2.8.0 -> 2.9.0" +notes = "Adds a straightforward clear() function, but no new unsafe code." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bytemuck_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.6.0" notes = """ -Audit notes: - -* I've checked for any discussion in Google-internal cl/546819168 (where audit - of version 2.3.3 happened) -* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` -* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be - correct in a straightforward way - they just propagate the marker trait's - impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type -* Additional discussion and/or notes may be found in https://crrev.com/c/5238056 +Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no +hits except for 8 occurrences of `unsafe`. Additional `unsafe` review comments +can be found in https://crrev.com/c/5445719. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.bitflags]] -who = "Adrian Taylor " +[[audits.google.audits.bytemuck_derive]] +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -delta = "2.4.2 -> 2.5.0" +delta = "1.6.0 -> 1.6.1" +notes = """ +No behavior/code changes AFAICT - only adding +`#[allow(clippy::multiple_bound_locations)]`, doc comments, and making +some cosmetic changes in non-`.rs` files. +""" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.bitflags]] -who = "Adrian Taylor " +[[audits.google.audits.bytemuck_derive]] +who = "danakj " criteria = "safe-to-deploy" -delta = "2.5.0 -> 2.6.0" -notes = "The changes from the previous version are negligible and thus it retains the same properties." +delta = "1.6.1 -> 1.7.0" +notes = """ +Added support for Zeroable enums, which requires them to be represented as an integer and to have 0 as one of their values. + +Other trivial/formatting changes. +""" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bytemuck_derive]] -who = "Bastian Kersting " +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -version = "1.5.0" +delta = "1.7.0 -> 1.7.1" +notes = """ +No impact on safety AFAICT - the delta only specifies a new attribute for +`proc_macro_derive` to work around re-export issues described at +https://github.com/Lokathor/bytemuck/issues/159 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bytemuck_derive]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.7.1 -> 1.8.0" +notes = "Unsafe review: https://crrev.com/c/5921014" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bytes]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.cast]] @@ -987,10 +1565,132 @@ criteria = "safe-to-deploy" version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.ciborium]] +who = "Daniel Verkamp " +criteria = "safe-to-deploy" +version = "0.2.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.ciborium-io]] +who = "Daniel Verkamp " +criteria = "safe-to-deploy" +version = "0.2.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.ciborium-ll]] +who = "Daniel Verkamp " +criteria = "safe-to-deploy" +version = "0.2.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.clap]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "4.5.15" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits, except for `std::net::IpAddr` usage in +`examples/typed-derive.rs`. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "4.5.15 -> 4.5.17" +notes = "Minor code change and toml changes." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "4.5.17 -> 4.5.18" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "4.5.18 -> 4.5.20" +notes = "Trivial changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "4.5.20 -> 4.5.21" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "4.5.21 -> 4.5.23" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_builder]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "4.5.15" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_builder]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "4.5.15 -> 4.5.17" +notes = "No new unsafe, net, fs" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_builder]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "4.5.17 -> 4.5.18" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_builder]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "4.5.18 -> 4.5.20" +notes = "No new unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_builder]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "4.5.20 -> 4.5.21" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_builder]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "4.5.21 -> 4.5.23" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_lex]] +who = "Ying Hsu " +criteria = "safe-to-deploy" +version = "0.7.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.clap_lex]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "0.7.0 -> 0.7.1" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.clap_lex]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.7.2" +notes = "No `.rs` changes in the delta." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.codespan-reporting]] who = "danakj@chromium.org" criteria = "safe-to-deploy" -version = "0.6.0" +version = "0.11.1" notes = """ Reviewed in https://crrev.com/c/5171063 @@ -998,6 +1698,25 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.core-foundation-sys]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "0.8.7" +notes = "OSX system APIs" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.crc32fast]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.4.2" +notes = """ +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.crossbeam-channel]] who = "George Burgess IV " criteria = "safe-to-deploy" @@ -1028,22 +1747,29 @@ criteria = "safe-to-deploy" delta = "0.9.14 -> 0.9.15" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.downcast-rs]] +[[audits.google.audits.displaydoc]] who = "George Burgess IV " criteria = "safe-to-deploy" -version = "1.2.0" +version = "0.2.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.either]] +[[audits.google.audits.downcast-rs]] who = "George Burgess IV " criteria = "safe-to-deploy" -version = "1.8.1" +version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.either]] -who = "George Burgess IV " +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "1.13.0" +notes = "Unsafe code pertaining to wrapping Pin APIs. Mostly passes invariants down." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.enumn]] +who = "Alexandre Courbot " criteria = "safe-to-deploy" -delta = "1.8.1 -> 1.9.0" +delta = "0.1.12 -> 0.1.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.equivalent]] @@ -1053,22 +1779,162 @@ version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.errno]] -who = "George Burgess IV " +who = "Ying Hsu " criteria = "safe-to-deploy" -version = "0.2.8" +version = "0.3.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.errno]] -who = "George Burgess IV " +[[audits.google.audits.fdeflate]] +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -delta = "0.2.8 -> 0.3.1" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +version = "0.3.4" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits. + +Note that some additional, internal notes about an older version of this crate +can be found at go/image-crate-chromium-security-review. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.fdeflate]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.3.4 -> 0.3.5" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.fdeflate]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "0.3.5 -> 0.3.6" +notes = "No unsafe, no crypto, mysterious tables replaced with const expressions" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.fdeflate]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.3.6 -> 0.3.7" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.flate2]] -who = "George Burgess IV " +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.30" +notes = ''' +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. Ability to track partial +audits is tracked in https://github.com/mozilla/cargo-vet/issues/380 +Chromium does use the `any_zlib` feature(s). Accidentally depending on +this feature in the future is prevented using the `ban_features` feature +of `gnrt` - see: +https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml + +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. + +All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`: + +* The code under `src/ffi/...` will not be used because the `mod c` + declaration in `src/ffi/mod.rs` depends on the `any_zlib` config +* 7 uses of `unsafe` in `src/mem.rs` also all depend on the + `any_zlib` config: + - 2 in `fn set_dictionary` (under `impl Compress`) + - 2 in `fn set_level` (under `impl Compress`) + - 3 in `fn set_dictionary` (under `impl Decompress`) + +All hits of `'\bfs\b'` are in comments, or example code, or test code +(but not in product code). + +There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.flate2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.30 -> 1.0.31" +notes = """ +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. See the audit of 1.0.30 for +more details. + +Only benign changes: + +* Comment-only changes in `.rs` files +* Also changing dependency version in `Cargo.toml`, but this is for `any_zlib` + feature which is not used in Chromium (i.e. this is a *partial* audit - see + the previous audit notes for 1.0.30) +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.flate2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.31 -> 1.0.33" +notes = """ +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. See the audit of 1.0.30 for +more details. + +This delta audit has been reviewed in https://crrev.com/c/5811890 +The delta can be seen at https://diff.rs/flate2/1.0.31/1.0.33 +The delta bumps up `miniz_oxide` dependency to `0.8.0` +The delta also contains some changes to `src/ffi/c.rs` which is *NOT* used by Chromium +and therefore hasn't been covered by this partial audit. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.flate2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.33 -> 1.0.34" +notes = """ +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. See the audit of 1.0.30 for +more details. + +The delta can be seen at https://diff.rs/flate2/1.0.33/1.0.34 +The delta bumps up `libz-rs-sys` dependency from `0.2.1` to `0.3.0` +The delta in `lib.rs` only tweaks comments and has no code changes. +The delta also contains some changes to `src/ffi/c.rs` which is *NOT* used by Chromium +and therefore hasn't been covered by this partial audit. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.flate2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.34 -> 1.0.35" +notes = "There are no significant code changes in this delta (just one string constant change). Note that prior audits may have been partial." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +`ub-risk-2` review notes can be found in https://crrev.com/c/6071306/5/third_party/rust/chromium_crates_io/vendor/foldhash-0.1.3/src/seed.rs + +`does-not-implement-crypto` based on `README.md` which explicitly says that +\"Foldhash is **not appropriate for any cryptographic purpose**.\" +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" +notes = "No changes to safety-relevant code" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Chris Palmer " criteria = "safe-to-deploy" -version = "1.0.26" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "0.1.4 -> 0.1.5" +notes = "No new `unsafe`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.foreign-types]] who = "George Burgess IV " @@ -1095,6 +1961,24 @@ delta = "0.2.2 -> 0.2.12" notes = "Audited at https://fxrev.dev/932979" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.getrandom]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "0.2.12 -> 0.2.14" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.getrandom]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.15" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.half]] +who = "Daniel Verkamp " +criteria = "safe-to-deploy" +version = "2.4.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.hashbrown]] who = "Nicholas Bishop " criteria = "safe-to-deploy" @@ -1108,9 +1992,38 @@ delta = "0.13.2 -> 0.14.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.heck]] -who = "ChromeOS" +who = "Ying Hsu " +criteria = "safe-to-deploy" +version = "0.5.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.icu_locid_transform]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.5.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.icu_locid_transform_data]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.5.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.icu_provider]] +who = "George Burgess IV " criteria = "safe-to-deploy" -version = "0.4.0" +version = "1.5.0" +notes = """ +This crate contains a custom impl of FxHash. The maintainers needed a custom +hashing function that was `const` and self-contained. Since FxHash isn't built +to be crypto secure, this does-not-implement-crypto. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.icu_provider_macros]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.idna]] @@ -1119,30 +2032,64 @@ criteria = "safe-to-deploy" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.idna]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 1.0.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.itertools]] who = "ChromeOS" criteria = "safe-to-deploy" version = "0.10.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.itoa]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.11 -> 1.0.14" +notes = """ +Unsafe review at https://crrev.com/c/6051067 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.lazy_static]] who = "Android Legacy" criteria = "safe-to-deploy" version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.lazy_static]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" +notes = "Unsafe review notes: https://crrev.com/c/5650836" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.libloading]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.7.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.log]] +[[audits.google.audits.litemap]] who = "George Burgess IV " criteria = "safe-to-deploy" -delta = "0.4.17 -> 0.4.20" +version = "0.7.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.log]] +who = "danakj " +criteria = "safe-to-deploy" +version = "0.4.22" +notes = """ +Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing + +Unsafety is generally very well-documented, with one exception, which we +describe in the review doc. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.memmap2]] who = "Ying Hsu " criteria = "safe-to-deploy" @@ -1156,16 +2103,10 @@ version = "0.6.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.miniz_oxide]] -who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "0.6.2" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - -[[audits.google.audits.miniz_oxide]] -who = "George Burgess IV " +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -delta = "0.6.2 -> 0.7.1" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "0.8.0 -> 0.8.2" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.nix]] who = "David Koloski " @@ -1187,89 +2128,420 @@ Issues: """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.num-traits]] -who = "George Burgess IV " +[[audits.google.audits.num-traits]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "0.2.19" +notes = "Contains a single line of float-to-int unsafe with decent safety comments" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.num_threads]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.6" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.once_cell]] +who = "Ying Hsu " +criteria = "safe-to-deploy" +version = "1.19.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.percent-encoding]] +who = "ChromeOS" +criteria = "safe-to-deploy" +version = "2.2.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "ChromeOS" +criteria = "safe-to-deploy" +version = "0.2.9" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pkg-config]] +who = "Justin Green " +criteria = "safe-to-deploy" +version = "0.3.31" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.png]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.17.13" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits except for reasonable, client-controlled usage of +`std::fs::File` in tests in `src/encoder.rs`, tests in `src/decoder/stream.rs`, +and in some example code. + +Note that some additional, internal notes about an older version of this crate +can be found at go/image-crate-chromium-security-review. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.png]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.17.13 -> 0.17.14" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.png]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.17.14 -> 0.17.15" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Ying Hsu " +criteria = "safe-to-deploy" +version = "1.0.79" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Hung-Hsien Chen " +criteria = "safe-to-deploy" +delta = "1.0.79 -> 1.0.86" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.86 -> 1.0.87" +notes = "No new unsafe interactions." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Liza Burakova Qualifiers::Unsafe, + ``` + +* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` + which is later read back via `include!` used in `src/lib.rs`. + +Version `1.0.6` of this crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.14 -> 1.0.15" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.15 -> 1.0.16" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.16 -> 1.0.17" +notes = "Just updates windows compat" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.17 -> 1.0.18" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.18 -> 1.0.19" +notes = "No unsafe, just doc changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.0.19 -> 1.0.20" +notes = "Only minor updates to documentation and the mock today used for testing." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.same-file]] +who = "Android Legacy" +criteria = "safe-to-deploy" +version = "1.0.6" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.scopeguard]] +who = "Android Legacy" +criteria = "safe-to-deploy" +version = "1.1.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.203 -> 1.0.204" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.204 -> 1.0.207" +notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.207 -> 1.0.209" +notes = """ +The delta carries fairly small changes in `src/private/de.rs` and +`src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the +delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts +of the crate (in `src/de/format.rs` and `src/ser/impls.rs`). +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.210 -> 1.0.213" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.213 -> 1.0.214" +notes = "No unsafe, no crypto" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.214 -> 1.0.215" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.215 -> 1.0.216" +notes = "The delta makes minor changes in `build.rs` - switching to the `?` syntax sugar." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.203 -> 1.0.204" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.204 -> 1.0.207" +notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.207 -> 1.0.209" +notes = ''' +There are no code changes in this delta - see https://crrev.com/c/5812194/2..5 + +I've neverthless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`, +`\bnet\b`, and `\bunsafe\b`. There were no hits. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Adrian Taylor " criteria = "safe-to-deploy" -delta = "0.2.15 -> 0.2.16" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.num_threads]] -who = "George Burgess IV " +[[audits.google.audits.serde_derive]] +who = "Liza Burakova " criteria = "safe-to-deploy" -version = "0.1.6" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.210 -> 1.0.213" +notes = "Grepped for 'unsafe', 'crypt', 'cipher', 'fs', 'net' - there were no hits" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.once_cell]] -who = "crosvm" +[[audits.google.audits.serde_derive]] +who = "Dustin J. Mitchell " criteria = "safe-to-deploy" -version = "1.17.0" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.213 -> 1.0.214" +notes = "No changes to unsafe, no crypto" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.once_cell]] -who = "George Burgess IV " +[[audits.google.audits.serde_derive]] +who = "Adrian Taylor " criteria = "safe-to-deploy" -delta = "1.17.0 -> 1.18.0" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.214 -> 1.0.215" +notes = "Minor changes should not impact UB risk" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.percent-encoding]] -who = "ChromeOS" +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -version = "2.2.0" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.215 -> 1.0.216" +notes = "The delta adds `#[automatically_derived]` in a few places. Still no `unsafe`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.pin-project-lite]] -who = "ChromeOS" +[[audits.google.audits.serde_json]] +who = "Adrian Taylor " criteria = "safe-to-deploy" -version = "0.2.9" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.117 -> 1.0.120" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.pin-project-lite]] -who = "David Koloski " +[[audits.google.audits.serde_json]] +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -delta = "0.2.9 -> 0.2.13" -notes = "Audited at https://fxrev.dev/946396" -aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +delta = "1.0.120 -> 1.0.122" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.quick-xml]] -who = "Matthew DeVore " +[[audits.google.audits.serde_json]] +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -version = "0.30.0" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.122 -> 1.0.124" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.quote]] -who = "ChromeOS" +[[audits.google.audits.serde_json]] +who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -version = "1.0.23" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.124 -> 1.0.127" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.quote]] -who = "George Burgess IV " +[[audits.google.audits.serde_json]] +who = "danakj " criteria = "safe-to-deploy" -delta = "1.0.23 -> 1.0.26" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.127 -> 1.0.128" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.quote]] -who = "George Burgess IV " +[[audits.google.audits.serde_json]] +who = "Liza Burakova " criteria = "safe-to-deploy" -delta = "1.0.26 -> 1.0.28" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +delta = "1.0.128 -> 1.0.132" +notes = """ +Methods moved into new deserializer trait in de.rs. +New methods for converting Number to i128 or u128 in number.rs +No new unsafe changes. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.quote]] +[[audits.google.audits.serde_json]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.132 -> 1.0.133" +notes = "No changes affecting safety-to-run and still no crypto" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.shlex]] who = "George Burgess IV " criteria = "safe-to-deploy" -delta = "1.0.28 -> 1.0.31" +version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.same-file]] -who = "Android Legacy" +[[audits.google.audits.smallvec]] +who = "Manish Goregaokar " criteria = "safe-to-deploy" -version = "1.0.6" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +version = "1.13.2" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.scopeguard]] -who = "Android Legacy" +[[audits.google.audits.stable_deref_trait]] +who = "George Burgess IV " criteria = "safe-to-deploy" -version = "1.1.0" +version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.static_assertions]] @@ -1278,6 +2550,35 @@ criteria = "safe-to-deploy" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.strum]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strum_macros]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.3" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.synstructure]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "0.13.1" +notes = "Exposes unsafe codegen APIs but does not itself contain unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.termcolor]] who = "danakj@chromium.org" criteria = "safe-to-deploy" @@ -1295,18 +2596,35 @@ criteria = "safe-to-deploy" delta = "1.4.0 -> 1.4.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.tinystr]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.7.6" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.tinytemplate]] who = "Ying Hsu " criteria = "safe-to-deploy" version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.tracing-core]] -who = "David Koloski " +[[audits.google.audits.toml]] +who = "George Burgess IV " criteria = "safe-to-deploy" -delta = "0.1.21 -> 0.1.31" -notes = "Reviewed on https://fxrev.dev/906816" -aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +version = "0.5.10" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.toml]] +who = "Hung-Hsien Chen " +criteria = "safe-to-deploy" +delta = "0.5.10 -> 0.8.19" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.toml_datetime]] +who = "Hung-Hsien Chen " +criteria = "safe-to-deploy" +version = "0.6.8" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.twox-hash]] who = "Dennis Kempin " @@ -1315,12 +2633,48 @@ version = "1.6.3" notes = "Non-cyptographic hashing function" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.unicode-ident]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.12" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +All two functions from the public API of this crate use `unsafe` to avoid bound +checks for an array access. Cross-module analysis shows that the offsets can +be statically proven to be within array bounds. More details can be found in +the unsafe review CL at https://crrev.com/c/5350386. + +This crate has been added to Chromium in https://crrev.com/c/3891618. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-ident]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.12 -> 1.0.13" +notes = "Lots of table updates, and tables are assumed correct with unsafe `.get_unchecked()`, so ub-risk-2 is appropriate" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-ident]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.13 -> 1.0.14" +notes = "Minimal delta in `.rs` files: new test assertions + doc changes." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.unicode-normalization]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.1.22" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.utf8_iter]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" @@ -1338,6 +2692,31 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.winapi-util]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.1.8 -> 0.1.9" +notes = "The delta only changes Cargo.toml." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.writeable]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.5.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.yoke]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.7.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.yoke-derive]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.7.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.zerocopy]] who = "ChromeOS" criteria = "safe-to-deploy" @@ -1374,6 +2753,24 @@ criteria = "safe-to-deploy" delta = "0.7.8 -> 0.7.32" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.zerofrom]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.zerofrom-derive]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.zerovec-derive]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.10.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.zstd-sys]] who = "Matt Turner " criteria = "safe-to-deploy" @@ -1381,20 +2778,52 @@ version = "2.0.9+zstd.1.5.5" notes = "Includes an implementation of xxhash (a non-cyptographic hashing function) as part of the zstd C sources" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.isrg.audits.base64]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.21.0 -> 0.21.1" + +[[audits.isrg.audits.base64]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.21.1 -> 0.21.2" + +[[audits.isrg.audits.base64]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.21.2 -> 0.21.3" + [[audits.isrg.audits.criterion]] who = "Brandon Pitman " criteria = "safe-to-run" delta = "0.4.0 -> 0.5.1" -[[audits.isrg.audits.num-traits]] -who = "Ameer Ghani " +[[audits.isrg.audits.crunchy]] +who = "David Cook " criteria = "safe-to-deploy" -delta = "0.2.16 -> 0.2.17" +version = "0.2.2" [[audits.isrg.audits.once_cell]] -who = "Brandon Pitman " +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.19.0 -> 1.20.1" + +[[audits.isrg.audits.rayon-core]] +who = "Ameer Ghani " +criteria = "safe-to-deploy" +version = "1.12.1" + +[[audits.mozilla.audits.bitflags]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "2.9.0 -> 2.9.1" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.bytes]] +who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "1.18.0 -> 1.19.0" +delta = "1.4.0 -> 1.9.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.cc]] who = "Jan-Erik Rediger " @@ -1408,17 +2837,46 @@ criteria = "safe-to-deploy" delta = "0.5.8 -> 0.5.11" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" +[[audits.mozilla.audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.11 -> 0.5.12" +notes = "Minimal change fixing a memory leak." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.13 -> 0.5.14" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.crossbeam-utils]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "0.8.14 -> 0.8.19" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" -[[audits.mozilla.audits.unicode-ident]] +[[audits.mozilla.audits.home]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "0.5.3" +notes = """ +Crate with straightforward code for determining the user's HOME directory. Only +unsafe code is used to invoke the Windows SHGetFolderPathW API to get the +profile directory when the USERPROFILE environment variable is unavailable. +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.home]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.5.3 -> 0.5.11" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.memchr]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" -delta = "1.0.8 -> 1.0.9" -notes = "Dependency updates only" +delta = "2.5.0 -> 2.7.4" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.wasmtime.wildcard-audits.bumpalo]] @@ -1445,31 +2903,52 @@ who = "Pat Hickey " criteria = "safe-to-deploy" delta = "1.0.69 -> 1.0.71" +[[audits.wasmtime.audits.base64]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." + [[audits.wasmtime.audits.cc]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.0.73" notes = "I am the author of this crate." -[[audits.wasmtime.audits.core-foundation-sys]] +[[audits.wasmtime.audits.errno]] who = "Dan Gohman " criteria = "safe-to-deploy" -delta = "0.8.4 -> 0.8.6" -notes = """ -The changes here are all typical bindings updates: new functions, types, and -constants. I have not audited all the bindings for ABI conformance. -""" +delta = "0.3.9 -> 0.3.10" -[[audits.wasmtime.audits.flate2]] -who = "Andrew Brown " +[[audits.wasmtime.audits.icu_properties]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +delta = "1.5.0 -> 1.5.1" + +[[audits.wasmtime.audits.jobserver]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "1.0.26 -> 1.0.28" -notes = "No new `unsafe` and no large changes in function. This diff is mostly refactoring with a lot of docs, CI, test changes. Adds some defensive clearing out of certain variables as a safeguard." +delta = "0.1.25 -> 0.1.32" + +[[audits.wasmtime.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" -[[audits.wasmtime.audits.libloading]] -who = "Iceber Gu " +[[audits.wasmtime.audits.miniz_oxide]] +who = "Alex Crichton " criteria = "safe-to-deploy" -delta = "0.7.3 -> 0.8.1" +delta = "0.7.1 -> 0.8.0" +notes = "Minor updates, using new Rust features like `const`, no major changes." [[audits.wasmtime.audits.tinyvec]] who = "Alex Crichton " @@ -1490,11 +2969,6 @@ This crate has no unsafe code and does not use `std::*`. Skimming the crate it does not attempt to out of the bounds of what it's already supposed to be doing. """ -[[audits.wasmtime.audits.unicode-ident]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "1.0.8" - [[audits.zcash.audits.ahash]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1513,29 +2987,35 @@ nightly features are available. aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.anyhow]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.0.79 -> 1.0.82" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.base64]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.75 -> 1.0.77" -notes = """ -- Build script changes are to rerun cargo if the `RUSTC_BOOTSTRAP` env variable - changes, and enable a few more `rustc` config flags. -- Some `unsafe fn`s were altered to add `unsafe` blocks, to make the safety - contracts in the code clearer (instead of using the `unsafe fn`'s implicit - `unsafe` block); no actual `unsafe` changes were made. -""" +delta = "0.21.3 -> 0.21.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.anyhow]] +[[audits.zcash.audits.base64]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "1.0.77 -> 1.0.79" -notes = """ -Build script changes are to refactor the existing probe into a separate file -(which removes a filesystem write), and adjust how it gets rerun in response to -changes in the build environment. -""" +delta = "0.21.4 -> 0.21.5" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.base64]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.21.5 -> 0.21.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.clap_lex]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.7.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + [[audits.zcash.audits.crossbeam-deque]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1573,9 +3053,16 @@ delta = "0.9.17 -> 0.9.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.errno]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.9" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.getrandom]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.3.3 -> 0.3.8" +delta = "0.2.15 -> 0.2.16" +notes = "New support for Cygwin looks correct to me." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.nix]] @@ -1604,22 +3091,17 @@ criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" -[[audits.zcash.audits.quote]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.31 -> 1.0.33" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.quote]] +[[audits.zcash.audits.oorandom]] who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.33 -> 1.0.35" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +criteria = "safe-to-run" +delta = "11.1.3 -> 11.1.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" -[[audits.zcash.audits.regex-syntax]] +[[audits.zcash.audits.rustversion]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "0.7.2 -> 0.7.5" +delta = "1.0.20 -> 1.0.21" +notes = "Build script change is to fix building with `-Zfmt-debug=none`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.scopeguard]] @@ -1629,27 +3111,9 @@ delta = "1.1.0 -> 1.2.0" notes = "Only change to an `unsafe` block is to replace a `mem::forget` with `ManuallyDrop`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.time-core]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.1.0 -> 0.1.1" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.tracing-core]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.1.31 -> 0.1.32" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.unicode-ident]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.9 -> 1.0.12" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"