You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
528 lines
16 KiB
528 lines
16 KiB
|
|
# cargo-vet imports lock |
|
|
|
[[publisher.bumpalo]] |
|
version = "3.12.0" |
|
when = "2023-01-17" |
|
user-id = 696 |
|
user-login = "fitzgen" |
|
user-name = "Nick Fitzgerald" |
|
|
|
[[publisher.core-foundation-sys]] |
|
version = "0.8.4" |
|
when = "2023-04-03" |
|
user-id = 5946 |
|
user-login = "jrmuizel" |
|
user-name = "Jeff Muizelaar" |
|
|
|
[[publisher.getopts]] |
|
version = "0.2.21" |
|
when = "2019-08-19" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.itoa]] |
|
version = "1.0.11" |
|
when = "2024-03-26" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.js-sys]] |
|
version = "0.3.64" |
|
when = "2023-06-12" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.libc]] |
|
version = "0.2.153" |
|
when = "2024-01-31" |
|
user-id = 51017 |
|
user-login = "JohnTitor" |
|
user-name = "Yuki Okushi" |
|
|
|
[[publisher.num-traits]] |
|
version = "0.2.18" |
|
when = "2024-02-08" |
|
user-id = 539 |
|
user-login = "cuviper" |
|
user-name = "Josh Stone" |
|
|
|
[[publisher.proc-macro2]] |
|
version = "1.0.79" |
|
when = "2024-03-12" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.ryu]] |
|
version = "1.0.17" |
|
when = "2024-02-19" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.serde_json]] |
|
version = "1.0.115" |
|
when = "2024-03-26" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.syn]] |
|
version = "2.0.56" |
|
when = "2024-03-30" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.thiserror]] |
|
version = "1.0.58" |
|
when = "2024-03-12" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.thiserror-impl]] |
|
version = "1.0.58" |
|
when = "2024-03-12" |
|
user-id = 3618 |
|
user-login = "dtolnay" |
|
user-name = "David Tolnay" |
|
|
|
[[publisher.toml]] |
|
version = "0.5.7" |
|
when = "2020-10-11" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.unicode-width]] |
|
version = "0.1.11" |
|
when = "2023-09-19" |
|
user-id = 1139 |
|
user-login = "Manishearth" |
|
user-name = "Manish Goregaokar" |
|
|
|
[[publisher.wasi]] |
|
version = "0.11.0+wasi-snapshot-preview1" |
|
when = "2022-01-19" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen]] |
|
version = "0.2.87" |
|
when = "2023-06-12" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-backend]] |
|
version = "0.2.87" |
|
when = "2023-06-12" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-macro]] |
|
version = "0.2.87" |
|
when = "2023-06-12" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-macro-support]] |
|
version = "0.2.87" |
|
when = "2023-06-12" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.wasm-bindgen-shared]] |
|
version = "0.2.87" |
|
when = "2023-06-12" |
|
user-id = 1 |
|
user-login = "alexcrichton" |
|
user-name = "Alex Crichton" |
|
|
|
[[publisher.windows-core]] |
|
version = "0.52.0" |
|
when = "2023-11-15" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows-targets]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_aarch64_gnullvm]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_aarch64_msvc]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_gnu]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_i686_msvc]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_gnu]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_gnullvm]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.windows_x86_64_msvc]] |
|
version = "0.52.4" |
|
when = "2024-02-28" |
|
user-id = 64539 |
|
user-login = "kennykerr" |
|
user-name = "Kenny Kerr" |
|
|
|
[[publisher.xash3d-admin]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[publisher.xash3d-master]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[publisher.xash3d-protocol]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[publisher.xash3d-query]] |
|
version = "0.1.0" |
|
when = "2024-01-28" |
|
user-id = 251561 |
|
user-login = "numas13" |
|
user-name = "Denis Drakhnia" |
|
|
|
[[audits.bytecode-alliance.wildcard-audits.bumpalo]] |
|
who = "Nick Fitzgerald <fitzgen@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
user-id = 696 # Nick Fitzgerald (fitzgen) |
|
start = "2019-03-16" |
|
end = "2024-03-10" |
|
|
|
[[audits.bytecode-alliance.audits.arrayref]] |
|
who = "Nick Fitzgerald <fitzgen@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
version = "0.3.6" |
|
notes = """ |
|
Unsafe code, but its logic looks good to me. Necessary given what it is |
|
doing. Well tested, has quickchecks. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.arrayvec]] |
|
who = "Nick Fitzgerald <fitzgen@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
version = "0.7.2" |
|
notes = """ |
|
Well documented invariants, good assertions for those invariants in unsafe code, |
|
and tested with MIRI to boot. LGTM. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.cc]] |
|
who = "Alex Crichton <alex@alexcrichton.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.73" |
|
notes = "I am the author of this crate." |
|
|
|
[[audits.bytecode-alliance.audits.fastrand]] |
|
who = "Alex Crichton <alex@alexcrichton.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "2.0.0 -> 2.0.1" |
|
notes = """ |
|
This update had a few doc updates but no otherwise-substantial source code |
|
updates. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone]] |
|
who = "Dan Gohman <dev@sunfishcode.online>" |
|
criteria = "safe-to-deploy" |
|
version = "0.1.59" |
|
notes = """ |
|
I also manually ran windows-bindgen and confirmed that the output matches |
|
the bindings checked into the repo. |
|
""" |
|
|
|
[[audits.bytecode-alliance.audits.iana-time-zone-haiku]] |
|
who = "Dan Gohman <dev@sunfishcode.online>" |
|
criteria = "safe-to-deploy" |
|
version = "0.1.2" |
|
|
|
[[audits.bytecode-alliance.audits.signal-hook-registry]] |
|
who = "Pat Hickey <phickey@fastly.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.4.1" |
|
|
|
[[audits.google.audits.autocfg]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.1.0" |
|
notes = """ |
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` |
|
and there were no hits except for reasonable, client-controlled usage of |
|
`std::fs` in `AutoCfg::with_dir`. |
|
|
|
This crate has been added to Chromium in |
|
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb |
|
The CL description contains a link to a Google-internal document with audit details. |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.autocfg]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.1.0 -> 1.2.0" |
|
notes = ''' |
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` |
|
and nothing changed from the baseline audit of 1.1.0. Skimmed through the |
|
1.1.0 => 1.2.0 delta and everything seemed okay. |
|
''' |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.bitflags]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "2.4.2" |
|
notes = """ |
|
Audit notes: |
|
|
|
* I've checked for any discussion in Google-internal cl/546819168 (where audit |
|
of version 2.3.3 happened) |
|
* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` |
|
* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be |
|
correct in a straightforward way - they just propagate the marker trait's |
|
impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type |
|
* Additional discussion and/or notes may be found in https://crrev.com/c/5238056 |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.bitflags]] |
|
who = "Adrian Taylor <adetaylor@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "2.4.2 -> 2.5.0" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.cfg-if]] |
|
who = "George Burgess IV <gbiv@google.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.0" |
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.fastrand]] |
|
who = "George Burgess IV <gbiv@google.com>" |
|
criteria = "safe-to-deploy" |
|
version = "1.9.0" |
|
notes = """ |
|
`does-not-implement-crypto` is certified because this crate explicitly says |
|
that the RNG here is not cryptographically secure. |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.quote]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.35" |
|
notes = """ |
|
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits |
|
(except for benign \"net\" hit in tests and \"fs\" hit in README.md) |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.serde]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.197" |
|
notes = """ |
|
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. |
|
|
|
There were some hits for `net`, but they were related to serialization and |
|
not actually opening any connections or anything like that. |
|
|
|
There were 2 hits of `unsafe` when grepping: |
|
* In `fn as_str` in `impl Buf` |
|
* In `fn serialize` in `impl Serialize for net::Ipv4Addr` |
|
|
|
Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this |
|
review also covered `serde_json_lenient`). |
|
|
|
Version 1.0.130 of the crate has been added to Chromium in |
|
https://crrev.com/c/3265545. The CL description contains a link to a |
|
(Google-internal, sorry) document with a mini security review. |
|
""" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.serde_derive]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.197" |
|
notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.google.audits.unicode-ident]] |
|
who = "Lukasz Anforowicz <lukasza@chromium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "1.0.12" |
|
notes = ''' |
|
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. |
|
|
|
All two functions from the public API of this crate use `unsafe` to avoid bound |
|
checks for an array access. Cross-module analysis shows that the offsets can |
|
be statically proven to be within array bounds. More details can be found in |
|
the unsafe review CL at https://crrev.com/c/5350386. |
|
|
|
This crate has been added to Chromium in https://crrev.com/c/3891618. |
|
''' |
|
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" |
|
|
|
[[audits.isrg.audits.crunchy]] |
|
who = "David Cook <dcook@divviup.org>" |
|
criteria = "safe-to-deploy" |
|
version = "0.2.2" |
|
|
|
[[audits.isrg.audits.getrandom]] |
|
who = "Brandon Pitman <bran@bran.land>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.2.10 -> 0.2.11" |
|
|
|
[[audits.isrg.audits.getrandom]] |
|
who = "David Cook <dcook@divviup.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.2.11 -> 0.2.12" |
|
|
|
[[audits.mozilla.wildcard-audits.core-foundation-sys]] |
|
who = "Bobby Holley <bobbyholley@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
user-id = 5946 # Jeff Muizelaar (jrmuizel) |
|
start = "2020-10-14" |
|
end = "2023-05-04" |
|
renew = false |
|
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.wildcard-audits.unicode-width]] |
|
who = "Manish Goregaokar <manishsmail@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
user-id = 1139 # Manish Goregaokar (Manishearth) |
|
start = "2019-12-05" |
|
end = "2024-05-03" |
|
notes = "All code written or reviewed by Manish" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.android_system_properties]] |
|
who = "Nicolas Silva <nical@fastmail.com>" |
|
criteria = "safe-to-deploy" |
|
version = "0.1.2" |
|
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship." |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.android_system_properties]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.1.2 -> 0.1.4" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.android_system_properties]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.1.4 -> 0.1.5" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.cc]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.0.73 -> 1.0.78" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.cc]] |
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.0.78 -> 1.0.83" |
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.fastrand]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "1.9.0 -> 2.0.0" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.log]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
version = "0.4.17" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.log]] |
|
who = "Jan-Erik Rediger <jrediger@mozilla.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.4.17 -> 0.4.18" |
|
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." |
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.toml]] |
|
who = "Bobby Holley <bobbyholley@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.5.7 -> 0.5.9" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.toml]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.5.9 -> 0.5.10" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.mozilla.audits.toml]] |
|
who = "Mike Hommey <mh+mozilla@glandium.org>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.5.10 -> 0.5.11" |
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" |
|
|
|
[[audits.zcash.audits.arrayref]] |
|
who = "Sean Bowe <ewillbefull@gmail.com>" |
|
criteria = "safe-to-deploy" |
|
delta = "0.3.6 -> 0.3.7" |
|
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
|
|
|