# cargo-vet imports lock [[publisher.bumpalo]] version = "3.10.0" when = "2022-06-01" user-id = 696 user-login = "fitzgen" user-name = "Nick Fitzgerald" [[publisher.hashbrown]] version = "0.11.2" when = "2021-03-25" user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.hashbrown]] version = "0.14.5" when = "2024-04-28" user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.indexmap]] version = "1.8.2" when = "2022-05-28" user-id = 539 user-login = "cuviper" user-name = "Josh Stone" [[publisher.indexmap]] version = "2.4.0" when = "2024-08-13" user-id = 539 user-login = "cuviper" user-name = "Josh Stone" [[publisher.serde]] version = "1.0.193" when = "2023-11-21" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_derive]] version = "1.0.193" when = "2023-11-21" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_spanned]] version = "0.6.7" when = "2024-07-25" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.syn]] version = "1.0.96" when = "2022-06-02" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.syn]] version = "2.0.43" when = "2023-12-25" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.toml_datetime]] version = "0.6.8" when = "2024-07-30" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.toml_edit]] version = "0.14.4" when = "2022-05-09" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.toml_edit]] version = "0.22.20" when = "2024-07-31" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.unicode-width]] version = "0.1.9" when = "2021-09-16" user-id = 1139 user-login = "Manishearth" user-name = "Manish Goregaokar" [[publisher.winnow]] version = "0.6.18" when = "2024-07-31" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[audits.bytecodealliance.wildcard-audits.bumpalo]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" user-id = 696 # Nick Fitzgerald (fitzgen) start = "2019-03-16" end = "2025-07-30" [[audits.bytecodealliance.audits.adler]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.0.2" notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." [[audits.bytecodealliance.audits.atty]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.2.14" notes = """ Contains only unsafe code for what this crate's purpose is and only accesses the environment's terminal information when asked. Does its stated purpose and no more. """ [[audits.bytecodealliance.audits.backtrace]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.3.66" notes = "I am the author of this crate." [[audits.bytecodealliance.audits.cargo-platform]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.2" notes = "no build, no ambient capabilities, no unsafe" [[audits.bytecodealliance.audits.cc]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.0.73" notes = "I am the author of this crate." [[audits.bytecodealliance.audits.cfg-if]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.0.0" notes = "I am the author of this crate." [[audits.bytecodealliance.audits.errno]] who = "Dan Gohman " criteria = "safe-to-deploy" version = "0.3.0" notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value." [[audits.bytecodealliance.audits.errno]] who = "Dan Gohman " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" notes = "Just a dependency version bump and a bug fix for redox" [[audits.bytecodealliance.audits.errno-dragonfly]] who = "Jamey Sharp " criteria = "safe-to-deploy" version = "0.1.2" notes = "This should be portable to any POSIX system and seems like it should be part of the libc crate, but at any rate it's safe as is." [[audits.bytecodealliance.audits.heck]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.4.0" notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation." [[audits.bytecodealliance.audits.httpdate]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "1.0.2" notes = "No unsafety, no io" [[audits.bytecodealliance.audits.idna]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.3.0" notes = """ This is a crate without unsafe code or usage of the standard library. The large size of this crate comes from the large generated unicode tables file. This crate is broadly used throughout the ecosystem and does not contain anything suspicious. """ [[audits.bytecodealliance.audits.is-terminal]] who = "Dan Gohman " criteria = "safe-to-deploy" version = "0.4.7" notes = """ The is-terminal implementation code is now sync'd up with the prototype implementation in the Rust standard library. """ [[audits.bytecodealliance.audits.pin-utils]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" [[audits.bytecodealliance.audits.pkg-config]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.3.25" notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." [[audits.bytecodealliance.audits.quote]] who = "Pat Hickey " criteria = "safe-to-deploy" delta = "1.0.23 -> 1.0.27" [[audits.bytecodealliance.audits.rustc-demangle]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.1.21" notes = "I am the author of this crate." [[audits.bytecodealliance.audits.sct]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.7.0" notes = "no unsafe, no build, no ambient capabilities" [[audits.bytecodealliance.audits.sharded-slab]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.4" notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe." [[audits.bytecodealliance.audits.slab]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.4.6" notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods." [[audits.bytecodealliance.audits.static_assertions]] who = "Andrew Brown " criteria = "safe-to-deploy" version = "1.1.0" notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure." [[audits.bytecodealliance.audits.thread_local]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "1.1.4" notes = "uses unsafe to implement thread local storage of objects" [[audits.bytecodealliance.audits.tinyvec]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.6.0" notes = """ This crate, while it implements collections, does so without `std::*` APIs and without `unsafe`. Skimming the crate everything looks reasonable and what one would expect from idiomatic safe collections in Rust. """ [[audits.bytecodealliance.audits.tracing-attributes]] who = "Alex Crichton " criteria = "safe-to-deploy" delta = "0.1.21 -> 0.1.26" notes = "This range notably updated `syn` to 2.x.x and otherwise adds a few features here and there but nothing out of the ordering for a procedural macro." [[audits.bytecodealliance.audits.tracing-log]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.1.3" notes = """ This is a standard adapter between the `log` ecosystem and the `tracing` ecosystem. There's one `unsafe` block in this crate and it's well-scoped. """ [[audits.bytecodealliance.audits.unicode-bidi]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.3.8" notes = """ This crate has no unsafe code and does not use `std::*`. Skimming the crate it does not attempt to out of the bounds of what it's already supposed to be doing. """ [[audits.bytecodealliance.audits.unicode-normalization]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.1.19" notes = """ This crate contains one usage of `unsafe` which I have manually checked to see it as correct. This crate's size comes in large part due to the generated unicode tables that it contains. This crate is additionally widely used throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs and nothing suspicious. """ [[audits.bytecodealliance.audits.vcpkg]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.2.15" notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." [[audits.bytecodealliance.audits.want]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.3.0" [[audits.bytecodealliance.audits.wasm-bindgen-shared]] who = "Pat Hickey " criteria = "safe-to-deploy" delta = "0.2.83 -> 0.2.80" [[audits.embark.audits.thiserror]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.40" notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used" [[audits.embark.audits.thiserror-impl]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.40" notes = "Found no unsafe or ambient capabilities used" [[audits.embark.audits.tinyvec_macros]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.0" notes = "Inspected it and is a tiny crate with single safe macro" [[audits.embark.audits.valuable]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.0" notes = "No unsafe usage or ambient capabilities, sane build script" [[audits.embark.audits.yaml-rust]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.4.5" notes = "No unsafe usage or ambient capabilities" [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.3.2" notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review The crate exposes a function marked as `unsafe`, but doesn't use any `unsafe` blocks (except for tests of the single `unsafe` function). I think this justifies marking this crate as `ub-risk-1`. Additional review comments can be found at https://crrev.com/c/4723145/31 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.equivalent]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.number_prefix]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.pin-project-lite]] who = "David Koloski " criteria = "safe-to-deploy" version = "0.2.9" notes = "Reviewed on https://fxrev.dev/824504" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro-error-attr]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.78" notes = """ Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for a benign \"fs\" hit in a doc comment) Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "1.0.78 -> 1.0.79" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "1.0.79 -> 1.0.80" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Dustin J. Mitchell " criteria = "safe-to-deploy" delta = "1.0.80 -> 1.0.81" notes = "Comment changes only" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "danakj " criteria = "safe-to-deploy" delta = "1.0.81 -> 1.0.82" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Dustin J. Mitchell " criteria = "safe-to-deploy" delta = "1.0.82 -> 1.0.83" notes = "Substantive change is replacing String with Box, saving memory." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.0.83 -> 1.0.84" notes = "Only doc comment changes in `src/lib.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "danakj@chromium.org" criteria = "safe-to-deploy" delta = "1.0.84 -> 1.0.85" notes = "Test-only changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.0.85 -> 1.0.86" notes = """ Comment-only changes in `build.rs`. Reordering of `Cargo.toml` entries. Just bumping up the version number in `lib.rs`. Config-related changes in `test_size.rs`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.strsim]] who = "danakj@chromium.org" criteria = "safe-to-deploy" version = "0.10.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.9.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.isrg.audits.untrusted]] who = "David Cook " criteria = "safe-to-deploy" version = "0.7.1" [[audits.isrg.audits.wasm-bindgen-shared]] who = "David Cook " criteria = "safe-to-deploy" version = "0.2.83" [[audits.mozilla.wildcard-audits.unicode-width]] who = "Manish Goregaokar " criteria = "safe-to-deploy" user-id = 1139 # Manish Goregaokar (Manishearth) start = "2019-12-05" end = "2024-05-03" notes = "All code written or reviewed by Manish" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.autocfg]] who = "Josh Stone " criteria = "safe-to-deploy" version = "1.1.0" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.cargo_metadata]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" version = "0.15.2" notes = "I reviewed the whole code base. Parser for the output of cargo-metadata, relying mostly on serde. No unsafe code used." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.encoding_rs]] who = "Henri Sivonen " criteria = "safe-to-deploy" version = "0.8.31" notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.idna]] who = "Bobby Holley " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.2.3" notes = "Backwards diff with some algorithm changes, no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.linked-hash-map]] who = "Aria Beingessner " criteria = "safe-to-deploy" version = "0.5.4" notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.log]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.4.17" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.matches]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "0.1.9" notes = "This is a trivial crate." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-bigint]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.4.3" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-integer]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.1.45" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-traits]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.2.15" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "1.0.18" notes = """ `quote` is a utility crate used by proc-macros to generate TokenStreams conveniently from source code. The bulk of the logic is some complex interlocking `macro_rules!` macros which are used to parse and build the `TokenStream` within the proc-macro. This crate contains no unsafe code, and the internal logic, while difficult to read, is generally straightforward. I have audited the the quote macros, ident formatter, and runtime logic. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.18 -> 1.0.21" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.21 -> 1.0.23" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "1.0.27 -> 1.0.28" notes = "Enabled on wasm targets" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.rustc-hash]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.1.0" notes = "Straightforward crate with no unsafe code, does what it says on the tin." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.textwrap]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" version = "0.15.0" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.typenum]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.15.0 -> 1.16.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"