# cargo-vet imports lock
#
# Written by `cargo vet`, not by hand. It records the audits imported from peer
# organisations plus the crates.io publisher facts those audits are matched
# against. A change to this file is a change to whom the build trusts.

# Publisher records: which crates.io account published a given version, and
# when. cargo-vet compares `user-id` and `when` with wildcard audits (and with
# any trusted-publisher entries the project keeps elsewhere) to decide whether
# a version is covered without a per-version audit entry.

[[publisher.arbitrary]]
version = "1.3.2"
when = "2023-10-30"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.bumpalo]]
version = "3.15.4"
when = "2024-03-07"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.core-foundation]]
version = "0.9.3"
when = "2022-02-07"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.core-foundation-sys]]
version = "0.8.4"
when = "2023-04-03"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

# user-id 73222 (`wasmtime-publish`) carries no `user-name`; notes further down
# in this file describe it as the account CI uses to publish.

[[publisher.cranelift-bforest]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-codegen]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-codegen-meta]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-codegen-shared]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-control]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-entity]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-frontend]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-isle]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-native]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.cranelift-wasm]]
version = "0.108.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.encoding_rs]]
version = "0.8.34"
when = "2024-04-10"
user-id = 4484
user-login = "hsivonen"
user-name = "Henri Sivonen"

[[publisher.regalloc2]]
version = "0.9.3"
when = "2023-10-05"
user-id = 3726
user-login = "cfallin"
user-name = "Chris Fallin"

[[publisher.spdx]]
version = "0.10.4"
when = "2024-02-26"
user-id = 52553
user-login = "embark-studios"

[[publisher.unicode-normalization]]
version = "0.1.23"
when = "2024-02-20"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.unicode-width]]
version = "0.1.12"
when = "2024-04-26"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.wasi-common]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

# Two versions of the same crate are recorded when both are in the dependency
# graph; each needs its own coverage.

[[publisher.wasm-encoder]]
version = "0.207.0"
when = "2024-05-07"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasm-encoder]]
version = "0.208.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasm-metadata]]
version = "0.208.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmparser]]
version = "0.207.0"
when = "2024-05-07"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmparser]]
version = "0.208.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmprinter]]
version = "0.207.0"
when = "2024-05-07"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-asm-macros]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-cache]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-component-macro]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-component-util]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-cranelift]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-environ]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-fiber]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-jit-debug]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-jit-icache-coherence]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-slab]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-types]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-wasi]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-wasi-http]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-winch]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmtime-wit-bindgen]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wast]]
version = "208.0.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wat]]
version = "1.208.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wiggle]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wiggle-generate]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wiggle-macro]]
version = "21.0.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.winch-codegen]]
version = "0.19.1"
when = "2024-05-22"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-bindgen]]
version = "0.25.0"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-bindgen-core]]
version = "0.25.0"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-bindgen-rt]]
version = "0.25.0"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-bindgen-rust]]
version = "0.25.0"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-bindgen-rust-macro]]
version = "0.25.0"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-component]]
version = "0.208.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-parser]]
version = "0.207.0"
when = "2024-05-07"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wit-parser]]
version = "0.208.1"
when = "2024-05-20"
user-id = 73222
user-login = "wasmtime-publish"

# Wildcard audits imported from the bytecode-alliance peer. Each one vouches
# for every version of the crate that `user-id` published between `start` and
# `end`, without a per-version audit entry. `who` is the person who recorded
# the entry and `user-id` is the publishing account being trusted; they need
# not be the same identity. The assurance is only as strong as the control
# over that crates.io account during the window, and a release published after
# `end` is not covered until the peer extends it.
# NOTE(review): every `who` value ends in a space, which looks like an e-mail
# address in angle brackets lost in extraction; confirm against the upstream file.

[[audits.bytecode-alliance.wildcard-audits.arbitrary]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
user-id = 696
start = "2020-01-14"
end = "2024-04-21"
notes = "I am an author of this crate."

[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
user-id = 696
start = "2019-03-16"
end = "2024-03-10"

[[audits.bytecode-alliance.wildcard-audits.cranelift-bforest]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-codegen]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-codegen-meta]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
# bytecode-alliance wildcard audits for Cranelift crates and regalloc2.
# A wildcard audit trusts whatever `user-id` publishes for the crate between
# `start` and `end`; it is a statement about the publisher, not about one
# release. All entries here but regalloc2 name user-id 73222, which the
# publisher records in this file map to the `wasmtime-publish` login.

[[audits.bytecode-alliance.wildcard-audits.cranelift-codegen-shared]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-control]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-05-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-entity]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-frontend]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-isle]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-12-13"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-native]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.cranelift-wasm]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

# Trusts an individual maintainer account (user-id 3726) rather than the
# shared publishing account; the window closes earlier than the entries above.
[[audits.bytecode-alliance.wildcard-audits.regalloc2]]
who = "Chris Fallin "
criteria = "safe-to-deploy"
user-id = 3726
start = "2021-12-03"
end = "2024-05-02"
notes = "We (Bytecode Alliance) are the primary authors of regalloc2 and co-develop it with Cranelift/Wasmtime, with the same code-review, testing/fuzzing, and security standards."
# bytecode-alliance wildcard audits, all keyed to user-id 73222. Two attesters
# appear, with different windows: entries recorded by Bobby Holley end on
# 2024-06-26, those recorded by Alex Crichton run to 2025-05-08.
#
# The longer note on the Alex Crichton entries says publication is automated
# from CI through the `wasmtime-publish` account, with review required on the
# repository. That places the CI pipeline, and whatever crates.io credential it
# holds, inside the trust boundary of these audits; neither is visible from
# this file.

[[audits.bytecode-alliance.wildcard-audits.wasi-common]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wasmparser]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wasmprinter]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wasmtime]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-asm-macros]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-08-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-cache]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-component-macro]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-07-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-component-util]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-08-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-cranelift]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-environ]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-fiber]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
# bytecode-alliance wildcard audits for further wasmtime-* crates, all trusting
# publications by user-id 73222 inside the stated window. `start` differs per
# crate; a version published before `start` or after `end` falls outside the
# entry and needs other coverage.

[[audits.bytecode-alliance.wildcard-audits.wasmtime-jit-debug]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-03-07"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-jit-icache-coherence]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-11-21"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

# Recorded by a different attester with a later `end`; the note ties the trust
# to CI-driven publication and mandatory review on the repository.
[[audits.bytecode-alliance.wildcard-audits.wasmtime-slab]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wasmtime-types]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-wasi]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-wasi-http]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-05-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wasmtime-winch]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-11-21"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
# bytecode-alliance wildcard audits: trust in the publisher (user-id 73222),
# bounded by `start`/`end`, rather than in a reviewed release. The `wast`
# crate also has a per-version audit (35.0.2) elsewhere in this file; the
# wildcard entry here is what can cover newer versions published by that account.

[[audits.bytecode-alliance.wildcard-audits.wasmtime-wit-bindgen]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wast]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wat]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wiggle]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wiggle-generate]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.wiggle-macro]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."

[[audits.bytecode-alliance.wildcard-audits.winch-codegen]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 73222
start = "2022-11-21"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
# Last of the bytecode-alliance wildcard audits. All name user-id 73222 and
# carry the same note: releases are published from CI, and pull requests
# require maintainer review. The guarantee is procedural, so it depends on
# that process holding for every release in the window.

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-core]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rt]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust-macro]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wit-component]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

[[audits.bytecode-alliance.wildcard-audits.wit-parser]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222
start = "2023-01-01"
end = "2025-05-08"
notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """

# Per-version audits from the bytecode-alliance peer start here. `version`
# records a review of that exact release under the named criteria; `notes` is
# the reviewer's own summary of what was checked, and is the only evidence of
# scope this file carries.

[[audits.bytecode-alliance.audits.adler]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."

[[audits.bytecode-alliance.audits.ambient-authority]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.0.2"
notes = "Contains no unsafe code, no IO, no build.rs."

[[audits.bytecode-alliance.audits.base64]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
# bytecode-alliance per-version audits. Two forms appear:
#   version = "X"       a review of release X as a whole
#   delta = "A -> B"    a review of only the diff from A to B
# A delta is usable only when something else vouches for A, so deltas have to
# chain back to a full audit or another accepted baseline. Entries without
# `notes` give no indication of what the reviewer looked at.

# Delta only: no full audit of 0.9.0 is visible in this part of the file.
[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"

# Full audit at 0.15.3 and a delta starting at 0.17.0. The steps in between
# (0.15.3 -> 0.15.4 -> 0.17.0) are supplied by the embark-studios peer's
# entries in this file, so the chain spans two organisations.
[[audits.bytecode-alliance.audits.cargo_metadata]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.15.3"
notes = "no build, no unsafe, inputs to cargo command are reasonably sanitized"

[[audits.bytecode-alliance.audits.cargo_metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.18.1"
notes = "No major changes, no unsafe code here."

[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."

[[audits.bytecode-alliance.audits.cfg-if]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."

[[audits.bytecode-alliance.audits.cobs]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.2.3"
notes = "No `unsafe` code in the crate and no usage of `std`"

# The base version 0.8.4 has a publisher record (user-id 5946) in this file;
# which entry vouches for it is not visible in this part. The reviewer states
# that ABI conformance of the bindings was not checked.
[[audits.bytecode-alliance.audits.core-foundation-sys]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.8.4 -> 0.8.6"
notes = """ The changes here are all typical bindings updates: new functions, types, and constants. I have not audited all the bindings for ABI conformance. """

[[audits.bytecode-alliance.audits.crypto-common]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
version = "0.1.3"

[[audits.bytecode-alliance.audits.embedded-io]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "No `unsafe` code and only uses `std` in ways one would expect the crate to do so."

[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
# bytecode-alliance per-version audits (`version` = whole release reviewed,
# `delta` = only the diff between two releases reviewed). Several notes here
# state the limits of the review in the auditor's own words (futures-channel,
# futures-core, hashbrown); "safe-to-deploy" records a reviewer's judgement,
# not a proof of correctness.

# Builds on a full audit of errno 0.3.0 recorded elsewhere in this file.
[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = "Just a dependency version bump and a bug fix for redox"

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """ This update had a few doc updates but no otherwise-substantial source code updates. """

# The note limits the claim to the macro's implementation; each expansion site
# in a consumer is outside this audit.
[[audits.bytecode-alliance.audits.foreign-types]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.2"
notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well."

[[audits.bytecode-alliance.audits.foreign-types-shared]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.1"

[[audits.bytecode-alliance.audits.futures-channel]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"

[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."

[[audits.bytecode-alliance.audits.fxprof-processed-profile]]
who = "Jamey Sharp "
criteria = "safe-to-deploy"
version = "0.6.0"
notes = """ No unsafe code, I/O, or powerful imports. This is a straightforward set of data structures representing the Firefox \"processed\" profile format, with serde serialization support. All logic is trivial: either unit conversion, or hash-consing to support de-duplication required by the format. """

# Two chained deltas (0.12.3 -> 0.13.1 -> 0.13.2). No audit of the base 0.12.3
# is visible in this part of the file, so the chain rests on coverage recorded
# elsewhere.
[[audits.bytecode-alliance.audits.hashbrown]]
who = "Chris Fallin "
criteria = "safe-to-deploy"
delta = "0.12.3 -> 0.13.1"
notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."

[[audits.bytecode-alliance.audits.hashbrown]]
who = "Trevor Elliott "
criteria = "safe-to-deploy"
delta = "0.13.1 -> 0.13.2"
notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did."

# Full audit at 0.4.0 but the delta starts at 0.4.1: these two entries do not
# connect on their own, and the 0.4.0 -> 0.4.1 step is not shown here.
[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."

[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected."

[[audits.bytecode-alliance.audits.http-body]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.0.0-rc.2"

[[audits.bytecode-alliance.audits.http-body]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.0.0-rc.2 -> 1.0.0"
notes = "Only minor changes made for a stable release."

[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.1.2"

[[audits.bytecode-alliance.audits.id-arena]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
version = "2.2.1"
notes = "I am the author of this crate."
# bytecode-alliance per-version audits. `version` covers a whole release;
# `delta = "A -> B"` covers only the change from A to B and therefore relies
# on A being vouched for by some other entry.

[[audits.bytecode-alliance.audits.idna]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = """ This is a crate without unsafe code or usage of the standard library. The large size of this crate comes from the large generated unicode tables file. This crate is broadly used throughout the ecosystem and does not contain anything suspicious. """

# Delta only; the base 0.10.5 has no audit in this part of the file.
[[audits.bytecode-alliance.audits.itertools]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
delta = "0.10.5 -> 0.12.1"
notes = """ Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it says on the tin: lots of iterators. """

# ittapi / ittapi-sys: full audit at 0.3.4 plus a delta to 0.4.0, none with
# notes, so the scope of the review cannot be judged from this file.
[[audits.bytecode-alliance.audits.ittapi]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
version = "0.3.4"

[[audits.bytecode-alliance.audits.ittapi]]
who = "rahulchaphalkar "
criteria = "safe-to-deploy"
delta = "0.3.4 -> 0.4.0"

[[audits.bytecode-alliance.audits.ittapi-sys]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
version = "0.3.4"

[[audits.bytecode-alliance.audits.ittapi-sys]]
who = "rahulchaphalkar "
criteria = "safe-to-deploy"
delta = "0.3.4 -> 0.4.0"

[[audits.bytecode-alliance.audits.leb128]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "I am the author of this crate."

# Delta only, and the reviewer states the FFI declarations were not compared
# with the C headers.
[[audits.bytecode-alliance.audits.mach2]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = "It does unsafe FFI bindings, as expected. I didn't check the FFI bindings against the C headers."

[[audits.bytecode-alliance.audits.matchers]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

# memfd forms a complete chain inside this peer: 0.6.2 -> 0.6.3 -> 0.6.4.
# The 0.6.2 entry is recorded as a full `version` audit although its note
# describes only the changes since 0.6.1.
[[audits.bytecode-alliance.audits.memfd]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.6.2"
notes = """ The only changes from 0.6.1 were from my own PR which updated memfd to newer dependencies. """

[[audits.bytecode-alliance.audits.memfd]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.6.2 -> 0.6.3"
notes = "Just a dependency version bump and documentation update"

[[audits.bytecode-alliance.audits.memfd]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.6.3 -> 0.6.4"
notes = "This commit only updated the dependency `rustix`, so same as before."

[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """ This crate is a Rust implementation of zlib compression/decompression and has been used by default by the Rust standard library for quite some time. It's also a default dependency of the popular `backtrace` crate for decompressing debug information. This crate forbids unsafe code and does not otherwise access system resources. It's originally a port of the `miniz.c` library as well, and given its own longevity should be relatively hardened against some of the more common compression-related issues. """

# The audit covers this wrapper crate; the platform TLS stacks it delegates to
# (named in the note) are separate components.
[[audits.bytecode-alliance.audits.native-tls]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.11"
notes = "build is only looking for environment variables to set cfg. only two minor uses of unsafe,on macos, with ffi bindings to digest primitives and libc atexit. otherwise, this is an abstraction over three very complex systems (schannel, security-framework, and openssl) which may end up having subtle differences, but none of those are apparent from the implementation of this crate"

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.46.0"
notes = "one use of unsafe to call windows specific api to get console handle."
# bytecode-alliance per-version audits. The notes name the capabilities that
# matter for a build-time or runtime dependency: filesystem access
# (openssl-probe), spawning an external program (pkg-config), and `unsafe`
# blocks (percent-encoding, postcard). Entries without `notes` record only
# that someone signed off.

[[audits.bytecode-alliance.audits.openssl-macros]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

[[audits.bytecode-alliance.audits.openssl-probe]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "IO is only checking for the existence of paths in the filesystem"

[[audits.bytecode-alliance.audits.overload]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "small crate, only defines macro-rules!, nicely documented as well"

[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """ This crate is a single-file crate that does what it says on the tin. There are a few `unsafe` blocks related to utf-8 validation which are locally verifiable as correct and otherwise this crate is good to go. """

[[audits.bytecode-alliance.audits.pin-utils]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

# Full audit at 0.3.25 but the delta starts at 0.3.26: the two entries do not
# connect on their own, and the 0.3.25 -> 0.3.26 step is not shown here.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.25"
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."

[[audits.bytecode-alliance.audits.pkg-config]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.29"
notes = """ No `unsafe` additions or anything outside of the purview of the crate in this change. """

[[audits.bytecode-alliance.audits.postcard]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.8"
notes = """ I've audited the unsafe code to do what it looks like it's doing. Otherwise the crate is a standard serializer/deserializer crate. """

[[audits.bytecode-alliance.audits.rustc-demangle]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."
# bytecode-alliance full-version audits. Most notes here turn on how the crate
# uses `unsafe`; they describe what the reviewer read and concluded for the
# exact version listed, and say nothing about later releases.

[[audits.bytecode-alliance.audits.sharded-slab]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.4"
notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe."

[[audits.bytecode-alliance.audits.sptr]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.3.2"
notes = """ This crate is 90% documentation and does contain a good deal of `unsafe` code, but it's all doing what it says on the tin: being a stable polyfill for strict provenance APIs in the standard library while they're on Nightly. """

[[audits.bytecode-alliance.audits.thread_local]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "uses unsafe to implement thread local storage of objects"

[[audits.bytecode-alliance.audits.tinyvec]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """ This crate, while it implements collections, does so without `std::*` APIs and without `unsafe`. Skimming the crate everything looks reasonable and what one would expect from idiomatic safe collections in Rust. """

[[audits.bytecode-alliance.audits.tinyvec_macros]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """ This is a trivial crate which only contains a singular macro definition which is intended to multiplex across the internal representation of a tinyvec, presumably. This trivially doesn't contain anything bad. """

[[audits.bytecode-alliance.audits.tokio-native-tls]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.1"
notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly."
# Remaining `bytecode-alliance` audits. Entries without `notes` record only
# the verdict; the reasoning behind it is not captured in this file.
[[audits.bytecode-alliance.audits.tracing-subscriber]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.17"

# "Not obviously incorrect" is a weak statement for a lock-free primitive;
# read it as absence of a found bug, not as a proof of correctness.
[[audits.bytecode-alliance.audits.try-lock]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"

[[audits.bytecode-alliance.audits.unicode-bidi]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.3.8"
notes = """
This crate has no unsafe code and does not use `std::*`. Skimming the crate it
does not attempt to out of the bounds of what it's already supposed to be
doing.
"""

[[audits.bytecode-alliance.audits.unicode-ident]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.0.8"

# Per the note the crate reads the filesystem and copies DLLs into OUT_DIR.
# The audit speaks to the crate's code, not to the DLLs it copies.
[[audits.bytecode-alliance.audits.vcpkg]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."

[[audits.bytecode-alliance.audits.want]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.0"

# Self-certification by the organisation that owns the crate.
[[audits.bytecode-alliance.audits.wast]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "35.0.2"
notes = "The Bytecode Alliance is the author of this crate."

# Both webpki-roots deltas are recorded without notes. The 0.22.4 base they
# build on is the full audit under the `embark-studios` import below.
[[audits.bytecode-alliance.audits.webpki-roots]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.22.4 -> 0.23.0"

[[audits.bytecode-alliance.audits.webpki-roots]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.25.2"

# Wildcard audit: vouches for every release published by crates.io user
# `user-id` between `start` and `end`, with no per-version review. Releases
# published after `end` are not covered until the peer extends the window.
[[audits.embark-studios.wildcard-audits.spdx]]
who = "Jake Shadle "
criteria = "safe-to-deploy"
user-id = 52553
start = "2020-01-01"
end = "2024-05-23"
notes = "Maintained by Embark. No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.cargo_metadata]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.15.3 -> 0.15.4"
notes = "No notable changes"

[[audits.embark-studios.audits.cargo_metadata]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.15.4 -> 0.17.0"
notes = "No notable changes"

# `violation` is a negative record: versions matching the range are declared
# to fail `safe-to-deploy`. The stated reason is licensing of embedded fonts,
# not a code flaw.
[[audits.embark-studios.audits.epaint]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
violation = "<0.20.0"
notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321"

[[audits.embark-studios.audits.idna]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.4.0"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark-studios.audits.thiserror]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"

[[audits.embark-studios.audits.thiserror-impl]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Found no unsafe or ambient capabilities used"

[[audits.embark-studios.audits.valuable]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = "No unsafe usage or ambient capabilities, sane build script"

# Base audit for the webpki-roots delta chain above. The auditor confirmed
# the crate is data definitions only; the data itself is not discussed.
[[audits.embark-studios.audits.webpki-roots]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.22.4"
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"

# Empty table: the `fermyon` peer is listed, but this lock records no audit
# from it.
[audits.fermyon.audits]

# Google audits. `aggregated-from` names the upstream audits file an entry
# came from. Those URLs point at moving branches, so this lock is what pins
# the audit set actually relied on.
# `safe-to-run` is the weaker built-in criterion and does not satisfy a
# `safe-to-deploy` requirement.
[[audits.google.audits.async-stream]]
who = "George Burgess IV "
criteria = "safe-to-run"
version = "0.3.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.async-stream]]
who = "George Burgess IV "
criteria = "safe-to-run"
delta = "0.3.4 -> 0.3.5"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.async-stream-impl]]
who = "George Burgess IV "
criteria = "safe-to-run"
version = "0.3.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.async-stream-impl]]
who = "George Burgess IV "
criteria = "safe-to-run"
delta = "0.3.4 -> 0.3.5"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.equivalent]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

# The note refers to a `does-not-implement-crypto` criterion, but this record
# asserts only `safe-to-deploy`; presumably the extra criterion was not
# carried over on import. The note itself states the RNG is not
# cryptographically secure.
[[audits.google.audits.fastrand]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says
that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.glob]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.3.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.httpdate]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.openssl-macros]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

# The Fuchsia-sourced entries below point at an external review (fxrev.dev);
# this file stores only the link, not the findings.
[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "Reviewed on https://fxrev.dev/824504"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
notes = "Audited at https://fxrev.dev/946396"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro-error-attr]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.tokio-stream]]
who = "David Koloski "
criteria = "safe-to-deploy"
version = "0.1.11"
notes = "Reviewed on https://fxrev.dev/804724"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.tokio-stream]]
who = "David Koloski "
criteria = "safe-to-deploy"
delta = "0.1.11 -> 0.1.14"
notes = "Reviewed on https://fxrev.dev/907732."
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.unicode-xid]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.2.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.utf8parse]]
who = "David Koloski "
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Reviewed on https://fxrev.dev/904811"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.version_check]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.9.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"

# ISRG audits: none carries `notes` or `aggregated-from`, so only the verdict
# and the auditor's name are recorded. Several are links in delta chains whose
# base audit comes from another peer (e.g. num-traits 0.2.15 and rayon 1.5.3
# under `mozilla`).
[[audits.isrg.audits.base64]]
who = "Tim Geoghegan "
criteria = "safe-to-deploy"
delta = "0.21.0 -> 0.21.1"

[[audits.isrg.audits.base64]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.21.1 -> 0.21.2"

[[audits.isrg.audits.base64]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.21.2 -> 0.21.3"

[[audits.isrg.audits.block-buffer]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.9.0"

[[audits.isrg.audits.either]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "1.6.1"

[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.15 -> 0.2.16"

[[audits.isrg.audits.num-traits]]
who = "Ameer Ghani "
criteria = "safe-to-deploy"
delta = "0.2.16 -> 0.2.17"

[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.17 -> 0.2.18"

[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.18 -> 0.2.19"

[[audits.isrg.audits.rand_chacha]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.3.1"

[[audits.isrg.audits.rand_core]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.6.3"

[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"

[[audits.isrg.audits.rayon]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"

[[audits.isrg.audits.rayon]]
who = "Ameer Ghani "
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"

[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.9.0"

[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 1.10.0"

[[audits.isrg.audits.rayon-core]]
who = "Ameer Ghani "
criteria = "safe-to-deploy"
version = "1.12.1"

[[audits.isrg.audits.thiserror]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.0.40 -> 1.0.43"

[[audits.isrg.audits.thiserror-impl]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.0.40 -> 1.0.43"

[[audits.isrg.audits.wasm-bindgen-shared]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.2.83"

# Mozilla wildcard audits: trust is placed in a publisher account (`user-id`)
# for a date window rather than in a reviewed version. A release published
# after `end` is not covered by the entry.
[[audits.mozilla.wildcard-audits.core-foundation]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946
start = "2019-03-29"
end = "2023-05-04"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.core-foundation-sys]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946
start = "2020-10-14"
end = "2023-05-04"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Certified with two caveats stated by the author: patterns documented as UB,
# and code that reinterprets integer buffers as SIMD vectors. Both are linked
# as open upstream issues; treat them as outstanding review items.
[[audits.mozilla.wildcard-audits.encoding_rs]]
who = "Henri Sivonen "
criteria = "safe-to-deploy"
user-id = 4484
start = "2019-02-26"
end = "2024-08-28"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.unicode-normalization]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139
start = "2019-11-06"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.unicode-width]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139
start = "2019-12-05"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Mozilla per-version audits. Entries are aggregated from more than one
# Mozilla repository; check `aggregated-from` to see which one vouched.
[[audits.mozilla.audits.android_system_properties]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.block-buffer]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.cc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.73 -> 1.0.78"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.cc]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.core-foundation]]
who = "Teodor Tanasoaia "
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.9.4"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.debugid]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
version = "0.8.0"
notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Part of the `unsafe` surface is, per the note, documented and left for the
# caller to verify, so callers share responsibility for soundness.
[[audits.mozilla.audits.deranged]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.3.11"
notes = """
This crate contains a decent bit of `unsafe` code, however all internal
unsafety is verified with copious assertions (many are compile-time), and
otherwise the unsafety is documented and left to the caller to verify.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.either]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.either]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.either]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.errno]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Major-version delta (1.9.0 -> 2.0.0) recorded without notes.
[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.fnv]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.form_urlencoded]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
version = "1.2.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.form_urlencoded]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.2.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.futures-channel]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.futures-core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.fxhash]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Trust-by-association rather than a code review: the note's argument is that
# this version is already trusted because libstd uses it.
[[audits.mozilla.audits.hashbrown]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.heck]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.4.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.hex]]
who = "Simon Friedberger "
criteria = "safe-to-deploy"
version = "0.4.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.idna]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.5.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell "
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "I have read over the macros, and audited the unsafe code."
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"

[[audits.mozilla.audits.log]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
version = "0.4.17"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Scoped to the auditor's own usage: "which we don't rely on" / "which we
# don't use" describes their call sites, which may differ from this project's.
[[audits.mozilla.audits.log]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.4.17 -> 0.4.18"
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.log]]
who = "Kagami Sascha Rosylight "
criteria = "safe-to-deploy"
delta = "0.4.18 -> 0.4.20"
notes = "Only cfg attribute and internal macro changes and module refactorings"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.mach2]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
version = "0.4.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.num-conv]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """
Very straightforward, simple crate. No dependencies, unsafe, extern,
side-effectful std functions, etc.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Author self-certification; this is the base of the num-traits delta chain
# listed under `isrg`.
[[audits.mozilla.audits.num-traits]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.percent-encoding]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.2.0 -> 2.3.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.percent-encoding]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.3.0 -> 2.3.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.pkg-config]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.powerfmt]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.2.0"
notes = """
A tiny bit of unsafe code to implement functionality that isn't in stable rust
yet, but it's all valid. Otherwise it's a pretty simple crate.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.rand_core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.6.3 -> 0.6.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Author self-certification; this is the base of the rayon delta chain that
# continues under `isrg`.
[[audits.mozilla.audits.rayon]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "1.5.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.rayon]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.5.3 -> 1.6.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.rustc-hash]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Constant-time helper crate. The auditor records that the approach is known
# to be insufficient, so this audit is no guarantee against timing side
# channels in code built on it.
[[audits.mozilla.audits.subtle]]
who = "Simon Friedberger "
criteria = "safe-to-deploy"
version = "2.5.0"
notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.time-core]]
who = "Kershaw Chang "
criteria = "safe-to-deploy"
version = "0.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.time-core]]
who = "Kershaw Chang "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.time-core]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.1.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.time-macros]]
who = "Kershaw Chang "
criteria = "safe-to-deploy"
version = "0.2.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.time-macros]]
who = "Kershaw Chang "
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.10"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.time-macros]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
delta = "0.2.10 -> 0.2.18"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.unicode-bidi]]
who = "Makoto Kato "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.13"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
# Tail of the Mozilla audits, followed by the Zcash audits. A `delta` entry
# vouches only for the changes between two versions; it is meaningful only as
# a link in a chain back to a fully audited (or otherwise trusted) version.

# The auditor is also the author of most of the reviewed changes.
[[audits.mozilla.audits.unicode-bidi]]
who = "Jonathan Kew "
criteria = "safe-to-deploy"
delta = "0.3.13 -> 0.3.14"
notes = "I am the author of the bulk of the upstream changes in this version, and also checked the remaining post-0.3.13 changes."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.unicode-bidi]]
who = "Jonathan Kew "
criteria = "safe-to-deploy"
delta = "0.3.14 -> 0.3.15"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.unicode-ident]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "1.0.8 -> 1.0.9"
notes = "Dependency updates only"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.url]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
version = "2.4.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.url]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.4.0 -> 2.4.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.url]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.4.1 -> 2.5.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Partial review of a crate with a large `unsafe` surface: the auditor
# verified "portions", and cites Miri and formal verification only as things
# the project claims to do.
[[audits.mozilla.audits.zerocopy]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.7.32"
notes = """
This crate is `no_std` so doesn't use any side-effectful std functions. It
contains quite a lot of `unsafe` code, however. I verified portions of this. It
also has a large, thorough test suite. The project claims to run tests with
Miri to have stronger soundness checks, and also claims to use formal
verification tools to prove correctness.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.zerocopy-derive]]
who = "Alex Franchuk "
criteria = "safe-to-deploy"
version = "0.7.32"
notes = "Clean, safe macros for zerocopy."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Zcash audits, aggregated from two repositories (zcash and librustzcash).
[[audits.zcash.audits.base64]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.21.3 -> 0.21.4"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.base64]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.21.4 -> 0.21.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.base64]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.21.5 -> 0.21.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Soundness fix: per the note, versions before 0.10.4 could be unsound with a
# block size of zero.
[[audits.zcash.audits.block-buffer]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.10.4"
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.bumpalo]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "3.15.4 -> 3.16.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Certified with explicit limits. The auditor flags a panic-safety concern
# that can leave uninitialized data in a buffer, says the review is likely
# not sufficient to detect subtle backdoors in a crate that executes
# commands, and did not review the Windows `com` package.
# NOTE(review): "opened an issue ." has lost its link in this rendering.
[[audits.zcash.audits.cc]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.94"
notes = """
The optimization to use `buffer.set_len(buffer.capacity())` in
`command_helpers::StderrForwarder::forward_available` doesn't look panic-safe:
if `stderr.read` panics and that panic is caught by a caller of
`forward_available`, then the inner buffer of `StderrForwarder` will contain
uninitialized data. This looks difficult to trigger in practice, but I have
opened an issue .

`parallel::async_executor` contains `unsafe` pinning code but it looks
reasonable. Similarly for the `unsafe` initialization code in
`parallel::job_token::JobTokenServer` and file operations in
`parallel::stderr`.

This crate executes commands, and my review is likely not sufficient to detect
subtle backdoors. I did not review the use of library handles in the `com`
package on Windows.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.cc]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.0.94 -> 1.0.97"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.either]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.9.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.either]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 1.11.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.3 -> 0.3.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.errno]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): this delta starts at 2.0.1, while the `mozilla` fastrand delta
# in this file ends at 2.0.0. No 2.0.0 -> 2.0.1 link is visible in this part
# of the file; confirm how the chain is closed.
[[audits.zcash.audits.fastrand]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "2.0.1 -> 2.0.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Behaviour change: the same seed yields different output from 2.1.0 on. The
# auditor matched the new constants to WyRand but could not assess whether
# they are an improvement.
[[audits.zcash.audits.fastrand]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
notes = """
As noted in the changelog, this version produces different output for a given
seed. The documentation did not mention stability. It is possible that some
uses relying on determinism across the update would be broken.

The new constants do appear to match WyRand v4.2 (modulo ordering issues that
I have not checked):
https://github.com/wangyi-fudan/wyhash/blob/408620b6d12b7d667b3dd6ae39b7929a39e8fa05/wyhash.h#L145
I have no way to check whether these constants are an improvement or not.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.futures-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Removing `build.rs` means no build script from this crate runs on the build
# host from this version on.
[[audits.zcash.audits.futures-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.futures-core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.futures-core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.log]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.4.20 -> 0.4.21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.miniz_oxide]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.7.1 -> 0.7.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.pin-project-lite]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.pkg-config]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.rustc-demangle]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "0.1.21 -> 0.1.22"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.rustc-demangle]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.22 -> 0.1.23"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.rustc-demangle]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.1.23 -> 0.1.24"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.sharded-slab]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.7"
notes = "Only change to an `unsafe` block is to fix a clippy lint."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# This delta adds new `unsafe` code; the note lists where, without a stated
# soundness conclusion.
# NOTE(review): generic arguments in the thread_local notes (`Option`,
# `ptr::null_mut::>()`, `AtomicPtr>`) appear to have been lost in this
# rendering; read the upstream audit for the exact types.
[[audits.zcash.audits.thread_local]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.1.4 -> 1.1.7"
notes = """
New `unsafe` usage:
- An extra `deallocate_bucket`, to replace a `Mutex::lock` with a
  `compare_exchange`.
- Setting and getting a `#[thread_local] static mut Option` on nightly.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The new `unsafe` code rests on a representation assumption the auditor
# calls "likely" correct, not one that was verified.
[[audits.zcash.audits.thread_local]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.1.7 -> 1.1.8"
notes = """
Adds `unsafe` code that makes an assumption that `ptr::null_mut::>()` is a
valid representation of an `AtomicPtr>`, but this is likely a correct
assumption.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.tinyvec_macros]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
notes = "Adds `#![forbid(unsafe_code)]` and license files."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.tokio-stream]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.1.14 -> 0.1.15"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.tracing-subscriber]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.17 -> 0.3.18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.try-lock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.5"
notes = "Bumps MSRV to remove unsafe code block."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.unicode-ident]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.9 -> 1.0.12"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Per the note, earlier versions used APIs that were unsafe in effect but not
# marked `unsafe`; this delta replaces them.
[[audits.zcash.audits.want]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = """
Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked
`unsafe` (but that were being used safely).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wasm-bindgen-macro-support]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
version = "0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.wasm-bindgen-shared]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.83 -> 0.2.84"
notes = "Bumps the schema version to add `linked_modules`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.84 -> 0.2.87" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.87 -> 0.2.89" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wasm-bindgen-shared]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.89 -> 0.2.92" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.webpki-roots]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.25.2 -> 0.25.4" notes = "I have not checked consistency with the Mozilla IncludedCACertificateReportPEMCSV report." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.zerocopy]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.7.32 -> 0.7.34" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.zerocopy-derive]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.7.32 -> 0.7.34" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"