# cargo-vet imports lock

[[publisher.bumpalo]]
version = "3.12.0"
when = "2023-01-17"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.core-foundation-sys]]
version = "0.8.4"
when = "2023-04-03"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.getopts]]
version = "0.2.21"
when = "2019-08-19"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.itoa]]
version = "1.0.11"
when = "2024-03-26"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.js-sys]]
version = "0.3.64"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.libc]]
version = "0.2.153"
when = "2024-01-31"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.num-traits]]
version = "0.2.18"
when = "2024-02-08"
user-id = 539
user-login = "cuviper"
user-name = "Josh Stone"

[[publisher.proc-macro2]]
version = "1.0.79"
when = "2024-03-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.ryu]]
version = "1.0.17"
when = "2024-02-19"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_json]]
version = "1.0.115"
when = "2024-03-26"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.syn]]
version = "2.0.56"
when = "2024-03-30"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.thiserror]]
version = "1.0.58"
when = "2024-03-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.thiserror-impl]]
version = "1.0.58"
when = "2024-03-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.toml]]
version = "0.5.7"
when = "2020-10-11"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.unicode-width]]
version = "0.1.11"
when = "2023-09-19"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.wasi]]
version = "0.11.0+wasi-snapshot-preview1"
when = "2022-01-19"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-backend]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-macro]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-macro-support]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-shared]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.windows-core]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_gnullvm]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.xash3d-admin]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[publisher.xash3d-master]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[publisher.xash3d-protocol]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[publisher.xash3d-query]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2024-03-10"

[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is
doing. Well tested, has quickchecks.
"""

[[audits.bytecode-alliance.audits.arrayvec]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.7.2"
notes = """
Well documented invariants, good assertions for those invariants in unsafe code,
and tested with MIRI to boot. LGTM.
"""

[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """
This update had a few doc updates but no otherwise-substantial source code
updates.
"""

[[audits.bytecode-alliance.audits.iana-time-zone]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.1.59"
notes = """
I also manually ran windows-bindgen and confirmed that the output matches
the bindings checked into the repo.
"""

[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.1.2"

[[audits.bytecode-alliance.audits.signal-hook-registry]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.4.1"

[[audits.google.audits.autocfg]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and there were no hits except for reasonable, client-controlled usage of
`std::fs` in `AutoCfg::with_dir`.

This crate has been added to Chromium in
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
The CL description contains a link to a Google-internal document with audit details.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.autocfg]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.2.0"
notes = '''
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and nothing changed from the baseline audit of 1.1.0.  Skimmed through the
1.1.0 => 1.2.0 delta and everything seemed okay.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.bitflags]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "2.4.2"
notes = """
Audit notes:

* I've checked for any discussion in Google-internal cl/546819168 (where audit
  of version 2.3.3 happened)
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
  correct in a straightforward way - they just propagate the marker trait's
  impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.bitflags]]
who = "Adrian Taylor <adetaylor@chromium.org>"
criteria = "safe-to-deploy"
delta = "2.4.2 -> 2.5.0"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.cfg-if]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.fastrand]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says
that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.quote]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.35"
notes = """
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.serde]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.197"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.

There were some hits for `net`, but they were related to serialization and
not actually opening any connections or anything like that.

There were 2 hits of `unsafe` when grepping:
* In `fn as_str` in `impl Buf`
* In `fn serialize` in `impl Serialize for net::Ipv4Addr`

Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this
review also covered `serde_json_lenient`).

Version 1.0.130 of the crate has been added to Chromium in
https://crrev.com/c/3265545.  The CL description contains a link to a
(Google-internal, sorry) document with a mini security review.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.serde_derive]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.197"
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.unicode-ident]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.12"
notes = '''
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.

All two functions from the public API of this crate use `unsafe` to avoid bound
checks for an array access.  Cross-module analysis shows that the offsets can
be statically proven to be within array bounds.  More details can be found in
the unsafe review CL at https://crrev.com/c/5350386.

This crate has been added to Chromium in https://crrev.com/c/3891618.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.isrg.audits.crunchy]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.2.2"

[[audits.isrg.audits.getrandom]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "0.2.10 -> 0.2.11"

[[audits.isrg.audits.getrandom]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "0.2.11 -> 0.2.12"

[[audits.mozilla.wildcard-audits.core-foundation-sys]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2020-10-14"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.unicode-width]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-12-05"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.cc]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.73 -> 1.0.78"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.cc]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.log]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.4.17 -> 0.4.18"
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.toml]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.5.7 -> 0.5.9"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.toml]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.9 -> 0.5.10"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.toml]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.10 -> 0.5.11"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.zcash.audits.arrayref]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.3.6 -> 0.3.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"