# cargo-vet imports lock
#
# Cached copy of data cargo-vet imported from outside the project: crates.io
# publisher records ([[publisher.*]]) and peers' audits ([[audits.<peer>.*]]).
# The header above marks the file as tool-managed, so changes to it are best
# reviewed as part of the dependency update that produced them.
#
# Publisher records state WHO published a given crate version and WHEN. They
# back publisher-based trust, which vouches for an account rather than for
# reviewed code; the publish date must fall inside the start/end window of the
# matching wildcard-audit or trust entry.
# NOTE(review): user-ids 52553, 5946, 4484 and 1139 are matched by
# wildcard-audits further down in this file. The remaining ids (1, 189, 359,
# 2915, 3618, 6741, 6743, 6825) have no wildcard-audit here and are presumably
# covered by [[trusted.*]] entries in the project's own audits.toml - confirm.

[[publisher.aho-corasick]]
version = "1.0.5"
when = "2023-08-29"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.anstream]]
version = "0.5.0"
when = "2023-08-24"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle]]
version = "1.0.2"
when = "2023-08-23"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle-parse]]
version = "0.2.1"
when = "2023-06-20"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle-wincon]]
version = "2.1.0"
when = "2023-08-24"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.bstr]]
version = "1.6.2"
when = "2023-08-30"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.byteorder]]
version = "1.4.3"
when = "2021-03-10"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.bytes]]
version = "1.4.0"
when = "2023-01-31"
user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"

# Published by an account with no user-name recorded (embark-studios); covered
# by the embark wildcard-audit for cfg-expr (2020-01-01 .. 2024-05-23).
[[publisher.cfg-expr]]
version = "0.15.4"
when = "2023-07-28"
user-id = 52553
user-login = "embark-studios"

[[publisher.clap]]
version = "4.4.2"
when = "2023-08-31"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.clap_builder]]
version = "4.4.2"
when = "2023-08-31"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.clap_derive]]
version = "4.4.2"
when = "2023-08-31"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.clap_lex]]
version = "0.5.1"
when = "2023-08-24"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

# The firefox wildcard-audit for this crate ends 2023-05-04 with renew = false.
# This version predates that end date; a later release would fall outside it.
[[publisher.core-foundation]]
version = "0.9.3"
when = "2022-02-07"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

# Same closed window (end 2023-05-04, renew = false); published about a month
# before it closed.
[[publisher.core-foundation-sys]]
version = "0.8.4"
when = "2023-04-03"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.encoding_rs]]
version = "0.8.33"
when = "2023-08-23"
user-id = 4484
user-login = "hsivonen"
user-name = "Henri Sivonen"

[[publisher.filetime]]
version = "0.2.22"
when = "2023-08-05"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.globset]]
version = "0.4.13"
when = "2023-08-05"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.itoa]]
version = "1.0.9"
when = "2023-07-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.jobserver]]
version = "0.1.26"
when = "2023-02-28"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

# embark-studios account; covered by the embark wildcard-audit for krates.
[[publisher.krates]]
version = "0.15.1"
when = "2023-09-03"
user-id = 52553
user-login = "embark-studios"

[[publisher.kstring]]
version = "2.0.0"
when = "2022-03-29"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.linux-raw-sys]]
version = "0.4.5"
when = "2023-07-31"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.memchr]]
version = "2.6.2"
when = "2023-08-30"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.num_cpus]]
version = "1.16.0"
when = "2023-06-29"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.paste]]
version = "1.0.14"
when = "2023-07-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.regex]]
version = "1.9.4"
when = "2023-08-26"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.regex-automata]]
version = "0.3.7"
when = "2023-08-26"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.regex-syntax]]
version = "0.7.5"
when = "2023-08-26"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.rustix]]
version = "0.38.11"
when = "2023-08-31"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.rustversion]]
version = "1.0.14"
when = "2023-07-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.ryu]]
version = "1.0.15"
when = "2023-07-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.same-file]]
version = "1.0.6"
when = "2020-01-11"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.scopeguard]]
version = "1.2.0"
when = "2023-07-17"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.serde]]
version = "1.0.188"
when = "2023-08-26"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_derive]]
version = "1.0.188"
when = "2023-08-26"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_json]]
version = "1.0.105"
when = "2023-08-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_spanned]]
version = "0.6.3"
when = "2023-06-24"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

# embark-studios account; covered by the embark wildcard-audit for spdx.
[[publisher.spdx]]
version = "0.10.2"
when = "2023-07-14"
user-id = 52553
user-login = "embark-studios"

# Two records for syn: both major versions (1.x and 2.x) are listed.
[[publisher.syn]]
version = "1.0.109"
when = "2023-02-24"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.syn]]
version = "2.0.29"
when = "2023-08-17"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.target-lexicon]]
version = "0.12.11"
when = "2023-07-31"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.termcolor]]
version = "1.2.0"
when = "2023-01-15"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.toml]]
version = "0.7.6"
when = "2023-07-05"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.toml_edit]]
version = "0.19.14"
when = "2023-07-14"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.unicode-normalization]]
version = "0.1.22"
when = "2022-09-16"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.unicode-width]]
version = "0.1.10"
when = "2022-09-13"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
# Last publisher records, then the first imported audit sets (embark, firefox).
[[publisher.walkdir]]
version = "2.3.3"
when = "2023-03-16"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.winapi-util]]
version = "0.1.5"
when = "2020-04-20"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.winnow]]
version = "0.5.15"
when = "2023-08-24"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

# Wildcard audits certify every version of a crate that the given crates.io
# user-id published between `start` and `end`. No individual release is named,
# so the guarantee rests on the publishing account and on the window staying
# short.
# NOTE(review): every `who` value in this file ends in a trailing space -
# presumably an angle-bracketed contact address was lost when the page was
# extracted; compare with the peer's audits.toml before relying on it.
[[audits.embark.wildcard-audits.cfg-expr]]
who = "Jake Shadle "
criteria = "safe-to-deploy"
user-id = 52553 # embark-studios
start = "2020-01-01"
end = "2024-05-23"
notes = "Maintained by Embark. No unsafe usage or ambient capabilities"

# The notes record that this crate invokes cargo through cargo_metadata, i.e.
# it spawns an external process - worth knowing when judging "safe-to-deploy".
[[audits.embark.wildcard-audits.krates]]
who = "Jake Shadle "
criteria = "safe-to-deploy"
user-id = 52553 # embark-studios
start = "2020-01-01"
end = "2024-05-23"
notes = """
Maintained by Embark. No unsafe usage but does allow calling of cargo via the cargo_metadata crate
"""

[[audits.embark.wildcard-audits.spdx]]
who = "Jake Shadle "
criteria = "safe-to-deploy"
user-id = 52553 # embark-studios
start = "2020-01-01"
end = "2024-05-23"
notes = "Maintained by Embark. No unsafe usage or ambient capabilities"

# Per-version audits from embark. `version` certifies a whole release; `delta`
# certifies only the changes between two releases and therefore depends on the
# starting version being covered by some other audit or exemption.
[[audits.embark.audits.cargo_metadata]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.15.3 -> 0.15.4"
notes = "No notable changes"

[[audits.embark.audits.cargo_metadata]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.15.4 -> 0.17.0"
notes = "No notable changes"

[[audits.embark.audits.colorchoice]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark.audits.idna]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.4.0"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark.audits.similar]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "2.2.1"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark.audits.tap]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "No unsafe usage or ambient capabilities"

[[audits.embark.audits.tinyvec_macros]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = "Inspected it and is a tiny crate with single safe macro"

[[audits.embark.audits.toml_datetime]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
delta = "0.6.1 -> 0.6.2"
notes = "No notable changes"

[[audits.embark.audits.utf8parse]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Single unsafe usage that looks sound, no ambient capabilities"

# Data-only per the notes, but the data is the set of CA trust anchors, so any
# later delta on this crate changes which roots are trusted.
[[audits.embark.audits.webpki-roots]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.22.4"
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"

[[audits.embark.audits.yaml-rust]]
who = "Johan Andersson "
criteria = "safe-to-deploy"
version = "0.4.5"
notes = "No unsafe usage or ambient capabilities"

# Window closed on 2023-05-04 and `renew = false`: releases published after
# that date are not covered and need their own audit.
[[audits.firefox.wildcard-audits.core-foundation]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2019-03-29"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."

# Same closed window as core-foundation above (end 2023-05-04, renew = false).
[[audits.firefox.wildcard-audits.core-foundation-sys]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2020-10-14"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."

# Certified with two stated caveats (documented-UB integer handling, and the
# buffer-to-SIMD reinterpretation flagged for re-review); see the linked issues.
[[audits.firefox.wildcard-audits.encoding_rs]]
who = "Henri Sivonen "
criteria = "safe-to-deploy"
user-id = 4484 # Henri Sivonen (hsivonen)
start = "2019-02-26"
end = "2024-08-28"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."

[[audits.firefox.wildcard-audits.unicode-normalization]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-11-06"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"

[[audits.firefox.wildcard-audits.unicode-width]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-12-05"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"

[[audits.firefox.audits.autocfg]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."
# Firefox per-version audits. Most entries here are `delta` audits with no
# `notes`, so the `criteria` value is the only record of what was checked.
# A delta chain is only as good as its starting version: e.g. crossbeam-epoch
# is chained 0.9.8 -> 0.9.10 -> 0.9.13 -> 0.9.14 below, and 0.9.8 itself must
# be covered elsewhere (not visible in this part of the file - verify).
[[audits.firefox.audits.block-buffer]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"

[[audits.firefox.audits.crossbeam-epoch]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.9.8 -> 0.9.10"

[[audits.firefox.audits.crossbeam-epoch]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.9.10 -> 0.9.13"

[[audits.firefox.audits.crossbeam-epoch]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.9.13 -> 0.9.14"

[[audits.firefox.audits.crossbeam-queue]]
who = "Matthew Gregan "
criteria = "safe-to-deploy"
version = "0.3.8"

[[audits.firefox.audits.crossbeam-utils]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.8.8 -> 0.8.11"

[[audits.firefox.audits.crossbeam-utils]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.8.11 -> 0.8.14"

# Starts from 0.1.3, which the wasmtime set in this file audits in full.
[[audits.firefox.audits.crypto-common]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"

[[audits.firefox.audits.digest]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.10.6"

[[audits.firefox.audits.fnv]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
# Firefox delta audits, continued. Each `delta` certifies only the diff between
# the two named versions; several crates below (futures-macro, futures-task,
# futures-util, libc) are covered by consecutive deltas that must link up
# without a gap for the final version to count as audited.
[[audits.firefox.audits.fs-err]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "2.8.1 -> 2.9.0"

[[audits.firefox.audits.futures-channel]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"

[[audits.firefox.audits.futures-core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"

[[audits.firefox.audits.futures-io]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"

[[audits.firefox.audits.futures-macro]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.firefox.audits.futures-macro]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.23 -> 0.3.25"

[[audits.firefox.audits.futures-macro]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"

[[audits.firefox.audits.futures-macro]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.28"

[[audits.firefox.audits.futures-sink]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"

[[audits.firefox.audits.futures-task]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.firefox.audits.futures-task]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.23 -> 0.3.25"

[[audits.firefox.audits.futures-task]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"

[[audits.firefox.audits.futures-task]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.28"

[[audits.firefox.audits.futures-util]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.firefox.audits.futures-util]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.23 -> 0.3.25"

[[audits.firefox.audits.futures-util]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"

[[audits.firefox.audits.futures-util]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.28"

[[audits.firefox.audits.generic-array]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.14.5 -> 0.14.6"

[[audits.firefox.audits.getrandom]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.7"

[[audits.firefox.audits.getrandom]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.7 -> 0.2.8"

[[audits.firefox.audits.getrandom]]
who = "Yannis Juglaret "
criteria = "safe-to-deploy"
delta = "0.2.8 -> 0.2.9"

# A single delta spanning 0.1.3 -> 0.5.4; the notes summarise it as bugfixes
# and rest partly on the version already being in use elsewhere.
[[audits.firefox.audits.goblin]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.5.4"
notes = "Several bugfixes since 2019. This version is also in use by Mozilla's crash reporting tooling, e.g. minidump-writer"

[[audits.firefox.audits.goblin]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.6.0"
notes = "Mostly bug fixes and some added functionality"

[[audits.firefox.audits.goblin]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.7.1"

# Justified by existing trust (use inside libstd) rather than by a described
# review of this release.
[[audits.firefox.audits.hashbrown]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"

[[audits.firefox.audits.heck]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.4.1"

[[audits.firefox.audits.indexmap]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.9.1 -> 1.9.2"

[[audits.firefox.audits.libc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.126 -> 0.2.132"

[[audits.firefox.audits.libc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.132 -> 0.2.138"

[[audits.firefox.audits.libc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.138 -> 0.2.139"

# Full audit of 0.5.4 by the crate owner; the follow-up delta to 0.5.6 in this
# file carries the weaker "safe-to-run" criteria.
[[audits.firefox.audits.linked-hash-map]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.5.4"
notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."
# This delta is certified only as "safe-to-run", unlike every other entry in
# this part of the file. "safe-to-deploy" is the stricter built-in criteria, so
# this chain does not establish safe-to-deploy for linked-hash-map 0.5.6.
[[audits.firefox.audits.linked-hash-map]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "0.5.4 -> 0.5.6"

# memoffset is chained across peers: 0.6.5 -> 0.7.1 here, 0.7.1 -> 0.8.0 in the
# wasmtime set, then 0.8.0 -> 0.9.0 here.
[[audits.firefox.audits.memoffset]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
delta = "0.6.5 -> 0.7.1"

[[audits.firefox.audits.memoffset]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.9.0"

[[audits.firefox.audits.nom]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "7.1.1 -> 7.1.3"

[[audits.firefox.audits.num-traits]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."

[[audits.firefox.audits.object]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.28.4 -> 0.30.0"

[[audits.firefox.audits.object]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.30.3"

[[audits.firefox.audits.once_cell]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.16.0 -> 1.17.1"

# Full audit of 1.0.39, the base of the proc-macro2 delta chain that continues
# through the firefox, wasmtime and mozilla sets in this file. The notes record
# two behaviours to keep in mind: the panic-handler swap on rustc 1.56 and
# earlier, and the one exposed `unsafe` API (`from_str_unchecked`).
[[audits.firefox.audits.proc-macro2]]
who = "Nika Layzell "
criteria = "safe-to-deploy"
version = "1.0.39"
notes = """
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided `proc_macro` crate, or as a fallback implementation of the crate, depending on where it is used. If using this crate on older versions of rustc (1.56 and earlier), it will temporarily replace the panic handler while initializing in order to detect if it is running within a `proc_macro`, which could lead to surprising behaviour. This should not be an issue for more recent compiler versions, which support `proc_macro::is_available()`. The `proc-macro2` crate's fallback behaviour is not identical to the complex behaviour of the rustc compiler (e.g. it does not perform unicode normalization for identifiers), however it behaves well enough for its intended use-case (tests and scripts processing rust code).
`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to allow bypassing checks in the fallback implementation when constructing `Literal` using `from_str_unchecked`. This was intended to only be used by the `quote!` macro, however it has been removed (https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078), and is likely completely unused. Even when used, this API shouldn't be able to cause unsoundness.
"""

[[audits.firefox.audits.proc-macro2]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.39 -> 1.0.43"

[[audits.firefox.audits.proc-macro2]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.49"

[[audits.firefox.audits.proc-macro2]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.49 -> 1.0.51"

[[audits.firefox.audits.rayon]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "1.5.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."

[[audits.firefox.audits.rayon]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.5.3 -> 1.6.1"

[[audits.firefox.audits.rayon-core]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "1.9.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."

[[audits.firefox.audits.rayon-core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.9.3 -> 1.10.1"

[[audits.firefox.audits.rayon-core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.10.1 -> 1.10.2"

[[audits.firefox.audits.scroll]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.11.0"
notes = "Small changes to exposed traits, that look reasonable and have additional buffer boundary checks. No unsafe code touched."

[[audits.firefox.audits.scroll_derive]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.10.5 -> 0.11.0"
notes = "No code changes. Tagged together with its parent crate scroll."
# End of the firefox set, then the google and isrg sets.
[[audits.firefox.audits.scroll_derive]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.11.1"

# Starts from 0.10.2, which the isrg set in this file audits in full.
[[audits.firefox.audits.sha2]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.6"

[[audits.firefox.audits.time-core]]
who = "Kershaw Chang "
criteria = "safe-to-deploy"
version = "0.1.0"

[[audits.firefox.audits.typenum]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.15.0 -> 1.16.0"

[[audits.firefox.audits.uluru]]
who = "Emilio Cobos Álvarez "
criteria = "safe-to-deploy"
version = "3.0.0"
notes = """
I've reviewed multiple patches in this crate, including the initial implementation back in the day. It has no unsafe code at all nowadays.
"""

[[audits.firefox.audits.unicode-bidi]]
who = "Makoto Kato "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.13"

# `aggregated-from` names the upstream audits file this entry was collected
# from; the import is one hop removed from where the audit was recorded.
[[audits.google.audits.version_check]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.9.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# base64 deltas continue from 0.21.0, which the wasmtime set audits in full.
[[audits.isrg.audits.base64]]
who = "Tim Geoghegan "
criteria = "safe-to-deploy"
delta = "0.21.0 -> 0.21.1"

[[audits.isrg.audits.base64]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.21.1 -> 0.21.2"

[[audits.isrg.audits.base64]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.21.2 -> 0.21.3"

[[audits.isrg.audits.block-buffer]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.9.0"

[[audits.isrg.audits.digest]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.10.6 -> 0.10.7"

# The notes call out new `unsafe` code in this delta and what it does.
[[audits.isrg.audits.getrandom]]
who = "Tim Geoghegan "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.10"
notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`."
# Rest of the isrg set, the mozilla set (aggregated from other Mozilla
# repositories), and the start of the wasmtime set.
[[audits.isrg.audits.libc]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.2.139 -> 0.2.141"

[[audits.isrg.audits.num-traits]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.2.15 -> 0.2.16"

# Starts from 1.15.0; no audit of 1.15.0 itself appears in this part of the
# file, so the base of the once_cell chain must be covered elsewhere (verify).
[[audits.isrg.audits.once_cell]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "1.15.0 -> 1.16.0"
notes = """
Changes to unsafe code in src/lib.rs, src/impl_std.rs, and src/imp_pl.rs are functionally equivalent, and call unwrap_unchecked() on already-initialized Options. The new implementation based on critical_section appears to be sound.
"""

[[audits.isrg.audits.once_cell]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.17.1 -> 1.17.2"

[[audits.isrg.audits.once_cell]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "1.17.2 -> 1.18.0"

[[audits.isrg.audits.rayon]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"

[[audits.isrg.audits.rayon-core]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "1.10.2 -> 1.11.0"

[[audits.isrg.audits.sha2]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.10.2"

# Full-version audit with no notes recorded.
[[audits.isrg.audits.untrusted]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.7.1"

# The notes describe a race condition in earlier versions that this delta
# fixes; versions before 0.5.8 are the affected ones per the reviewer.
[[audits.mozilla.audits.crossbeam-channel]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.5.7 -> 0.5.8"
notes = "Reviewed the fix, previous versions indeed had were able to trigger a race condition"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell "
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "I have read over the macros, and audited the unsafe code."
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"

[[audits.mozilla.audits.libc]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.2.141 -> 0.2.146"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

# proc-macro2 links in the cross-peer chain: 1.0.57 -> 1.0.59 and
# 1.0.63 -> 1.0.66 here; the 1.0.59 -> 1.0.63 step is in the wasmtime set.
[[audits.mozilla.audits.proc-macro2]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.59"
notes = "Enabled on Wasm"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.proc-macro2]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "1.0.63 -> 1.0.66"
notes = "Removed special support for some really old Rust versions"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

# Starts from 0.17.0; the base version's own audit is not in this part of the
# file (verify it is covered elsewhere).
[[audits.wasmtime.audits.addr2line]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.19.0"
notes = """
This is a minor update for addr2line which looks to mainly update its dependencies and refactor existing code to expose more functionality and such.
"""

# The notes record new filesystem access (split-dwarf), driven by the caller.
[[audits.wasmtime.audits.addr2line]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.19.0 -> 0.20.0"
notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update."

[[audits.wasmtime.audits.addr2line]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.20.0 -> 0.21.0"
notes = "This version bump updated some dependencies and optimized some internals. All looks good."

[[audits.wasmtime.audits.adler]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
# Wasmtime audits, continued. Several notes below state the limits of the
# review explicitly; those limits are part of what is being imported.
[[audits.wasmtime.audits.base64]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."

[[audits.wasmtime.audits.block-buffer]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"

# Base of the cargo_metadata chain that the embark deltas continue; the notes
# cover how inputs to the spawned cargo command are handled.
[[audits.wasmtime.audits.cargo_metadata]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.15.3"
notes = "no build, no unsafe, inputs to cargo command are reasonably sanitized"

# Self-certification by the crate's author.
[[audits.wasmtime.audits.cfg-if]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."

[[audits.wasmtime.audits.codespan-reporting]]
who = "Jamey Sharp "
criteria = "safe-to-deploy"
version = "0.11.1"
notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O."

[[audits.wasmtime.audits.crypto-common]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
version = "0.1.3"

# Starts from 0.9.0; no audit of digest 0.9.0 appears in this part of the file.
[[audits.wasmtime.audits.digest]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.3"

# The reviewer limits the claim to "not obviously incorrect" for the unsafe
# concurrency code and says correctness was not certified.
[[audits.wasmtime.audits.futures-channel]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"

# Same stated limit: unsafe AtomicWaker code reviewed, correctness not certified.
[[audits.wasmtime.audits.futures-core]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
# Wasmtime audits, continued.
[[audits.wasmtime.audits.futures-io]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"

[[audits.wasmtime.audits.futures-sink]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"

# Starts from 0.26.1; the base version's own audit is not in this part of the
# file. The notes mention newly added `unsafe` code.
[[audits.wasmtime.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.26.1 -> 0.27.0"
notes = """
This is a standard update to gimli for more DWARF support for more platforms, more features, etc. Some minor `unsafe` code was added that does not appear incorrect. Otherwise looks like someone probably ran clippy and/or rustfmt.
"""

[[audits.wasmtime.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.27.0 -> 0.27.3"
notes = "More support for more DWARF, nothing major in this update. Some small refactorings and updates to publication of the package but otherwise everything's in order."

[[audits.wasmtime.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.27.3 -> 0.28.0"
notes = """
Still looks like a good DWARF-parsing crate, nothing major was added or deleted and no `unsafe` code to review here.
"""

# The reviewer states the review was not exhaustive for the low-level
# memory-layout code; treat this as a plausibility check, not a soundness proof.
[[audits.wasmtime.audits.hashbrown]]
who = "Chris Fallin "
criteria = "safe-to-deploy"
delta = "0.12.3 -> 0.13.1"
notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."

[[audits.wasmtime.audits.hashbrown]]
who = "Trevor Elliott "
criteria = "safe-to-deploy"
delta = "0.13.1 -> 0.13.2"
notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did."

[[audits.wasmtime.audits.heck]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."
# Wasmtime audits, continued.
# Base of the idna chain; the embark set carries the 0.3.0 -> 0.4.0 delta.
[[audits.wasmtime.audits.idna]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = """
This is a crate without unsafe code or usage of the standard library. The large size of this crate comes from the large generated unicode tables file. This crate is broadly used throughout the ecosystem and does not contain anything suspicious.
"""

[[audits.wasmtime.audits.libc]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.2.146 -> 0.2.147"
notes = "Only new type definitions and updating others for some platforms, no major changes"

# Bridges the two firefox memoffset deltas (0.6.5 -> 0.7.1 and 0.8.0 -> 0.9.0).
[[audits.wasmtime.audits.memoffset]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.7.1 -> 0.8.0"
notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."

# Decompression code handles attacker-controllable input in many uses; the
# notes rest on `forbid(unsafe)` and the crate's longevity rather than on a
# described review of the parsing paths.
[[audits.wasmtime.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
This crate is a Rust implementation of zlib compression/decompression and has been used by default by the Rust standard library for quite some time. It's also a default dependency of the popular `backtrace` crate for decompressing debug information. This crate forbids unsafe code and does not otherwise access system resources. It's originally a port of the `miniz.c` library as well, and given its own longevity should be relatively hardened against some of the more common compression-related issues.
"""

# Starts from 0.8.6; no audit of mio 0.8.6 appears in this part of the file.
[[audits.wasmtime.audits.mio]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.8.6 -> 0.8.8"
notes = "Mostly OS portability updates along with some minor bugfixes."

# Continues the firefox `object` chain, which ends at 0.30.3.
[[audits.wasmtime.audits.object]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.30.3 -> 0.31.1"
notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary."
# End of the wasmtime set and start of the zcash set (aggregated entries).
[[audits.wasmtime.audits.object]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.31.1 -> 0.32.0"
notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good."

[[audits.wasmtime.audits.openssl-probe]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "IO is only checking for the existence of paths in the filesystem"

[[audits.wasmtime.audits.pin-utils]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

# proc-macro2 link 1.0.51 -> 1.0.57 (follows the firefox deltas).
[[audits.wasmtime.audits.proc-macro2]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "1.0.51 -> 1.0.57"

# proc-macro2 link 1.0.59 -> 1.0.63 (sits between the two mozilla deltas).
[[audits.wasmtime.audits.proc-macro2]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.0.59 -> 1.0.63"
notes = """
This is a routine update for new nightly features and new syntax popping up on nightly, nothing out of the ordinary.
"""

# Self-certification by the crate's author.
[[audits.wasmtime.audits.rustc-demangle]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."

# Certificate-validation crate: both the full audit and the delta below carry
# no notes, so what was examined is not recorded in this file.
[[audits.wasmtime.audits.rustls-webpki]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.100.1"

[[audits.wasmtime.audits.rustls-webpki]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.100.1 -> 0.101.4"

[[audits.wasmtime.audits.sct]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.7.0"
notes = "no unsafe, no build, no ambient capabilities"

# A wide delta (1.8.0 -> 1.11.0) touching pointer representation; the notes
# cover the new `NonNull::new_unchecked` uses. Base version 1.8.0 is not
# audited in this part of the file.
[[audits.wasmtime.audits.smallvec]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.11.0"
notes = """
The main change is the switch to use `NonNull` internally instead of `*mut T`. This seems reasonable, as `Vec` also never stores a null pointer, and in particular the new `NonNull::new_unchecked`s look ok. Most of the rest of the changes are adding some new unstable features which aren't enabled by default.
"""

# The reviewer describes this as a skim rather than a line-by-line review.
[[audits.wasmtime.audits.tinyvec]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """
This crate, while it implements collections, does so without `std::*` APIs and without `unsafe`. Skimming the crate everything looks reasonable and what one would expect from idiomatic safe collections in Rust.
"""

[[audits.wasmtime.audits.tracing]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.1.34 -> 0.1.37"
notes = """
A routine set of updates for the tracing crate this includes minor refactorings, addition of benchmarks, some test updates, but overall nothing out of the ordinary.
"""

[[audits.wasmtime.audits.tracing-core]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.1.28 -> 0.1.31"
notes = """
This is a relatively minor set of releases with minor refactorings and bug fixes. Nothing fundamental was added in these changes.
"""

# Claim is limited to "not obviously incorrect" for the atomics-based code.
[[audits.wasmtime.audits.try-lock]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"

# Base of the unicode-bidi chain; the firefox set carries 0.3.8 -> 0.3.13.
[[audits.wasmtime.audits.unicode-bidi]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.3.8"
notes = """
This crate has no unsafe code and does not use `std::*`. Skimming the crate it does not attempt to out of the bounds of what it's already supposed to be doing.
"""

[[audits.wasmtime.audits.want]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.0"

# webpki-roots ships the CA trust-anchor set. These two deltas follow the
# embark full audit of 0.22.4 and carry no notes, so which roots were added or
# removed between versions is not recorded here.
[[audits.wasmtime.audits.webpki-roots]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.22.4 -> 0.23.0"

[[audits.wasmtime.audits.webpki-roots]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.25.2"

# zcash entries are aggregated: `aggregated-from` gives the audits file they
# were originally recorded in.
# Per the notes, this delta adds panics that close an unsoundness with a block
# size of zero, which implies earlier 0.10.x versions lack that guard.
[[audits.zcash.audits.block-buffer]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.10.4"
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Starts from 0.5.6; the mozilla set continues with 0.5.7 -> 0.5.8.
[[audits.zcash.audits.crossbeam-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.6 -> 0.5.7"
notes = "Fixes wrapping overflows for large timeouts."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.crossbeam-deque]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.2 -> 0.8.3"
notes = "No new code."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Continues the firefox crossbeam-epoch chain, which ends at 0.9.14.
[[audits.zcash.audits.crossbeam-epoch]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.14 -> 0.9.15"
notes = "Bumps memoffset to 0.9, and unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Continues the firefox crossbeam-utils chain, which ends at 0.8.14.
[[audits.zcash.audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.14 -> 0.8.15"
notes = """
- Fixes a wrapping overflow for large timeouts. - Marks some BPF and Sony Vita targets as not having atomics.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# This entry runs past the end of the visible text: its notes string is still
# open below and the remaining keys are not shown here.
[[audits.zcash.audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.15 -> 0.8.16"
notes = """
- Fixes cache line alignment for some targets. - Replaces `mem::replace` with `Option::take` inside `unsafe` blocks. - Unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics.
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.generic-array]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.14.6 -> 0.14.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.hashbrown]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" delta = "0.13.2 -> 0.14.0" notes = """ There is some additional use of unsafe code but the changes in this crate looked plausible. There is a new default dependency on the `allocator-api2` crate, which itself has quite a lot of unsafe code. Many previously undocumented safety requirements have been documented. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.http]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.8 -> 0.2.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.25 -> 0.14.26" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.26 -> 0.14.27" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.indexmap]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "1.9.2 -> 1.9.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.5.0 -> 2.7.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.ipnet]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "2.7.1 -> 2.7.2" aggregated-from = 
"https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.7.2 -> 2.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.2 -> 0.8.4" notes = """ Migrates from winapi to windows-sys. The changes to API usage look reasonable based on what I've seen in other uses of the windows-sys crate. Unsafe code falls into two categories: - Usage of `mem::zeroed()`, which doesn't look obviously wrong. The `..unsafe { mem::zeroed() }` in `sys::unix::selector::kqueue` looks weird but AFAICT is saying \"take any unspecified fields from an instance of this struct that has been zero-initialized\", which is fine for integer fields. It would be nice if there was documentation to this effect (explaining why this is done instead of `..Default::default()`). - Calls to Windows API methods. These are either pre-existing (and altered for the differences in the crate abstractions), or newly added in logic that appears to be copied from miow 0.3.6 (I scanned this by eye and didn't see any noteworthy changes other than handling windows-sys API differences). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.4 -> 0.8.5" notes = "The only unsafe changes are in epoll_create1 failure cases. Usage of epoll_create and fcntl looks fine; it is vulnerable to a race condition in multithreaded programs that fork child processes, but epoll_create1 is how you avoid this problem. See the discussion of the O_CLOEXEC flag in the open(2) man page for details." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.5 -> 0.8.6" notes = """ New `unsafe` usages: - `NonZeroU8::new_unchecked`: I verified the constant is non-zero. - Additional `syscall!(close(socket))` calls before returning errors. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.parking_lot]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.2 -> 0.12.1" notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rustc-demangle]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.1.21 -> 0.1.22" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.22 -> 0.1.23" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.sha2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.10.6 -> 0.10.7" notes = """ The new `unsafe` assembly backend only uses aarch64 intrinsics, via their typed Rust APIs (aside from the SHA2-specific intrinsics that are not in Rust yet). I did not perform a cryptographic review, but the code to load from and store into the function arguments looks correct. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.time-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.5.1" notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.1 -> 0.6.1" notes = "Fixes a bug in parsing negative minutes in datetime string offsets." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.2 -> 0.6.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.want]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" notes = """ Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked `unsafe` (but that were being used safely). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.wyz]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.1" notes = "Only change to unsafe code is to extract a drop impl into a method. 
I note however that most of the changes in the published 0.5.1 are not present in the v0.5.1 tag on the GitHub repository." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"