cargo vet

supply-chain/config.toml

@@ -149,10 +149,6 @@ criteria = "safe-to-run"
 version = "0.3.4"
 criteria = "safe-to-run"
 
-[[exemptions.portable-atomic]]
-version = "1.9.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.ppv-lite86]]
 version = "0.2.16"
 criteria = "safe-to-deploy"

supply-chain/imports.lock

@@ -590,6 +590,19 @@ version = "0.2.15"
 notes = "All code written or reviewed by Josh Stone."
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.once_cell]]
+who = "Mike Hommey <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.16.0 -> 1.17.1"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.once_cell]]
+who = "Erich Gubler <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.20.1 -> 1.20.2"
+notes = "This update works around a Cargo bug that forces the addition of `portable-atomic` into a lockfile, which we have never needed to use."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.rand_core]]
 who = "Mike Hommey <[email protected]>"
 criteria = "safe-to-deploy"
@@ -700,16 +713,6 @@ criteria = "safe-to-deploy"
 delta = "2.7.2 -> 2.7.4"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
-[[audits.zcash.audits.once_cell]]
-who = "Jack Grigg <[email protected]>"
-criteria = "safe-to-deploy"
-delta = "1.17.0 -> 1.17.1"
-notes = """
-Small refactor that reduces the overall amount of `unsafe` code. The new strict provenance
-approach looks reasonable.
-"""
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.unicode-ident]]
 who = "Daira Hopwood <[email protected]>"
 criteria = "safe-to-deploy"