|
|
|
|
|
|
|
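# cargo-vet imports lock
# Generated and maintained by `cargo vet`; regenerate it with the tool rather than editing it by hand.
# `[[publisher.*]]` tables record which crates.io account published a given crate version.
# `[[audits.<source>.*]]` tables are copies of audits imported from other organizations.
# Every entry extends trust to a third party, so review changes to this file as carefully as code.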
|
|
|
|
|
|
|
|
# Publisher record: the crates.io account (user-id 696) that published bumpalo 3.15.4.
# The bytecode-alliance wildcard audit for bumpalo in this file names the same user-id
# with a 2019-03-16 .. 2025-07-30 window, which contains this publish date.
# Trust here rests on the publisher's identity, not on a review of this version's source.
[[publisher.bumpalo]]
|
|
|
|
version = "3.15.4"
|
|
|
|
when = "2024-03-07"
|
|
|
|
user-id = 696
|
|
|
|
user-login = "fitzgen"
|
|
|
|
user-name = "Nick Fitzgerald"
|
|
|
|
|
|
|
|
[[publisher.core-foundation-sys]]
|
|
|
|
version = "0.8.4"
|
|
|
|
when = "2023-04-03"
|
|
|
|
user-id = 5946
|
|
|
|
user-login = "jrmuizel"
|
|
|
|
user-name = "Jeff Muizelaar"
|
|
|
|
|
|
|
|
# Publisher record for getopts 0.2.21 (crates.io user-id 1).
# NOTE(review): no wildcard audit for getopts appears in this file, so this record is
# presumably matched by a `trusted` entry in the project's own audits.toml (not shown) - confirm.
# If so, the version is accepted on publisher identity alone, without a source review.
[[publisher.getopts]]
|
|
|
|
version = "0.2.21"
|
|
|
|
when = "2019-08-19"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.itoa]]
|
|
|
|
version = "1.0.11"
|
|
|
|
when = "2024-03-26"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.js-sys]]
|
|
|
|
version = "0.3.69"
|
|
|
|
when = "2024-03-04"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.libc]]
|
|
|
|
version = "0.2.154"
|
|
|
|
when = "2024-04-29"
|
|
|
|
user-id = 51017
|
|
|
|
user-login = "JohnTitor"
|
|
|
|
user-name = "Yuki Okushi"
|
|
|
|
|
|
|
|
[[publisher.lock_api]]
|
|
|
|
version = "0.4.12"
|
|
|
|
when = "2024-04-25"
|
|
|
|
user-id = 2915
|
|
|
|
user-login = "Amanieu"
|
|
|
|
user-name = "Amanieu d'Antras"
|
|
|
|
|
|
|
|
[[publisher.num-traits]]
|
|
|
|
version = "0.2.18"
|
|
|
|
when = "2024-02-08"
|
|
|
|
user-id = 539
|
|
|
|
user-login = "cuviper"
|
|
|
|
user-name = "Josh Stone"
|
|
|
|
|
|
|
|
[[publisher.parking_lot]]
|
|
|
|
version = "0.12.3"
|
|
|
|
when = "2024-05-24"
|
|
|
|
user-id = 2915
|
|
|
|
user-login = "Amanieu"
|
|
|
|
user-name = "Amanieu d'Antras"
|
|
|
|
|
|
|
|
[[publisher.parking_lot_core]]
|
|
|
|
version = "0.9.10"
|
|
|
|
when = "2024-04-25"
|
|
|
|
user-id = 2915
|
|
|
|
user-login = "Amanieu"
|
|
|
|
user-name = "Amanieu d'Antras"
|
|
|
|
|
|
|
|
[[publisher.proc-macro2]]
|
|
|
|
version = "1.0.85"
|
|
|
|
when = "2024-06-02"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.quote]]
|
|
|
|
version = "1.0.36"
|
|
|
|
when = "2024-04-10"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.ryu]]
|
|
|
|
version = "1.0.18"
|
|
|
|
when = "2024-05-07"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.scopeguard]]
|
|
|
|
version = "1.2.0"
|
|
|
|
when = "2023-07-17"
|
|
|
|
user-id = 2915
|
|
|
|
user-login = "Amanieu"
|
|
|
|
user-name = "Amanieu d'Antras"
|
|
|
|
|
|
|
|
[[publisher.serde]]
|
|
|
|
version = "1.0.203"
|
|
|
|
when = "2024-05-25"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.serde_derive]]
|
|
|
|
version = "1.0.203"
|
|
|
|
when = "2024-05-25"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.serde_json]]
|
|
|
|
version = "1.0.117"
|
|
|
|
when = "2024-05-08"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.smallvec]]
|
|
|
|
version = "1.13.2"
|
|
|
|
when = "2024-03-20"
|
|
|
|
user-id = 2017
|
|
|
|
user-login = "mbrubeck"
|
|
|
|
user-name = "Matt Brubeck"
|
|
|
|
|
|
|
|
[[publisher.syn]]
|
|
|
|
version = "2.0.56"
|
|
|
|
when = "2024-03-30"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.thiserror]]
|
|
|
|
version = "1.0.61"
|
|
|
|
when = "2024-05-17"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.thiserror-impl]]
|
|
|
|
version = "1.0.61"
|
|
|
|
when = "2024-05-17"
|
|
|
|
user-id = 3618
|
|
|
|
user-login = "dtolnay"
|
|
|
|
user-name = "David Tolnay"
|
|
|
|
|
|
|
|
[[publisher.toml]]
|
|
|
|
version = "0.5.7"
|
|
|
|
when = "2020-10-11"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.unicode-width]]
|
|
|
|
version = "0.1.12"
|
|
|
|
when = "2024-04-26"
|
|
|
|
user-id = 1139
|
|
|
|
user-login = "Manishearth"
|
|
|
|
user-name = "Manish Goregaokar"
|
|
|
|
|
|
|
|
[[publisher.wasi]]
|
|
|
|
version = "0.11.0+wasi-snapshot-preview1"
|
|
|
|
when = "2022-01-19"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.wasm-bindgen]]
|
|
|
|
version = "0.2.91"
|
|
|
|
when = "2024-02-06"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.wasm-bindgen-backend]]
|
|
|
|
version = "0.2.92"
|
|
|
|
when = "2024-03-04"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.wasm-bindgen-macro]]
|
|
|
|
version = "0.2.92"
|
|
|
|
when = "2024-03-04"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.wasm-bindgen-shared]]
|
|
|
|
version = "0.2.92"
|
|
|
|
when = "2024-03-04"
|
|
|
|
user-id = 1
|
|
|
|
user-login = "alexcrichton"
|
|
|
|
user-name = "Alex Crichton"
|
|
|
|
|
|
|
|
[[publisher.windows-core]]
|
|
|
|
version = "0.52.0"
|
|
|
|
when = "2023-11-15"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows-sys]]
|
|
|
|
version = "0.48.0"
|
|
|
|
when = "2023-03-31"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows-targets]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows-targets]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_aarch64_gnullvm]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_aarch64_gnullvm]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_aarch64_msvc]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_aarch64_msvc]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_i686_gnu]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_i686_gnu]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_i686_gnullvm]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_i686_msvc]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_i686_msvc]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_x86_64_gnu]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_x86_64_gnu]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_x86_64_gnullvm]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_x86_64_gnullvm]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_x86_64_msvc]]
|
|
|
|
version = "0.48.5"
|
|
|
|
when = "2023-08-18"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.windows_x86_64_msvc]]
|
|
|
|
version = "0.52.5"
|
|
|
|
when = "2024-04-12"
|
|
|
|
user-id = 64539
|
|
|
|
user-login = "kennykerr"
|
|
|
|
user-name = "Kenny Kerr"
|
|
|
|
|
|
|
|
[[publisher.xash3d-admin]]
|
|
|
|
version = "0.1.0"
|
|
|
|
when = "2024-01-28"
|
|
|
|
user-id = 251561
|
|
|
|
user-login = "numas13"
|
|
|
|
user-name = "Denis Drakhnia"
|
|
|
|
|
|
|
|
[[publisher.xash3d-master]]
|
|
|
|
version = "0.1.0"
|
|
|
|
when = "2024-01-28"
|
|
|
|
user-id = 251561
|
|
|
|
user-login = "numas13"
|
|
|
|
user-name = "Denis Drakhnia"
|
|
|
|
|
|
|
|
[[publisher.xash3d-protocol]]
|
|
|
|
version = "0.1.0"
|
|
|
|
when = "2024-01-28"
|
|
|
|
user-id = 251561
|
|
|
|
user-login = "numas13"
|
|
|
|
user-name = "Denis Drakhnia"
|
|
|
|
|
|
|
|
[[publisher.xash3d-query]]
|
|
|
|
version = "0.1.0"
|
|
|
|
when = "2024-01-28"
|
|
|
|
user-id = 251561
|
|
|
|
user-login = "numas13"
|
|
|
|
user-name = "Denis Drakhnia"
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
|
|
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
user-id = 696 # Nick Fitzgerald (fitzgen)
|
|
|
|
start = "2019-03-16"
|
|
|
|
end = "2025-07-30"
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.arrayref]]
|
|
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.3.6"
|
|
|
|
notes = """
|
|
|
|
Unsafe code, but its logic looks good to me. Necessary given what it is
|
|
|
|
doing. Well tested, has quickchecks.
|
|
|
|
"""
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.arrayvec]]
|
|
|
|
who = "Nick Fitzgerald <fitzgen@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.7.2"
|
|
|
|
notes = """
|
|
|
|
Well documented invariants, good assertions for those invariants in unsafe code,
|
|
|
|
and tested with MIRI to boot. LGTM.
|
|
|
|
"""
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.cc]]
|
|
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "1.0.73"
|
|
|
|
notes = "I am the author of this crate."
|
|
|
|
|
|
|
|
# Delta audit imported from bytecode-alliance: covers only the 0.8.4 -> 0.8.6 diff.
# Scope caveat stated by the reviewer: the bindings were not checked for ABI conformance,
# so a mismatched FFI declaration would not have been caught by this review.
[[audits.bytecode-alliance.audits.core-foundation-sys]]
|
|
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.8.4 -> 0.8.6"
|
|
|
|
notes = """
|
|
|
|
The changes here are all typical bindings updates: new functions, types, and
|
|
|
|
constants. I have not audited all the bindings for ABI conformance.
|
|
|
|
"""
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.fastrand]]
|
|
|
|
who = "Alex Crichton <alex@alexcrichton.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "2.0.0 -> 2.0.1"
|
|
|
|
notes = """
|
|
|
|
This update had a few doc updates but no otherwise-substantial source code
|
|
|
|
updates.
|
|
|
|
"""
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone]]
|
|
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.1.59"
|
|
|
|
notes = """
|
|
|
|
I also manually ran windows-bindgen and confirmed that the output matches
|
|
|
|
the bindings checked into the repo.
|
|
|
|
"""
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
|
|
|
|
who = "Dan Gohman <dev@sunfishcode.online>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.1.2"
|
|
|
|
|
|
|
|
[[audits.bytecode-alliance.audits.signal-hook-registry]]
|
|
|
|
who = "Pat Hickey <phickey@fastly.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "1.4.1"
|
|
|
|
|
|
|
|
# Full-version audit of autocfg 1.1.0 imported from Google (Chromium).
# NOTE(review): `notes` is a basic (""") string, so TOML reads each `\b` below as a backspace
# escape rather than a literal regex word boundary; the 1.1.0 -> 1.2.0 entry that follows
# uses a literal (''') string, where `\b` is kept verbatim.
# The audit details are in a Google-internal document, so they cannot be checked from this file.
[[audits.google.audits.autocfg]]
|
|
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "1.1.0"
|
|
|
|
notes = """
|
|
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
|
|
and there were no hits except for reasonable, client-controlled usage of
|
|
|
|
`std::fs` in `AutoCfg::with_dir`.
|
|
|
|
|
|
|
|
This crate has been added to Chromium in
|
|
|
|
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
|
|
|
|
The CL description contains a link to a Google-internal document with audit details.
|
|
|
|
"""
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
[[audits.google.audits.autocfg]]
|
|
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.1.0 -> 1.2.0"
|
|
|
|
notes = '''
|
|
|
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
|
|
|
|
and nothing changed from the baseline audit of 1.1.0. Skimmed through the
|
|
|
|
1.1.0 => 1.2.0 delta and everything seemed okay.
|
|
|
|
'''
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "2.4.2"
|
|
|
|
notes = """
|
|
|
|
Audit notes:
|
|
|
|
|
|
|
|
* I've checked for any discussion in Google-internal cl/546819168 (where audit
|
|
|
|
of version 2.3.3 happened)
|
|
|
|
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
|
|
|
|
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
|
|
|
|
correct in a straightforward way - they just propagate the marker trait's
|
|
|
|
impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type
|
|
|
|
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
|
|
|
|
"""
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
[[audits.google.audits.bitflags]]
|
|
|
|
who = "Adrian Taylor <adetaylor@chromium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "2.4.2 -> 2.5.0"
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
[[audits.google.audits.cfg-if]]
|
|
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "1.0.0"
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
# Full-version audit of fastrand 1.9.0 imported from Google (ChromiumOS).
# The notes mention `does-not-implement-crypto`, but the criteria recorded in this entry
# is only `safe-to-deploy`.
# Per the reviewer, the crate states that its RNG is not cryptographically secure, so it
# must not be the source of keys, tokens or nonces.
[[audits.google.audits.fastrand]]
|
|
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "1.9.0"
|
|
|
|
notes = """
|
|
|
|
`does-not-implement-crypto` is certified because this crate explicitly says
|
|
|
|
that the RNG here is not cryptographically secure.
|
|
|
|
"""
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
# Delta audit imported from Google (Fuchsia): vouches only for the 0.2.2 -> 0.2.12 diff.
# NOTE(review): no full audit of getrandom 0.2.2 appears in this file, so the base of the
# chain presumably comes from the project's own audits.toml or an exemption - confirm.
# A delta audit is only as strong as the version it starts from.
[[audits.google.audits.getrandom]]
|
|
|
|
who = "David Koloski <dkoloski@google.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.2.2 -> 0.2.12"
|
|
|
|
notes = "Audited at https://fxrev.dev/932979"
|
|
|
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
[[audits.google.audits.unicode-ident]]
|
|
|
|
who = "Lukasz Anforowicz <lukasza@chromium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "1.0.12"
|
|
|
|
notes = '''
|
|
|
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
|
|
|
|
|
|
|
|
All two functions from the public API of this crate use `unsafe` to avoid bound
|
|
|
|
checks for an array access. Cross-module analysis shows that the offsets can
|
|
|
|
be statically proven to be within array bounds. More details can be found in
|
|
|
|
the unsafe review CL at https://crrev.com/c/5350386.
|
|
|
|
|
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3891618.
|
|
|
|
'''
|
|
|
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
|
|
|
|
|
|
|
|
[[audits.isrg.audits.crunchy]]
|
|
|
|
who = "David Cook <dcook@divviup.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.2.2"
|
|
|
|
|
|
|
|
[[audits.isrg.audits.getrandom]]
|
|
|
|
who = "David Cook <dcook@divviup.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.2.12 -> 0.2.14"
|
|
|
|
|
|
|
|
[[audits.isrg.audits.getrandom]]
|
|
|
|
who = "David Cook <dcook@divviup.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.2.14 -> 0.2.15"
|
|
|
|
|
|
|
|
[[audits.isrg.audits.once_cell]]
|
|
|
|
who = "Brandon Pitman <bran@bran.land>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.17.1 -> 1.17.2"
|
|
|
|
|
|
|
|
# Wildcard audit imported from Mozilla: vouches for every core-foundation-sys version
# published by crates.io user-id 5946 between `start` and `end`, not for one specific version.
# The window closed on 2023-05-04 and `renew = false` marks it as not intended for renewal,
# so releases published after that date need a version or delta audit of their own.
[[audits.mozilla.wildcard-audits.core-foundation-sys]]
|
|
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
user-id = 5946 # Jeff Muizelaar (jrmuizel)
|
|
|
|
start = "2020-10-14"
|
|
|
|
end = "2023-05-04"
|
|
|
|
renew = false
|
|
|
|
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.wildcard-audits.unicode-width]]
|
|
|
|
who = "Manish Goregaokar <manishsmail@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
user-id = 1139 # Manish Goregaokar (Manishearth)
|
|
|
|
start = "2019-12-05"
|
|
|
|
end = "2024-05-03"
|
|
|
|
notes = "All code written or reviewed by Manish"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
|
|
who = "Nicolas Silva <nical@fastmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.1.2"
|
|
|
|
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.1.2 -> 0.1.4"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.android_system_properties]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.1.4 -> 0.1.5"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.cc]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.0.73 -> 1.0.78"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.cc]]
|
|
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.0.78 -> 1.0.83"
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.fastrand]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.9.0 -> 2.0.0"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.4.17"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
|
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.4.17 -> 0.4.18"
|
|
|
|
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.once_cell]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.12.0 -> 1.13.1"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.once_cell]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.13.1 -> 1.16.0"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.once_cell]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.16.0 -> 1.17.1"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.toml]]
|
|
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.5.7 -> 0.5.9"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.toml]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.5.9 -> 0.5.10"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.mozilla.audits.toml]]
|
|
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.5.10 -> 0.5.11"
|
|
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.zcash.audits.arrayref]]
|
|
|
|
who = "Sean Bowe <ewillbefull@gmail.com>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.3.6 -> 0.3.7"
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.zcash.audits.autocfg]]
|
|
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.2.0 -> 1.3.0"
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
# Delta audit imported from zcash: covers only the cc 1.0.83 -> 1.0.94 diff.
# The reviewer's own notes limit what this `safe-to-deploy` entry certifies:
# - a possible panic-safety problem that could leave uninitialized data in a buffer (reported upstream);
# - the use of library handles in the Windows `com` package was not reviewed;
# - the review is described as likely insufficient to detect subtle backdoors in a crate
#   that executes commands.
# Treat this entry as a scoped review rather than full assurance.
[[audits.zcash.audits.cc]]
|
|
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.0.83 -> 1.0.94"
|
|
|
|
notes = """
|
|
|
|
The optimization to use `buffer.set_len(buffer.capacity())` in `command_helpers::StderrForwarder::forward_available`
|
|
|
|
doesn't look panic-safe: if `stderr.read` panics and that panic is caught by a caller of `forward_available`, then
|
|
|
|
the inner buffer of `StderrForwarder` will contain uninitialized data. This looks difficult to trigger in practice,
|
|
|
|
but I have opened an issue <https://github.com/rust-lang/cc-rs/issues/1036>.
|
|
|
|
|
|
|
|
`parallel::async_executor` contains `unsafe` pinning code but it looks reasonable. Similarly for the `unsafe`
|
|
|
|
initialization code in `parallel::job_token::JobTokenServer` and file operations in `parallel::stderr`.
|
|
|
|
|
|
|
|
This crate executes commands, and my review is likely not sufficient to detect subtle backdoors.
|
|
|
|
I did not review the use of library handles in the `com` package on Windows.
|
|
|
|
"""
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.zcash.audits.cc]]
|
|
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "1.0.94 -> 1.0.97"
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.zcash.audits.fastrand]]
|
|
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "2.0.2 -> 2.1.0"
|
|
|
|
notes = """
|
|
|
|
As noted in the changelog, this version produces different output for a given seed.
|
|
|
|
The documentation did not mention stability. It is possible that some uses relying on
|
|
|
|
determinism across the update would be broken.
|
|
|
|
|
|
|
|
The new constants do appear to match WyRand v4.2 (modulo ordering issues that I have not checked):
|
|
|
|
https://github.com/wangyi-fudan/wyhash/blob/408620b6d12b7d667b3dd6ae39b7929a39e8fa05/wyhash.h#L145
|
|
|
|
I have no way to check whether these constants are an improvement or not.
|
|
|
|
"""
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.zcash.audits.mio]]
|
|
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
delta = "0.8.10 -> 0.8.11"
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|
|
|
|
|
|
[[audits.zcash.audits.wasm-bindgen-macro-support]]
|
|
|
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
|
|
|
|
criteria = "safe-to-deploy"
|
|
|
|
version = "0.2.92"
|
|
|
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|