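# cargo-vet imports lock
#
# This file is maintained by cargo-vet; regenerate it with the tool rather than
# editing it by hand. It holds two kinds of records:
#
#   [[publisher.<crate>]]
#       Which crates.io account published the exact version in use. These
#       records back publisher-based trust (wildcard audits below, or trust
#       entries kept outside this file). They attest to who published a
#       release, not to a review of its code.
#
#   [[audits.<source>.audits.<crate>]] / [[audits.<source>.wildcard-audits.<crate>]]
#       Audits imported from other organisations. `version` is a full audit of
#       one release; `delta` covers only the changes between two releases and
#       is useful only when chained to an audited base version.
#
# When reviewing a change to this file, check new publisher accounts, widened
# wildcard date windows, and entries that carry no `notes`, since those record
# no rationale for the verdict.

[[publisher.bumpalo]]
version = "3.12.0"
when = "2023-01-17"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.core-foundation-sys]]
version = "0.8.4"
when = "2023-04-03"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.getopts]]
version = "0.2.21"
when = "2019-08-19"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.itoa]]
version = "1.0.11"
when = "2024-03-26"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.js-sys]]
version = "0.3.64"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.libc]]
version = "0.2.153"
when = "2024-01-31"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.num-traits]]
version = "0.2.18"
when = "2024-02-08"
user-id = 539
user-login = "cuviper"
user-name = "Josh Stone"

[[publisher.proc-macro2]]
version = "1.0.79"
when = "2024-03-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.ryu]]
version = "1.0.17"
when = "2024-02-19"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_json]]
version = "1.0.115"
when = "2024-03-26"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.syn]]
version = "2.0.56"
when = "2024-03-30"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.thiserror]]
version = "1.0.58"
when = "2024-03-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.thiserror-impl]]
version = "1.0.58"
when = "2024-03-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.toml]]
version = "0.5.7"
when = "2020-10-11"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.unicode-width]]
version = "0.1.11"
when = "2023-09-19"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.wasi]]
version = "0.11.0+wasi-snapshot-preview1"
when = "2022-01-19"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-backend]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-macro]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-macro-support]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-shared]]
version = "0.2.87"
when = "2023-06-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.windows-core]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_gnullvm]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.52.4"
when = "2024-02-28"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

# The four xash3d-* crates share one publisher account and release date.
# NOTE(review): presumably first-party crates; the trust entry that these
# records satisfy is not in this file, so confirm it in the project's audits.
[[publisher.xash3d-admin]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[publisher.xash3d-master]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[publisher.xash3d-protocol]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

[[publisher.xash3d-query]]
version = "0.1.0"
when = "2024-01-28"
user-id = 251561
user-login = "numas13"
user-name = "Denis Drakhnia"

# A wildcard audit vouches for every release published by `user-id` between
# `start` and `end`. The bumpalo release recorded above (3.12.0, published
# 2023-01-17) falls inside this window; a release published after `end` is not
# covered by it.
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2024-03-10"

[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is doing.
Well tested, has quickchecks.
"""

[[audits.bytecode-alliance.audits.arrayvec]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
version = "0.7.2"
notes = """
Well documented invariants, good assertions for those invariants in unsafe code,
and tested with MIRI to boot. LGTM.
"""

# Self-attestation by the crate author rather than an independent review.
[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """
This update had a few doc updates but no otherwise-substantial source code
updates.
"""

[[audits.bytecode-alliance.audits.iana-time-zone]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.1.59"
notes = """
I also manually ran windows-bindgen and confirmed that the output matches the
bindings checked into the repo.
"""

[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.1.2"

[[audits.bytecode-alliance.audits.signal-hook-registry]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.4.1"

# `aggregated-from` records the URL of the audits file this entry was collected
# from. Several Google notes point to Google-internal documents, so the
# detailed review behind them cannot be checked from this file.
# In a basic (""") string TOML reads `\b` as the backspace escape, so the grep
# patterns in these notes are not stored literally.
[[audits.google.audits.autocfg]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and there were no hits except for reasonable, client-controlled usage
of `std::fs` in `AutoCfg::with_dir`.
This crate has been added to Chromium in
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
The CL description contains a link to a Google-internal document with audit details.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.autocfg]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.2.0"
notes = '''
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and nothing changed from the baseline audit of 1.1.0. Skimmed through the
1.1.0 => 1.2.0 delta and everything seemed okay.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.bitflags]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "2.4.2"
notes = """
Audit notes:
* I've checked for any discussion in Google-internal cl/546819168 (where audit
of version 2.3.3 happened)
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
correct in a straightforward way - they just propagate the marker trait's impl
(e.g. `impl bytemuck::Pod`) from the inner to the outer type
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.bitflags]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "2.4.2 -> 2.5.0"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.cfg-if]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.fastrand]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says
that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.quote]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.35"
notes = """
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.serde]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.197"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
There were some hits for `net`, but they were related to serialization and
not actually opening any connections or anything like that.
There were 2 hits of `unsafe` when grepping:
* In `fn as_str` in `impl Buf`
* In `fn serialize` in `impl Serialize for net::Ipv4Addr`
Unsafe review comments can be found in https://crrev.com/c/5350573/2
(this review also covered `serde_json_lenient`).
Version 1.0.130 of the crate has been added to Chromium in
https://crrev.com/c/3265545. The CL description contains a link to a
(Google-internal, sorry) document with a mini security review.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.serde_derive]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.197"
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.unicode-ident]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.12"
notes = '''
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
All two functions from the public API of this crate use `unsafe` to avoid bound
checks for an array access. Cross-module analysis shows that the offsets can
be statically proven to be within array bounds. More details can be found in
the unsafe review CL at https://crrev.com/c/5350386.
This crate has been added to Chromium in https://crrev.com/c/3891618.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.isrg.audits.crunchy]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.2.2"

# Only delta audits for getrandom appear in this file (0.2.10 -> 0.2.12); the
# base audit for 0.2.10 must come from elsewhere.
# NOTE(review): confirm the base is covered by a local audit or exemption.
[[audits.isrg.audits.getrandom]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.2.10 -> 0.2.11"

[[audits.isrg.audits.getrandom]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.11 -> 0.2.12"

# This window closed on 2023-05-04 and `renew = false` is set. The release
# recorded above (0.8.4, published 2023-04-03) is inside the window; a newer
# core-foundation-sys release would need its own audit.
[[audits.mozilla.wildcard-audits.core-foundation-sys]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2020-10-14"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.unicode-width]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-12-05"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# These deltas chain from the bytecode-alliance audit of cc 1.0.73 above, so
# the verdict for 1.0.83 combines statements from two organisations.
[[audits.mozilla.audits.cc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.73 -> 1.0.78"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.cc]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.log]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
version = "0.4.17"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.log]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.4.17 -> 0.4.18"
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

# The toml deltas start at 0.5.7, the release recorded under
# [[publisher.toml]] above, so this chain rests on publisher trust rather than
# on a full audit of the base version.
[[audits.mozilla.audits.toml]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
delta = "0.5.7 -> 0.5.9"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.toml]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.9 -> 0.5.10"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.toml]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.10 -> 0.5.11"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Chains from the bytecode-alliance audit of arrayref 0.3.6 above.
[[audits.zcash.audits.arrayref]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "0.3.6 -> 0.3.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"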