You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
703 lines
20 KiB
703 lines
20 KiB
|
|
# cargo-vet imports lock |
|
|
|
[[publisher.bumpalo]] |
|
version = "3.15.4" |
|
when = "2024-03-07" |
|
user-id = 696 |
|
user-login = "fitzgen" |
|
user-name = "Nick Fitzgerald" |
|
|
|
[[publisher.core-foundation-sys]] |
|
version = "0.8.4" |
|
when = "2023-04-03" |
|
user-id = 5946 |
|
user-login = "jrmuizel" |
|
user-name = "Jeff Muizelaar" |
|
|
|
[[publisher.getopts]] |
|
version = "0.2.21" |
|
when = "2019-08-19" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.itoa]] |
|
version = "1.0.11" |
|
when = "2024-03-26" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.js-sys]] |
|
version = "0.3.69" |
|
when = "2024-03-04" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.libc]] |
|
version = "0.2.154" |
|
when = "2024-04-29" |
|
user-id = 51017 |
|
user-login = "JohnTitor" |
|
user-name = "Yuki Okushi" |
|
|
|
[[publisher.lock_api]] |
|
version = "0.4.12" |
|
when = "2024-04-25" |
|
user-id = 2915 |
|
user-login = "Amanieu" |
|
user-name = "Amanieu d'Antras" |
|
|
|
[[publisher.num-traits]] |
|
version = "0.2.18" |
|
when = "2024-02-08" |
|
user-id = 539 |
|
user-login = "cuviper" |
|
user-name = "Josh Stone" |
|
|
|
[[publisher.parking_lot]] |
|
version = "0.12.3" |
|
when = "2024-05-24" |
|
user-id = 2915 |
|
user-login = "Amanieu" |
|
user-name = "Amanieu d'Antras" |
|
|
|
[[publisher.parking_lot_core]] |
|
version = "0.9.10" |
|
when = "2024-04-25" |
|
user-id = 2915 |
|
user-login = "Amanieu" |
|
user-name = "Amanieu d'Antras" |
|
|
|
[[publisher.proc-macro2]] |
|
version = "1.0.85" |
|
when = "2024-06-02" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.quote]] |
|
version = "1.0.36" |
|
when = "2024-04-10" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.ryu]] |
|
version = "1.0.18" |
|
when = "2024-05-07" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.scopeguard]] |
|
version = "1.2.0" |
|
when = "2023-07-17" |
|
user-id = 2915 |
|
user-login = "Amanieu" |
|
user-name = "Amanieu d'Antras" |
|
|
|
[[publisher.serde]] |
|
version = "1.0.203" |
|
when = "2024-05-25" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.serde_derive]] |
|
version = "1.0.203" |
|
when = "2024-05-25" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.serde_json]] |
|
version = "1.0.117" |
|
when = "2024-05-08" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.smallvec]] |
|
version = "1.13.2" |
|
when = "2024-03-20" |
|
user-id = 2017 |
|
user-login = "mbrubeck" |
|
user-name = "Matt Brubeck" |
|
|
|
[[publisher.syn]] |
|
version = "2.0.56" |
|
when = "2024-03-30" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.thiserror]] |
|
version = "1.0.61" |
|
when = "2024-05-17" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.thiserror-impl]] |
|
version = "1.0.61" |
|
when = "2024-05-17" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.toml]] |
|
version = "0.5.7" |
|
when = "2020-10-11" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.unicode-width]] |
|
version = "0.1.12" |
|
when = "2024-04-26" |
|
user-id = 1139 |
|
user-login = "Manishearth" |
|
user-name = "Manish Goregaokar" |
|
|
|
[[publisher.wasi]] |
|
version = "0.11.0+wasi-snapshot-preview1" |
|
when = "2022-01-19" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen]] |
|
version = "0.2.91" |
|
when = "2024-02-06" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-backend]] |
|
version = "0.2.92" |
|
when = "2024-03-04" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-macro]] |
|
version = "0.2.92" |
|
when = "2024-03-04" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-shared]] |
|
version = "0.2.92" |
|
when = "2024-03-04" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.windows-core]] |
|
version = "0.52.0" |
|
when = "2023-11-15" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows-sys]] |
|
version = "0.48.0" |
|
when = "2023-03-31" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows-targets]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows-targets]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_aarch64_gnullvm]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_aarch64_gnullvm]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_aarch64_msvc]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_aarch64_msvc]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_gnu]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_gnu]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_gnullvm]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_msvc]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_msvc]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_gnu]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_gnu]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_gnullvm]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_gnullvm]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_msvc]] |
|
version = "0.48.5" |
|
when = "2023-08-18" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_msvc]] |
|
version = "0.52.5" |
|
when = "2024-04-12" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.xash3d-admin]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[publisher.xash3d-master]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[publisher.xash3d-protocol]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[publisher.xash3d-query]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[audits.bytecode-alliance.wildcard-audits.bumpalo]] |
|
who = "Nick Fitzgerald <fitzgen@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
user-id = 696 # Nick Fitzgerald (fitzgen) |
|
start = "2019-03-16" |
|
end = "2025-07-30" |
|
|
|
[[audits.bytecode-alliance.audits.arrayref]] |
|
who = "Nick Fitzgerald <fitzgen@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
version = "0.3.6" |
|
notes = """ |
|
Unsafe code, but its logic looks good to me. Necessary given what it is |
|
doing. Well tested, has quickchecks. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.arrayvec]] |
|
who = "Nick Fitzgerald <fitzgen@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
version = "0.7.2" |
|
notes = """ |
|
Well documented invariants, good assertions for those invariants in unsafe code, |
|
and tested with MIRI to boot. LGTM. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.cc]] |
|
who = "Alex Crichton <alex@alexcrichton.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.73" |
|
notes = "I am the author of this crate." |
|
|
|
[[audits.bytecode-alliance.audits.core-foundation-sys]] |
|
who = "Dan Gohman <dev@sunfishcode.online>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.8.4 -> 0.8.6" |
|
notes = """ |
|
The changes here are all typical bindings updates: new functions, types, and |
|
constants. I have not audited all the bindings for ABI conformance. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.fastrand]] |
|
who = "Alex Crichton <alex@alexcrichton.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "2.0.0 -> 2.0.1" |
|
notes = """ |
|
This update had a few doc updates but no otherwise-substantial source code |
|
updates. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone]] |
|
who = "Dan Gohman <dev@sunfishcode.online>" |
|
criteria = "safe-to-deploy" |
|
version = "0.1.59" |
|
notes = """ |
|
I also manually ran windows-bindgen and confirmed that the output matches |
|
the bindings checked into the repo. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone-haiku]] |
|
who = "Dan Gohman <dev@sunfishcode.online>" |
|
criteria = "safe-to-deploy" |
|
version = "0.1.2" |
|
|
|
[[audits.bytecode-alliance.audits.signal-hook-registry]] |
|
who = "Pat Hickey <phickey@fastly.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.4.1" |
|
|
|
[[audits.google.audits.autocfg]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.1.0" |
|
notes = """ |
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` |
|
and there were no hits except for reasonable, client-controlled usage of |
|
`std::fs` in `AutoCfg::with_dir`. |
|
|
|
This crate has been added to Chromium in |
|
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb |
|
The CL description contains a link to a Google-internal document with audit details. |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.autocfg]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.1.0 -> 1.2.0" |
|
notes = ''' |
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` |
|
and nothing changed from the baseline audit of 1.1.0. Skimmed through the |
|
1.1.0 => 1.2.0 delta and everything seemed okay. |
|
''' |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.bitflags]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "2.4.2" |
|
notes = """ |
|
Audit notes: |
|
|
|
* I've checked for any discussion in Google-internal cl/546819168 (where audit |
|
of version 2.3.3 happened) |
|
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` |
|
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be |
|
correct in a straightforward way - they just propagate the marker trait's |
|
impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type |
|
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056 |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.bitflags]] |
|
who = "Adrian Taylor <adetaylor@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "2.4.2 -> 2.5.0" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.cfg-if]] |
|
who = "George Burgess IV <gbiv@google.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.0" |
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.fastrand]] |
|
who = "George Burgess IV <gbiv@google.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.9.0" |
|
notes = """ |
|
`does-not-implement-crypto` is certified because this crate explicitly says |
|
that the RNG here is not cryptographically secure. |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.getrandom]] |
|
who = "David Koloski <dkoloski@google.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.2.2 -> 0.2.12" |
|
notes = "Audited at https://fxrev.dev/932979" |
|
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.unicode-ident]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.12" |
|
notes = ''' |
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. |
|
|
|
All two functions from the public API of this crate use `unsafe` to avoid bound |
|
checks for an array access. Cross-module analysis shows that the offsets can |
|
be statically proven to be within array bounds. More details can be found in |
|
the unsafe review CL at https://crrev.com/c/5350386. |
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3891618. |
|
''' |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.isrg.audits.crunchy]] |
|
who = "David Cook <dcook@divviup.org>" |
|
criteria = "safe-to-deploy" |
|
version = "0.2.2" |
|
|
|
[[audits.isrg.audits.getrandom]] |
|
who = "David Cook <dcook@divviup.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.2.12 -> 0.2.14" |
|
|
|
[[audits.isrg.audits.getrandom]] |
|
who = "David Cook <dcook@divviup.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.2.14 -> 0.2.15" |
|
|
|
[[audits.isrg.audits.once_cell]] |
|
who = "Brandon Pitman <bran@bran.land>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.17.1 -> 1.17.2" |
|
|
|
[[audits.mozilla.wildcard-audits.core-foundation-sys]] |
|
who = "Bobby Holley <bobbyholley@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
user-id = 5946 # Jeff Muizelaar (jrmuizel) |
|
start = "2020-10-14" |
|
end = "2023-05-04" |
|
renew = false |
|
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.wildcard-audits.unicode-width]] |
|
who = "Manish Goregaokar <manishsmail@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
user-id = 1139 # Manish Goregaokar (Manishearth) |
|
start = "2019-12-05" |
|
end = "2024-05-03" |
|
notes = "All code written or reviewed by Manish" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.android_system_properties]] |
|
who = "Nicolas Silva <nical@fastmail.com>" |
|
criteria = "safe-to-deploy" |
|
version = "0.1.2" |
|
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship." |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.android_system_properties]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.1.2 -> 0.1.4" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.android_system_properties]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.1.4 -> 0.1.5" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.cc]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.0.73 -> 1.0.78" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.cc]] |
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.0.78 -> 1.0.83" |
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.fastrand]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.9.0 -> 2.0.0" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.log]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "0.4.17" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.log]] |
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.4.17 -> 0.4.18" |
|
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." |
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.once_cell]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.12.0 -> 1.13.1" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.once_cell]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.13.1 -> 1.16.0" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.once_cell]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.16.0 -> 1.17.1" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.toml]] |
|
who = "Bobby Holley <bobbyholley@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.5.7 -> 0.5.9" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.toml]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.5.9 -> 0.5.10" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.toml]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.5.10 -> 0.5.11" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.arrayref]] |
|
who = "Sean Bowe <ewillbefull@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.3.6 -> 0.3.7" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.autocfg]] |
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.2.0 -> 1.3.0" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.cc]] |
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.0.83 -> 1.0.94" |
|
notes = """ |
|
The optimization to use `buffer.set_len(buffer.capacity())` in `command_helpers::StderrForwarder::forward_available` |
|
doesn't look panic-safe: if `stderr.read` panics and that panic is caught by a caller of `forward_available`, then |
|
the inner buffer of `StderrForwarder` will contain uninitialized data. This looks difficult to trigger in practice, |
|
but I have opened an issue <https://github.com/rust-lang/cc-rs/issues/1036>. |
|
|
|
`parallel::async_executor` contains `unsafe` pinning code but it looks reasonable. Similarly for the `unsafe` |
|
initialization code in `parallel::job_token::JobTokenServer` and file operations in `parallel::stderr`. |
|
|
|
This crate executes commands, and my review is likely not sufficient to detect subtle backdoors. |
|
I did not review the use of library handles in the `com` package on Windows. |
|
""" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.cc]] |
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.0.94 -> 1.0.97" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.fastrand]] |
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "2.0.2 -> 2.1.0" |
|
notes = """ |
|
As noted in the changelog, this version produces different output for a given seed. |
|
The documentation did not mention stability. It is possible that some uses relying on |
|
determinism across the update would be broken. |
|
|
|
The new constants do appear to match WyRand v4.2 (modulo ordering issues that I have not checked): |
|
https://github.com/wangyi-fudan/wyhash/blob/408620b6d12b7d667b3dd6ae39b7929a39e8fa05/wyhash.h#L145 |
|
I have no way to check whether these constants are an improvement or not. |
|
""" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.mio]] |
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.8.10 -> 0.8.11" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.wasm-bindgen-macro-support]] |
|
who = "Daira-Emma Hopwood <daira@jacaranda.org>" |
|
criteria = "safe-to-deploy" |
|
version = "0.2.92" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|