# cargo-vet imports lock [[publisher.aho-corasick]] version = "1.1.3" when = "2024-03-20" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.anstream]] version = "0.6.13" when = "2024-02-27" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle]] version = "1.0.6" when = "2024-02-05" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-parse]] version = "0.2.3" when = "2023-12-04" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-query]] version = "1.0.2" when = "2023-12-08" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-wincon]] version = "3.0.2" when = "2023-12-04" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_builder]] version = "4.5.2" when = "2024-03-06" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_lex]] version = "0.7.0" when = "2024-02-08" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.colors-by-example]] version = "0.1.20" when = "2024-04-06" user-id = 183447 user-login = "koyeung" user-name = "YEUNG King On" [[publisher.is-terminal]] version = "0.4.12" when = "2024-02-09" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" [[publisher.memchr]] version = "2.7.2" when = "2024-03-27" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.proc-macro2]] version = "1.0.79" when = "2024-03-12" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.regex]] version = "1.10.4" when = "2024-03-23" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.regex-automata]] version = "0.4.6" when = "2024-03-04" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.regex-syntax]] version = "0.8.3" when = "2024-03-26" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.syn]] version = "2.0.58" when = "2024-04-03" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.termcolor]] version = "1.4.1" when = "2024-01-10" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.winapi-util]] version = "0.1.6" when = "2023-09-20" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.windows-targets]] version = "0.52.4" when = "2024-02-28" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_aarch64_gnullvm]] version = "0.52.4" when = "2024-02-28" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_x86_64_gnullvm]] version = "0.52.4" when = "2024-02-28" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[audits.bytecode-alliance.audits.quote]] who = "Pat Hickey " criteria = "safe-to-deploy" delta = "1.0.23 -> 1.0.27" [[audits.bytecode-alliance.audits.unicode-ident]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "1.0.8" [[audits.embark-studios.audits.colorchoice]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.0" notes = "No unsafe usage or ambient capabilities" [[audits.embark-studios.audits.utf8parse]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.2.1" notes = "Single unsafe usage that looks sound, no ambient capabilities" [audits.fermyon.audits] [[audits.google.audits.autocfg]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.1.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for reasonable, client-controlled usage of `std::fs` in `AutoCfg::with_dir`. This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb The CL description contains a link to a Google-internal document with audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.autocfg]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.2.0" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and nothing changed from the baseline audit of 1.1.0. Skimmed through the 1.1.0 => 1.2.0 delta and everything seemed okay. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.lazy_static]] who = "Android Legacy" criteria = "safe-to-run" version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.serde]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.197" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. There were some hits for `net`, but they were related to serialization and not actually opening any connections or anything like that. There were 2 hits of `unsafe` when grepping: * In `fn as_str` in `impl Buf` * In `fn serialize` in `impl Serialize for net::Ipv4Addr` Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this review also covered `serde_json_lenient`). Version 1.0.130 of the crate has been added to Chromium in https://crrev.com/c/3265545. The CL description contains a link to a (Google-internal, sorry) document with a mini security review. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.serde_derive]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.197" notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.isrg.audits.num-traits]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.2.15 -> 0.2.16" [[audits.isrg.audits.num-traits]] who = "Ameer Ghani " criteria = "safe-to-deploy" delta = "0.2.16 -> 0.2.17" [[audits.isrg.audits.num-traits]] who = "David Cook " criteria = "safe-to-deploy" delta = "0.2.17 -> 0.2.18" [[audits.mozilla.audits.linked-hash-map]] who = "Aria Beingessner " criteria = "safe-to-deploy" version = "0.5.4" notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.linked-hash-map]] who = "Alex Franchuk " criteria = "safe-to-deploy" delta = "0.5.4 -> 0.5.6" notes = "New unsafe code has debug assertions and meets invariants. All other changes are formatting-related." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-traits]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.2.15" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "1.0.18" notes = """ `quote` is a utility crate used by proc-macros to generate TokenStreams conveniently from source code. The bulk of the logic is some complex interlocking `macro_rules!` macros which are used to parse and build the `TokenStream` within the proc-macro. This crate contains no unsafe code, and the internal logic, while difficult to read, is generally straightforward. I have audited the the quote macros, ident formatter, and runtime logic. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.18 -> 1.0.21" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.0.21 -> 1.0.23" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "1.0.27 -> 1.0.28" notes = "Enabled on wasm targets" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "1.0.28 -> 1.0.31" notes = "Minimal changes and removal of the build.rs" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.unicode-ident]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "1.0.8 -> 1.0.9" notes = "Dependency updates only" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.zcash.audits.quote]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.31 -> 1.0.33" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.quote]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.33 -> 1.0.35" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.unicode-ident]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.9 -> 1.0.12" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"