diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 8a8c87d432..75e82aecc2 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -3,97 +3,216 @@ [[audits.ascii-canvas]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "3.0.0" +[[audits.bitflags]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +version = "1.3.2" + +[[audits.cc]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +delta = "1.0.73 -> 1.0.83" + +[[audits.chrono]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.4.26 -> 0.4.31" + [[audits.crc32fast]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "1.3.2" +[[audits.diff]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.1.13" + [[audits.digest]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.9.0" [[audits.dirs-next]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "2.0.0" [[audits.dirs-sys-next]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.1.2" +[[audits.ena]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +version = "0.14.2" + [[audits.fixedbitset]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.4.2" +[[audits.generic-array]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +version = "0.14.6" + +[[audits.getrandom]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +version = "0.1.16" + +[[audits.getrandom]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +delta = "0.1.16 -> 0.2.6" + [[audits.iana-time-zone]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.1.58" notes = "Only code for Linux was reviewed." 
[[audits.idna]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.3.0 -> 0.4.0" notes = "Primarily adding a no_std mode" [[audits.lalrpop]] who = "Kunal Mehta " -criteria = "safe-to-deploy" -delta = "0.19.12 -> 0.20.0" +criteria = "safe-to-run" +delta = "0.19.10 -> 0.20.0" notes = "Autogenerated code was not reviewed." [[audits.lalrpop-util]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.19.12" [[audits.lalrpop-util]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.19.12 -> 0.20.0" +[[audits.memoffset]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.6.5" + +[[audits.memsec]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.6.3" + +[[audits.petgraph]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.6.2 -> 0.6.4" + [[audits.phf_shared]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.10.0" [[audits.pkg-config]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.3.26 -> 0.3.27" +[[audits.ppv-lite86]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.2.10 -> 0.2.16" + +[[audits.pyo3]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" + +[[audits.pyo3-build-config]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" +notes = "Windows, cross-compiling and abi3 code not reviewed." + +[[audits.pyo3-ffi]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" +notes = "Unsurprisingly lots of unsafe, appears fine for an FFI library. PyPy and Windows code was skipped." 
+ [[audits.pyo3-macros]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" +version = "0.18.3" + +[[audits.pyo3-macros-backend]] +who = "Kunal Mehta " +criteria = "safe-to-run" version = "0.18.3" [[audits.rand]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.7.3 -> 0.8.5" +[[audits.rand]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.8.3 -> 0.8.5" + [[audits.rand_chacha]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.2.2 -> 0.3.1" [[audits.rand_core]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.5.1 -> 0.6.3" [[audits.siphasher]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.3.10" +[[audits.smallvec]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "1.6.1 -> 1.11.1" + +[[audits.string_cache]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.8.7" + +[[audits.term]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.7.0" +notes = "Windows code was not reviewed." + +[[audits.tiny-keccak]] +who = "Cory Francis Myers " +criteria = "safe-to-run" +version = "2.0.2" + +[[audits.typenum]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "1.15.0" + +[[audits.xxhash-rust]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.8.7" +notes = "Only the `xxh3` feature, used by Sequoia, was reviewed" + [[trusted.aho-corasick]] criteria = "safe-to-deploy" user-id = 189 # Andrew Gallant (BurntSushi) @@ -149,6 +268,13 @@ user-id = 539 # Josh Stone (cuviper) start = "2019-04-02" end = "2024-04-10" +[[trusted.ena]] +criteria = "safe-to-deploy" +user-id = 1386 # Niko Matsakis (nikomatsakis) +start = "2019-03-19" +end = "2024-05-02" +notes = "Rust Project member" + [[trusted.equivalent]] criteria = "safe-to-deploy" user-id = 539 # Josh Stone (cuviper) 
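Review bot: The existing `[[audits.lalrpop]]` record is edited in place so that its `delta` starts at `0.19.10` instead of `0.19.12`, while `who` and `notes` stay the same, which changes what that auditor is recorded as having reviewed. If the 0.19.10 to 0.19.12 changes were actually read, I would keep the original record and add a separate entry with `delta = "0.19.10 -> 0.19.12"`, so each attestation keeps its own history. If they were not read, the widened range overstates the review. The same hunk also relabels every earlier `safe-to-deploy` record as `safe-to-run`, so a project importing this file gets the weaker claim for those versions, which is worth stating in the commit message.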
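Review bot: The new `[[trusted.ena]]` entry justifies itself only with `notes = "Rust Project member"`, which says nothing about the publisher's relationship to the crate; the same applies to `[[trusted.lalrpop]]`, `[[trusted.openssl]]` and `[[trusted.openssl-sys]]` in the later hunks of this file. A trusted entry accepts every release that account publishes between `start` and `end` without a code review. For `openssl` and `openssl-sys` it replaces exemptions that config.toml pinned to 0.10.57 and 0.9.93, so the set of unreviewed versions that can pass gets wider. I would record the actual basis per entry, e.g. `notes = "<publisher's role for this crate and why that is sufficient>"`, and keep `end` close enough that the trust is revisited.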
@@ -198,6 +324,13 @@ start = "2022-01-22" end = "2024-04-10" notes = "Rust Project member" +[[trusted.lalrpop]] +criteria = "safe-to-deploy" +user-id = 1386 # Niko Matsakis (nikomatsakis) +start = "2023-03-25" +end = "2024-05-02" +notes = "Rust Project member" + [[trusted.libc]] criteria = "safe-to-deploy" user-id = 1 # Alex Crichton (alexcrichton) @@ -240,6 +373,27 @@ start = "2019-05-20" end = "2024-04-10" notes = "Rust Project member" +[[trusted.openssl]] +criteria = "safe-to-deploy" +user-id = 5 # Steven Fackler (sfackler) +start = "2019-02-22" +end = "2024-05-02" +notes = "Rust Project member" + +[[trusted.openssl]] +criteria = "safe-to-deploy" +user-id = 163 # Alex Gaynor (alex) +start = "2023-03-24" +end = "2024-05-02" +notes = "Rust Project member" + +[[trusted.openssl-sys]] +criteria = "safe-to-deploy" +user-id = 5 # Steven Fackler (sfackler) +start = "2019-03-01" +end = "2024-05-02" +notes = "Rust Project member" + [[trusted.parking_lot]] criteria = "safe-to-deploy" user-id = 2915 # Amanieu d'Antras (Amanieu) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index c5212f8bd8..ea6f9707c8 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1,5 +1,6 @@ # cargo-vet config file +default-criteria = "safe-to-run" [cargo-vet] version = "0.8" @@ -43,6 +44,9 @@ notes = "Redox OS-only" criteria = [] notes = "Redox OS-only" +[policy.redwood] +criteria = "safe-to-run" + [policy.wasi] criteria = [] notes = "WASM-only" 
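Review bot: `[policy.redwood]` lowers the required criteria for redwood's dependency tree to `safe-to-run` without a `notes` field, although the neighbouring policy entries record their reason. cargo-vet's built-in `safe-to-run` covers compiling and running on a workstation or in controlled automation, while `safe-to-deploy` is the level meant for production code exposed to untrusted input. The rationale for accepting the lower level should therefore be written next to the setting, e.g. `notes = "<why safe-to-run is sufficient for redwood>"`. The `default-criteria = "safe-to-run"` line in the first hunk of this file only changes what `cargo vet certify` proposes by default, so future audits will also be recorded at the lower level unless the auditor overrides it.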
@@ -118,115 +122,3 @@ notes = "Windows-only" [policy.windows_x86_64_msvc] criteria = [] notes = "Windows-only" - -[[exemptions.bitflags]] -version = "2.4.0" -criteria = "safe-to-deploy" - -[[exemptions.cc]] -version = "1.0.83" -criteria = "safe-to-deploy" - -[[exemptions.chrono]] -version = "0.4.31" -criteria = "safe-to-deploy" - -[[exemptions.diff]] -version = "0.1.13" -criteria = "safe-to-deploy" - -[[exemptions.ena]] -version = "0.14.2" -criteria = "safe-to-deploy" - -[[exemptions.flate2]] -version = "1.0.27" -criteria = "safe-to-deploy" - -[[exemptions.generic-array]] -version = "0.14.7" -criteria = "safe-to-deploy" - -[[exemptions.getrandom]] -version = "0.2.10" -criteria = "safe-to-deploy" - -[[exemptions.itertools]] -version = "0.10.5" -criteria = "safe-to-deploy" - -[[exemptions.lalrpop]] -version = "0.19.12" -criteria = "safe-to-deploy" - -[[exemptions.memoffset]] -version = "0.8.0" -criteria = "safe-to-deploy" - -[[exemptions.memsec]] -version = "0.6.3" -criteria = "safe-to-deploy" - -[[exemptions.once_cell]] -version = "1.18.0" -criteria = "safe-to-deploy" - -[[exemptions.openssl]] -version = "0.10.57" -criteria = "safe-to-deploy" - -[[exemptions.openssl-sys]] -version = "0.9.93" -criteria = "safe-to-deploy" - -[[exemptions.petgraph]] -version = "0.6.4" -criteria = "safe-to-deploy" - -[[exemptions.ppv-lite86]] -version = "0.2.17" -criteria = "safe-to-deploy" - -[[exemptions.pyo3]] -version = "0.18.3" -criteria = "safe-to-deploy" - -[[exemptions.pyo3-build-config]] -version = "0.18.3" -criteria = "safe-to-deploy" - -[[exemptions.pyo3-ffi]] -version = "0.18.3" -criteria = "safe-to-deploy" - -[[exemptions.pyo3-macros-backend]] -version = "0.18.3" -criteria = "safe-to-deploy" - -[[exemptions.rand]] -version = "0.7.3" -criteria = "safe-to-deploy" - -[[exemptions.smallvec]] -version = "1.11.1" -criteria = "safe-to-deploy" - -[[exemptions.string_cache]] -version = "0.8.7" -criteria = "safe-to-deploy" - -[[exemptions.term]] -version = "0.7.0" -criteria = 
"safe-to-deploy" - -[[exemptions.tiny-keccak]] -version = "2.0.2" -criteria = "safe-to-deploy" - -[[exemptions.typenum]] -version = "1.17.0" -criteria = "safe-to-deploy" - -[[exemptions.xxhash-rust]] -version = "0.8.7" -criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index b93a7d9dbc..96082dd191 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -99,12 +99,12 @@ user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" -[[publisher.libc]] -version = "0.2.146" -when = "2023-06-06" -user-id = 2915 -user-login = "Amanieu" -user-name = "Amanieu d'Antras" +[[publisher.lalrpop]] +version = "0.19.10" +when = "2023-04-24" +user-id = 1386 +user-login = "nikomatsakis" +user-name = "Niko Matsakis" [[publisher.linux-raw-sys]] version = "0.4.10" @@ -134,6 +134,20 @@ user-id = 539 user-login = "cuviper" user-name = "Josh Stone" +[[publisher.openssl]] +version = "0.10.57" +when = "2023-08-27" +user-id = 163 +user-login = "alex" +user-name = "Alex Gaynor" + +[[publisher.openssl-sys]] +version = "0.9.93" +when = "2023-09-04" +user-id = 5 +user-login = "sfackler" +user-name = "Steven Fackler" + [[publisher.parking_lot]] version = "0.12.1" when = "2022-05-31" @@ -267,20 +281,6 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" -[[publisher.unicode-normalization]] -version = "0.1.22" -when = "2022-09-16" -user-id = 1139 -user-login = "Manishearth" -user-name = "Manish Goregaokar" - -[[publisher.unicode-xid]] -version = "0.2.4" -when = "2022-09-15" -user-id = 1139 -user-login = "Manishearth" -user-name = "Manish Goregaokar" - [[publisher.unindent]] version = "0.1.11" when = "2022-12-17" 
@@ -305,6 +305,12 @@ who = "Benjamin Bouvier " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.2" +[[audits.bytecode-alliance.audits.cfg-if]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." + [[audits.bytecode-alliance.audits.crypto-common]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" @@ -352,6 +358,18 @@ criteria = "safe-to-deploy" delta = "0.2.146 -> 0.2.147" notes = "Only new type definitions and updating others for some platforms, no major changes" +[[audits.bytecode-alliance.audits.libc]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.148 -> 0.2.149" +notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." + +[[audits.bytecode-alliance.audits.memoffset]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes." + [[audits.bytecode-alliance.audits.miniz_oxide]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -366,11 +384,10 @@ its own longevity should be relatively hardened against some of the more common compression-related issues. """ -[[audits.bytecode-alliance.audits.pkg-config]] +[[audits.bytecode-alliance.audits.openssl-macros]] who = "Pat Hickey " criteria = "safe-to-deploy" -version = "0.3.25" -notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." +version = "0.1.0" [[audits.bytecode-alliance.audits.tempfile]] who = "Alex Crichton " 
@@ -413,10 +430,52 @@ criteria = "safe-to-deploy" version = "0.2.15" notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." -[[audits.google.audits.cfg-if]] +[[audits.google.audits.bitflags]] +who = "Dennis Kempin " +criteria = "safe-to-run" +delta = "1.3.2 -> 2.2.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "1.0.0" +criteria = "safe-to-run" +delta = "2.3.2 -> 2.4.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cc]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "1.0.79" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cc]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.0.79 -> 1.0.82" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cc]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.0.82 -> 1.0.83" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.chrono]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.4.23" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.chrono]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.23 -> 0.4.24" +aggregated-from = 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.chrono]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.24 -> 0.4.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.fastrand]] 
@@ -429,10 +488,82 @@ that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.openssl-macros]] +[[audits.google.audits.flate2]] who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "0.1.0" +criteria = "safe-to-run" +version = "1.0.26" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.flate2]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.0.26 -> 1.0.27" +notes = """ +There is a CRC implementation in here, but those are not considered crypto. +Further, it's only used in tests internal to this crate. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.getrandom]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.2.10" +notes = """ +While this crate provides crypto methods, they all defer to system or hardware +crypto implementations. Hence, this crate does not implement crypto. 
+""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.itertools]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.10.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.lazy_static]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.4.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.libc]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.2.146" +notes = """ +Much like the getrandom crate, this exports interfaces to APIs which perform +crypto, but does not implement any crypto itself. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.log]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.4.17" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.log]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.17 -> 0.4.20" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.memoffset]] +who = "Dennis Kempin " +criteria = "safe-to-run" +delta = "0.6.5 -> 0.7.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.once_cell]] +who = "crosvm" +criteria = "safe-to-run" +version = "1.17.0" +aggregated-from = 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.once_cell]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.17.0 -> 1.18.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.openssl-macros]] 
@@ -441,12 +572,66 @@ criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.petgraph]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.6.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pkg-config]] +who = "Alexandre Courbot " +criteria = "safe-to-run" +version = "0.3.26" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.ppv-lite86]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.2.10" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rand]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.8.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rand_chacha]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.3.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rand_core]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.6.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.smallvec]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.6.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.tempfile]] who = 
"George Burgess IV " criteria = "safe-to-run" version = "3.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.unicode-normalization]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.1.22" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-xid]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.2.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" @@ -468,6 +653,11 @@ who = "David Cook " criteria = "safe-to-deploy" delta = "0.21.2 -> 0.21.3" +[[audits.isrg.audits.base64]] +who = "Ameer Ghani " +criteria = "safe-to-run" +delta = "0.21.3 -> 0.21.4" + [[audits.isrg.audits.block-buffer]] who = "David Cook " criteria = "safe-to-deploy" @@ -483,16 +673,6 @@ who = "David Cook " criteria = "safe-to-deploy" delta = "0.10.6 -> 0.10.7" -[[audits.isrg.audits.rand_chacha]] -who = "David Cook " -criteria = "safe-to-deploy" -version = "0.3.1" - -[[audits.isrg.audits.rand_core]] -who = "David Cook " -criteria = "safe-to-deploy" -version = "0.6.3" - [[audits.mozilla.wildcard-audits.core-foundation-sys]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -503,24 +683,6 @@ renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.wildcard-audits.unicode-normalization]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -user-id = 1139 # Manish Goregaokar (Manishearth) -start = "2019-11-06" -end = "2024-05-03" -notes = "All code written or reviewed by Manish" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.wildcard-audits.unicode-xid]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -user-id = 1139 # Manish Goregaokar (Manishearth) -start = "2019-07-25" -end = "2024-05-03" -notes = "All code written or reviewed by Manish" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.android_system_properties]] who = "Nicolas Silva " criteria = "safe-to-deploy" @@ -567,6 +729,12 @@ version = "0.6.3" notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.bitflags]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "2.2.1 -> 2.3.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.block-buffer]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -591,39 +759,12 @@ criteria = "safe-to-deploy" delta = "1.9.0 -> 2.0.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.lazy_static]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "1.4.0" -notes = "I have read over the macros, and audited the unsafe code." -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - [[audits.mozilla.audits.libc]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.2.147 -> 0.2.148" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.libc]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "0.2.148 -> 0.2.149" -notes = "New defintions for a new target we don't use" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - -[[audits.mozilla.audits.log]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -version = "0.4.17" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.log]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "0.4.17 -> 0.4.18" -notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.mozilla.audits.new_debug_unreachable]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -631,10 +772,10 @@ version = "1.0.4" notes = "This is a trivial crate." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.pkg-config]] +[[audits.mozilla.audits.ppv-lite86]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" +delta = "0.2.16 -> 0.2.17" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.precomputed-hash]] @@ -644,12 +785,6 @@ version = "0.1.1" notes = "This is a trivial crate." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.rand_core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.6.3 -> 0.6.4" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.tempfile]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -662,18 +797,18 @@ criteria = "safe-to-deploy" delta = "3.6.0 -> 3.8.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.typenum]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.15.0 -> 1.16.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.unicode-bidi]] who = "Makoto Kato " criteria = "safe-to-deploy" delta = "0.3.8 -> 0.3.13" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.zcash.audits.base64]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.21.3 -> 0.21.4" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.block-buffer]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -681,16 +816,10 @@ delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.log]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.18 -> 0.4.19" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.log]] -who = "Jack Grigg " +[[audits.zcash.audits.generic-array]] +who = "Sean Bowe " criteria = "safe-to-deploy" -delta = "0.4.19 -> 0.4.20" +delta = "0.14.6 -> 0.14.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.siphasher]] @@ -705,3 +834,9 @@ criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.typenum]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.16.0 -> 1.17.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"