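# cargo-vet imports lock

# Publisher records: for each crate version, the crates.io account (numeric
# user-id plus login) that published it and the publish date (`when`).
# The wildcard audits in this file are keyed by `user-id` and a date window,
# so a match depends on the numeric id and `when`, not on the display name.
# Presumably trusted-publisher entries in the project's cargo-vet
# configuration (not shown here) are matched the same way; confirm there.

[[publisher.aho-corasick]]
version = "1.1.3"
when = "2024-03-20"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.anstream]]
version = "0.6.15"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle]]
version = "1.0.8"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle-parse]]
version = "0.2.5"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle-query]]
version = "1.1.1"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anstyle-wincon]]
version = "3.0.4"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.anyhow]]
version = "1.0.86"
when = "2024-05-18"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.async-std]]
version = "1.12.0"
when = "2022-06-18"
user-id = 4333
user-login = "joshtriplett"
user-name = "Josh Triplett"

[[publisher.async-trait]]
version = "0.1.81"
when = "2024-07-07"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.backtrace]]
version = "0.3.73"
when = "2024-06-12"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.bumpalo]]
version = "3.16.0"
when = "2024-04-08"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.by_address]]
version = "1.2.1"
when = "2024-03-27"
user-id = 2017
user-login = "mbrubeck"
user-name = "Matt Brubeck"

[[publisher.byteorder]]
version = "1.5.0"
when = "2023-10-06"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.bytes]]
version = "1.7.1"
when = "2024-08-01"
user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"

[[publisher.clap]]
version = "4.5.16"
when = "2024-08-15"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.clap_derive]]
version = "4.5.13"
when = "2024-07-31"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.clap_lex]]
version = "0.7.2"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.colorchoice]]
version = "1.0.2"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.core-foundation]]
version = "0.9.3"
when = "2022-02-07"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.core-graphics-types]]
version = "0.1.1"
when = "2020-09-15"
user-id = 2396
user-login = "jdm"
user-name = "Josh Matthews"

[[publisher.core-text]]
version = "19.2.0"
when = "2021-02-14"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.csv]]
version = "1.3.0"
when = "2023-10-03"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.csv-core]]
version = "0.1.11"
when = "2023-10-03"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.encoding_rs]]
version = "0.8.34"
when = "2024-04-10"
user-id = 4484
user-login = "hsivonen"
user-name = "Henri Sivonen"

[[publisher.etagere]]
version = "0.2.13"
when = "2024-06-17"
user-id = 1281
user-login = "nical"
user-name = "Nicolas Silva"

[[publisher.euclid]]
version = "0.22.10"
when = "2024-05-21"
user-id = 1281
user-login = "nical"
user-name = "Nicolas Silva"

[[publisher.h2]]
version = "0.4.5"
when = "2024-05-17"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.hashbrown]]
version = "0.14.5"
when = "2024-04-28"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.http]]
version = "1.1.0"
when = "2024-03-04"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.http-body-util]]
version = "0.1.2"
when = "2024-06-10"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.httparse]]
version = "1.9.4"
when = "2024-06-17"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.hyper]]
version = "1.4.1"
when = "2024-07-09"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.hyper-tls]]
version = "0.6.0"
when = "2023-11-27"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.hyper-util]]
version = "0.1.7"
when = "2024-08-06"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.indexmap]]
version = "2.4.0"
when = "2024-08-13"
user-id = 539
user-login = "cuviper"
user-name = "Josh Stone"

[[publisher.io-lifetimes]]
version = "1.0.11"
when = "2023-05-24"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.is_terminal_polyfill]]
version = "1.70.1"
when = "2024-07-25"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.jobserver]]
version = "0.1.25"
when = "2022-09-23"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.js-sys]]
version = "0.3.70"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.libm]]
version = "0.2.8"
when = "2023-10-06"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.linux-raw-sys]]
version = "0.3.8"
when = "2023-05-19"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.linux-raw-sys]]
version = "0.4.14"
when = "2024-05-17"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.linux-raw-sys]]
version = "0.6.5"
when = "2024-08-16"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.lock_api]]
version = "0.4.12"
when = "2024-04-25"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.memchr]]
version = "2.7.4"
when = "2024-06-14"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.mime]]
version = "0.3.17"
when = "2023-03-20"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.new_debug_unreachable]]
version = "1.0.6"
when = "2024-03-15"
user-id = 2017
user-login = "mbrubeck"
user-name = "Matt Brubeck"

[[publisher.num_cpus]]
version = "1.16.0"
when = "2023-06-29"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.parking_lot]]
version = "0.11.2"
when = "2021-08-27"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.parking_lot]]
version = "0.12.3"
when = "2024-05-24"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.parking_lot_core]]
version = "0.8.6"
when = "2022-12-12"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.parking_lot_core]]
version = "0.9.10"
when = "2024-04-25"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.paste]]
version = "1.0.15"
when = "2024-05-07"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.phf]]
version = "0.11.2"
when = "2023-06-24"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.phf_codegen]]
version = "0.11.2"
when = "2023-06-24"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.phf_generator]]
version = "0.10.0"
when = "2021-08-10"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.phf_generator]]
version = "0.11.2"
when = "2023-06-24"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.phf_macros]]
version = "0.11.2"
when = "2023-06-24"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.phf_shared]]
version = "0.10.0"
when = "2021-08-10"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

[[publisher.phf_shared]]
version = "0.11.2"
when = "2023-06-24"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"

# No user-name is recorded for this account; only the id and login identify
# the publisher.
[[publisher.presser]]
version = "0.3.1"
when = "2022-10-16"
user-id = 52553
user-login = "embark-studios"

[[publisher.regex]]
version = "1.10.6"
when = "2024-08-02"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.regex-automata]]
version = "0.4.7"
when = "2024-06-09"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.regex-syntax]]
version = "0.8.4"
when = "2024-06-09"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.reqwest]]
version = "0.12.5"
when = "2024-06-17"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.rustix]]
version = "0.37.27"
when = "2023-10-26"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.rustix]]
version = "0.38.34"
when = "2024-04-22"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.ryu]]
version = "1.0.18"
when = "2024-05-07"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.same-file]]
version = "1.0.6"
when = "2020-01-11"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.scoped-tls]]
version = "1.0.1"
when = "2022-10-31"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.scopeguard]]
version = "1.2.0"
when = "2023-07-17"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.serde]]
version = "1.0.208"
when = "2024-08-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_derive]]
version = "1.0.208"
when = "2024-08-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_json]]
version = "1.0.125"
when = "2024-08-15"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.serde_repr]]
version = "0.1.19"
when = "2024-04-08"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.slab]]
version = "0.4.9"
when = "2023-08-22"
user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"

[[publisher.smallvec]]
version = "1.13.2"
when = "2024-03-20"
user-id = 2017
user-login = "mbrubeck"
user-name = "Matt Brubeck"

[[publisher.syn]]
version = "1.0.109"
when = "2023-02-24"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.syn]]
version = "2.0.75"
when = "2024-08-17"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.termcolor]]
version = "1.4.1"
when = "2024-01-10"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.thiserror]]
version = "1.0.63"
when = "2024-07-17"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.thiserror-impl]]
version = "1.0.63"
when = "2024-07-17"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.tokio]]
version = "1.39.3"
when = "2024-08-17"
user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"

[[publisher.tokio-util]]
version = "0.7.11"
when = "2024-05-04"
user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"

[[publisher.toml_datetime]]
version = "0.6.8"
when = "2024-07-30"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.toml_edit]]
version = "0.21.1"
when = "2024-01-31"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.try-lock]]
version = "0.2.5"
when = "2023-12-07"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.unicode-normalization]]
version = "0.1.23"
when = "2024-02-20"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.unicode-segmentation]]
version = "1.11.0"
when = "2024-02-07"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.unicode-xid]]
version = "0.2.4"
when = "2022-09-15"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.walkdir]]
version = "2.5.0"
when = "2024-03-01"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.want]]
version = "0.3.1"
when = "2023-06-14"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.wasi]]
version = "0.11.0+wasi-snapshot-preview1"
when = "2022-01-19"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen]]
version = "0.2.93"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-backend]]
version = "0.2.93"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-futures]]
version = "0.4.43"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-macro]]
version = "0.2.93"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-macro-support]]
version = "0.2.93"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasm-bindgen-shared]]
version = "0.2.93"
when = "2024-08-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.web-sys]]
version = "0.3.67"
when = "2024-01-12"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.winapi-util]]
version = "0.1.9"
when = "2024-08-02"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.windows]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-core]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.45.0"
when = "2023-01-21"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.48.0"
when = "2023-03-31"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.59.0"
when = "2024-07-30"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-targets]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_gnullvm]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_gnullvm]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_gnullvm]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_aarch64_msvc]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnu]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_gnullvm]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_i686_msvc]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnu]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_gnullvm]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.42.2"
when = "2023-03-13"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.48.5"
when = "2023-08-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows_x86_64_msvc]]
version = "0.52.6"
when = "2024-07-03"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.winnow]]
version = "0.5.40"
when = "2024-02-12"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

# Wildcard audit: certifies every bumpalo release published by crates.io
# user 696 between `start` and `end`, without a per-version review. The
# publisher.bumpalo record above (3.16.0, 2024-04-08, user-id 696) falls
# inside the window. The guarantee is only as strong as control of that
# publishing account.
# NOTE(review): every `who` value in this file ends in a space, which suggests
# a trailing address part was dropped from this copy; compare with the
# upstream audit file before relying on it.
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2025-07-30"

# `version` marks a full review of that one release.
[[audits.bytecode-alliance.audits.base64]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."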
# Audits imported from the bytecode-alliance peer.
# `version` = full review of that release; `delta` = review of the diff
# between the two named releases only, so a delta is useful only when the
# starting release is itself covered by some other entry.
# NOTE(review): every `who` value ends in a space, which suggests a trailing
# address part was dropped from this copy; compare with the upstream file.

# NOTE(review): this delta starts at 0.21.3, while the full base64 audit that
# precedes it in this file is for 0.21.0. The 0.21.0 -> 0.21.3 step is not
# covered by either entry; presumably another source bridges it. Confirm.
[[audits.bytecode-alliance.audits.base64]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
delta = "0.21.3 -> 0.22.1"

[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"

[[audits.bytecode-alliance.audits.codespan-reporting]]
who = "Jamey Sharp "
criteria = "safe-to-deploy"
version = "0.11.1"
notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O."

[[audits.bytecode-alliance.audits.crypto-common]]
who = "Benjamin Bouvier "
criteria = "safe-to-deploy"
version = "0.1.3"

[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."

[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = "Just a dependency version bump and a bug fix for redox"

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """ This update had a few doc updates but no otherwise-substantial source code updates. """

# The auditor's caveat applies downstream: the crate's macro was reviewed,
# each expansion site was not.
[[audits.bytecode-alliance.audits.foreign-types]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.2"
notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well."

[[audits.bytecode-alliance.audits.foreign-types-shared]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.1"

# The three futures-* notes below state the limit of the review: the unsafe
# concurrency code was read and judged "not obviously incorrect", not proven
# correct.
[[audits.bytecode-alliance.audits.futures-channel]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"

[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."

[[audits.bytecode-alliance.audits.futures-executor]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."

[[audits.bytecode-alliance.audits.futures-io]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"

[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected."

[[audits.bytecode-alliance.audits.http-body]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.0.0-rc.2"

[[audits.bytecode-alliance.audits.http-body]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.0.0-rc.2 -> 1.0.0"
notes = "Only minor changes made for a stable release."

[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.1.2"

[[audits.bytecode-alliance.audits.idna]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = """ This is a crate without unsafe code or usage of the standard library. The large size of this crate comes from the large generated unicode tables file. This crate is broadly used throughout the ecosystem and does not contain anything suspicious. """

# The base release 0.1.25 has no full audit here; it appears in this file
# only as a publisher record (user-id 1), so this delta presumably rests on
# publisher trust for its starting point. Confirm.
[[audits.bytecode-alliance.audits.jobserver]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.1.25 -> 0.1.32"

[[audits.bytecode-alliance.audits.num-traits]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
version = "0.2.19"
notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected."

[[audits.bytecode-alliance.audits.openssl-probe]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "IO is only checking for the existence of paths in the filesystem"

[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """ This crate is a single-file crate that does what it says on the tin. There are a few `unsafe` blocks related to utf-8 validation which are locally verifiable as correct and otherwise this crate is good to go. """

[[audits.bytecode-alliance.audits.pin-utils]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

# Build-time dependency that runs an external executable, per the note.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.25"
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."

# NOTE(review): the full audit above is for 0.3.25 and this delta starts at
# 0.3.26; the 0.3.25 -> 0.3.26 step is not covered by these two entries.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.29"
notes = """ No `unsafe` additions or anything outside of the purview of the crate in this change. """

# Self-review: the note says the auditor is the crate's author, so this is
# not an independent audit.
[[audits.bytecode-alliance.audits.rustc-demangle]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.rustc-demangle]] who = "Alex Crichton " criteria = "safe-to-deploy" delta = "0.1.21 -> 0.1.24" [[audits.bytecode-alliance.audits.semver]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "1.0.17" notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct" [[audits.bytecode-alliance.audits.tinyvec_macros]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.1.0" notes = """ This is a trivial crate which only contains a singular macro definition which is intended to multiplex across the internal representation of a tinyvec, presumably. This trivially doesn't contain anything bad. """ [[audits.bytecode-alliance.audits.tokio-native-tls]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.3.1" notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly." [[audits.bytecode-alliance.audits.unicode-bidi]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "0.3.8" notes = """ This crate has no unsafe code and does not use `std::*`. Skimming the crate it does not attempt to out of the bounds of what it's already supposed to be doing. """ [[audits.bytecode-alliance.audits.vcpkg]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.2.15" notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." [[audits.embark-studios.wildcard-audits.presser]] who = "Gray Olson " criteria = "safe-to-deploy" user-id = 52553 # embark-studios start = "2021-01-01" end = "2024-05-23" notes = """ Small crate with no dependencies and no ambient capabilities. The safe interface of the crate is gated behind unsafe implementation of a core trait, and care must be taken to ensure that the relevant invariants are guaranteed when doing so. Maintained by the Ark team at Embark and used in production. 
""" [[audits.embark-studios.audits.cfg_aliases]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.1" notes = "No unsafe usage or ambient capabilities" [[audits.embark-studios.audits.idna]] who = "Johan Andersson " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.4.0" notes = "No unsafe usage or ambient capabilities" [[audits.embark-studios.audits.jni]] who = "Robert Bragg " criteria = "safe-to-deploy" version = "0.21.1" notes = """ Aims to provide a safe JNI (Java Native Interface) API over the unsafe `jni_sys` crate. This is a very general FFI abstraction for Java VMs with a lot of unsafe code throughout the API. There are almost certainly some edge cases with its design that could lead to unsound behaviour but it should still be considerably safer than working with JNI directly. A lot of the unsafe usage relates to quite-simple use of `from_raw` APIs to construct or cast wrapper types (around JNI pointers) which are fairly straight-forward to verify/trust in context. Some unsafe code has good `// # Safety` documentation (this has been enforced for newer code) but a lot of unsafe code doesn't document invariants that are being relied on. The design depends on non-trivial named lifetimes across many APIs to associate Java local references with JNI stack frames. The crate is not very actively maintained and was practically unmaintained for over a year before the 0.20 release. Robert Bragg who now works at Embark Studios became the maintainer of this crate in October 2022. In the process of working on the `jni` crate since becoming maintainer it's worth noting that I came across multiple APIs that I found needed to be re-worked to address safety issues, including ensuring that APIs that are not implemented safely are correctly declared as `unsafe`. There has been a focus on improving safety in the last two release. 
The jni crate has been used in production with the Signal messaging application for over two years: https://github.com/signalapp/libsignal/blob/main/rust/bridge/jni/Cargo.toml # Some Notable Open Issues - https://github.com/jni-rs/jni-rs/issues/422 - questions soundness of linking multiple versions of jni crate into an application, considering the use of (separately scoped) thread-local-storage to track thread attachments - https://github.com/jni-rs/jni-rs/issues/405 - discusses the ease with which code may expose the JVM to invalid booleans with undefined behaviour """ [[audits.embark-studios.audits.ndk-context]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.1" notes = "Tiny crate that initializes Android with FFI, looks sane. No other ambient capabilities" [[audits.embark-studios.audits.tap]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.1" notes = "No unsafe usage or ambient capabilities" [[audits.google.audits.adler]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.2" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits (except in comments and in the `README.md` file). Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. 
''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.ash]] who = "David Koloski " criteria = "safe-to-deploy" version = "0.37.0+1.3.209" notes = "Reviewed on https://fxrev.dev/694269" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.autocfg]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.1.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for reasonable, client-controlled usage of `std::fs` in `AutoCfg::with_dir`. This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb The CL description contains a link to a Google-internal document with audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.autocfg]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.2.0" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and nothing changed from the baseline audit of 1.1.0. Skimmed through the 1.1.0 => 1.2.0 delta and everything seemed okay. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.3.2" notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review The crate exposes a function marked as `unsafe`, but doesn't use any `unsafe` blocks (except for tests of the single `unsafe` function). 
I think this justifies marking this crate as `ub-risk-1`. Additional review comments can be found at https://crrev.com/c/4723145/31 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "2.4.2" notes = """ Audit notes: * I've checked for any discussion in Google-internal cl/546819168 (where audit of version 2.3.3 happened) * `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` * There are 2 cases of `unsafe` in `src/external.rs` but they seem to be correct in a straightforward way - they just propagate the marker trait's impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type * Additional discussion and/or notes may be found in https://crrev.com/c/5238056 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "2.4.2 -> 2.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "2.5.0 -> 2.6.0" notes = "The changes from the previous version are negligible and thus it retains the same properties." 
# Imported Google audit records, cfg-if through font-types, laid out one key
# per line. `version` marks an audit of a whole release and `delta` an audit
# of only the changes between two releases; a delta helps only when its
# starting version is itself covered. Entries without `notes` record just who
# certified which range.

# Final key of the `[[audits.google.audits.bitflags]]` 2.5.0 -> 2.6.0 table
# that opens on the preceding line.
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.cfg-if]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.clap_builder]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "4.5.15"
notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.color_quant]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# Part of the review evidence is Google-internal, so an external importer can
# check only the public crrev link.
[[audits.google.audits.crc32fast]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.4.2"
notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.dirs-next]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "2.0.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.equivalent]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# The notes say the crate's RNG is not cryptographically secure; this record
# certifies only `safe-to-deploy`.
[[audits.google.audits.fastrand]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """ `does-not-implement-crypto` is certified because this crate explicitly says that the RNG here is not cryptographically secure. """
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.fdeflate]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.3.4"
notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits. Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# NOTE(review): this is a partial audit. Per the notes, the code behind the
# `any_zlib` feature was not reviewed, and the record itself carries no
# feature scope, so a consumer that enables that feature should review that
# code separately. The sentence "Chromium does use the `any_zlib`
# feature(s)" reads as if a "not" was dropped: the 1.0.30 -> 1.0.31 entry
# below says the feature "is not used in Chromium". Confirm against the
# upstream audits.toml before relying on either reading.
[[audits.google.audits.flate2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.30"
notes = ''' WARNING: This certification is a result of a **partial** audit. The `any_zlib` code has **not** been audited. Ability to track partial audits is tracked in https://github.com/mozilla/cargo-vet/issues/380 Chromium does use the `any_zlib` feature(s). Accidentally depending on this feature in the future is prevented using the `ban_features` feature of `gnrt` - see: https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`: * The code under `src/ffi/...` will not be used because the `mod c` declaration in `src/ffi/mod.rs` depends on the `any_zlib` config * 7 uses of `unsafe` in `src/mem.rs` also all depend on the `any_zlib` config: - 2 in `fn set_dictionary` (under `impl Compress`) - 2 in `fn set_level` (under `impl Compress`) - 3 in `fn set_dictionary` (under `impl Decompress`) All hits of `'\bfs\b'` are in comments, or example code, or test code (but not in product code). There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Inherits the partial scope of the 1.0.30 audit above, as its notes state.
[[audits.google.audits.flate2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.0.30 -> 1.0.31"
notes = """ Only benign changes: * Comment-only changes in `.rs` files * Also changing dependency version in `Cargo.toml`, but this is for `any_zlib` feature which is not used in Chromium (i.e. this is a *partial* audit - see the previous audit notes for 1.0.30) """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Per the notes, the overall `safe-to-deploy` judgement rests mostly on
# certification by the library's Chromium engineers; the grep covers only the
# listed keywords.
[[audits.google.audits.font-types]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.5.2"
notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits except for 3 `unsafe impl bytemuck::SomeTrait for ...`. Each `impl` had a reasonable safety comment and there were no actual `unsafe` blocks, so I think this can be treated as `ub-risk-1`. Additional `unsafe` review comments can be found in https://crrev.com/c/5445719. For overall `safe-to-deploy` and `does-not-implement-crypto` I am mostly relying on certification by the Chromium engineers who work on the library (mostly drott@chromium.org). """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.font-types]]
who = "danakj "
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.5.3"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.font-types]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "0.5.3 -> 0.5.4"
notes = """ The delta just adds `impl From for u32` - no impact on `unsafe impl`s elsewhere. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.font-types]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.5.5"
notes = "No unsafe changes."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# The `aggregated-from` key of this table is on the following line.
[[audits.google.audits.font-types]]
who = "Dominik Röttsches "
criteria = "safe-to-deploy"
delta = "0.5.5 -> 0.6.0"
notes = "This change comprises changes to understand larger GlyphId and compatibility with older Mac TrueType fonts. No unsafe code is introduced."
# Imported audit records from three peers, laid out one key per line: the
# rest of the Google set (futures through unicode-ident), the ISRG set, and
# the first Mozilla wildcard audits. `version` marks an audit of a whole
# release and `delta` an audit of only the changes between two releases; a
# delta helps only when its starting version is itself covered.

# Final key of the `[[audits.google.audits.font-types]]` 0.5.5 -> 0.6.0 table
# that opens on the preceding line.
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.futures]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.3.28"
notes = """ `futures` has no logic other than tests - it simply `pub use`s things from other crates. """
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# In a basic (""") string `\b` is the backspace escape, so the grep patterns
# quoted in notes like this one are not stored literally; the entries that
# use ''' keep them verbatim.
[[audits.google.audits.heck]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.4.1"
notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits. `heck` (version `0.3.3`) has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.itoa]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.10"
notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are a few places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5350697. Version 1.0.1 of this crate has been added to Chromium in https://crrev.com/c/3321896. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.itoa]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.0.10 -> 1.0.11"
notes = """ Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: * Bumping up the version * A touch up of comments * And my own PR to make `unsafe` blocks more granular: https://github.com/dtolnay/itoa/pull/42 """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.4.0"
notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are two places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5347418. This crate has been added to Chromium in https://crrev.com/c/3321895. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.4.0 -> 1.5.0"
notes = "Unsafe review notes: https://crrev.com/c/5650836"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.miniz_oxide]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.7.4"
notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits, except for some mentions of "unsafe" in the `README.md` and in a comment in `src/deflate/core.rs`. The comment discusses whether a function should be treated as unsafe, but there is no actual `unsafe` code, so the crate meets the `ub-risk-0` criteria. Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.openssl-macros]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "0.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.openssl-macros]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "Reviewed on https://fxrev.dev/824504"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
notes = "Audited at https://fxrev.dev/946396"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.png]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.17.13"
notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits except for reasonable, client-controlled usage of `std::fs::File` in tests in `src/encoder.rs`, tests in `src/decoder/stream.rs`, and in some example code. Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro-error-attr]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

# proc-macro2 is covered by one full audit (1.0.78) followed by an unbroken
# chain of single-step deltas up to 1.0.86.
[[audits.google.audits.proc-macro2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.78"
notes = """ Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for a benign \"fs\" hit in a doc comment) Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.79"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.0.79 -> 1.0.80"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.0.80 -> 1.0.81"
notes = "Comment changes only"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "danakj "
criteria = "safe-to-deploy"
delta = "1.0.81 -> 1.0.82"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.0.82 -> 1.0.83"
notes = "Substantive change is replacing String with Box, saving memory."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.84"
notes = "Only doc comment changes in `src/lib.rs`."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
delta = "1.0.84 -> 1.0.85"
notes = "Test-only changes."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro2]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.0.85 -> 1.0.86"
notes = """ Comment-only changes in `build.rs`. Reordering of `Cargo.toml` entries. Just bumping up the version number in `lib.rs`. Config-related changes in `test_size.rs`. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.quote]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.35"
notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for benign \"net\" hit in tests and \"fs\" hit in README.md) """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.quote]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.0.35 -> 1.0.36"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Per the notes, the overall `safe-to-deploy` judgement for read-fonts (and
# for skrifa below) rests mostly on certification by the library's Chromium
# engineers; the grep covers only the listed keywords.
[[audits.google.audits.read-fonts]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.19.0"
notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for a benign \"fs\" hit in a comment). For overall `safe-to-deploy` and `does-not-implement-crypto` I am mostly relying on certification by the Chromium engineers who work on the library (mostly drott@chromium.org). """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.read-fonts]]
who = "danakj "
criteria = "safe-to-deploy"
delta = "0.19.0 -> 0.19.1"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.read-fonts]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "0.19.1 -> 0.19.2"
notes = """ The delta is a bug fix in `src/tables/cmap.rs`. No new `unsafe` - still `ub-risk-0`. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.read-fonts]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
delta = "0.19.2 -> 0.19.3"
notes = "No unsafe."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.read-fonts]]
who = "Dominik Röttsches "
criteria = "safe-to-deploy"
delta = "0.19.3 -> 0.20.0"
notes = """ Contains changes for: * Adding IntSet, SparseBitSet * Support for VARC * Improved AAT support * Fuzzer overflow fixes, and avoiding timeouts in CMAP * Closure computations for subsetting of COLR * large glyphId support. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# NOTE(review): the notes cite "Audit comments for 1.3.2" while `version` is
# "0.3.7"; confirm which release the linked review actually covers.
[[audits.google.audits.simd-adler32]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.3.7"
notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review Audit comments for 1.3.2 can be found at https://crrev.com/c/4723145. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.skrifa]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.19.0"
notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for benign \"fs\" hit in `skrifa-0.19.0/src/color/traversal_tests/mod.rs`). For overall `safe-to-deploy` and `does-not-implement-crypto` I am mostly relying on certification by the Chromium engineers who work on the library (mostly drott@chromium.org). """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.skrifa]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "0.19.0 -> 0.19.1"
notes = "Crate has `forbid_unsafe` and no unsafe code. Changes all appear font-related and safe."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.skrifa]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "0.19.1 -> 0.19.2"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.skrifa]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "0.19.2 -> 0.19.3"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.skrifa]]
who = "Dominik Röttsches "
criteria = "safe-to-deploy"
delta = "0.19.3 -> 0.20.0"
notes = "Contains mainly preparatory autohint changes and data tables."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.static_assertions]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits except for one `unsafe`. The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code never runs) and is only introduced for some compile-time checks. Additional unsafe review comments can be found in https://crrev.com/c/5353376. This crate has been added to Chromium in https://crrev.com/c/3736562. The CL description contains a link to a document with an additional security review. """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.tinyvec]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for some \"unsafe\" appearing in comments: ``` src/arrayvec.rs: // Note: This shouldn't use A::CAPACITY, because unsafe code can't rely on src/lib.rs://! All of this is done with no `unsafe` code within the crate. Technically the src/lib.rs://! `Vec` type from the standard library uses `unsafe` internally, but *this src/lib.rs://! crate* introduces no new `unsafe` code into your project. src/array.rs:/// Just a reminder: this trait is 100% safe, which means that `unsafe` code ``` This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/24773c33e1b7a1b5069b9399fd034375995f290b """
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.tinyvec]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.6.0 -> 1.6.1"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.tinyvec]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.tinyvec]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# The notes describe `unsafe` array indexing in the public API whose bounds
# were checked by analysis; the detail is in the linked review CL.
[[audits.google.audits.unicode-ident]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.12"
notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. All two functions from the public API of this crate use `unsafe` to avoid bound checks for an array access. Cross-module analysis shows that the offsets can be statically proven to be within array bounds. More details can be found in the unsafe review CL at https://crrev.com/c/5350386. This crate has been added to Chromium in https://crrev.com/c/3891618. '''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# The ISRG records below carry neither `notes` nor `aggregated-from`, so the
# only evidence they give is who certified which version or range.
[[audits.isrg.audits.base64]]
who = "Tim Geoghegan "
criteria = "safe-to-deploy"
delta = "0.21.0 -> 0.21.1"

[[audits.isrg.audits.base64]]
who = "Brandon Pitman "
criteria = "safe-to-deploy"
delta = "0.21.1 -> 0.21.2"

[[audits.isrg.audits.base64]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "0.21.2 -> 0.21.3"

[[audits.isrg.audits.block-buffer]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.9.0"

[[audits.isrg.audits.crunchy]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.2.2"

[[audits.isrg.audits.rand_chacha]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.3.1"

[[audits.isrg.audits.rand_core]]
who = "David Cook "
criteria = "safe-to-deploy"
version = "0.6.3"

[[audits.isrg.audits.subtle]]
who = "David Cook "
criteria = "safe-to-deploy"
delta = "2.5.0 -> 2.6.1"

# Wildcard audits certify by publisher rather than by version: they cover
# releases published on crates.io by `user-id` between `start` and `end`.
# Releases published after `end` are not covered. The `user-id` values
# correspond to the `[[publisher.*]]` records at the top of this file.
[[audits.mozilla.wildcard-audits.core-foundation]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2019-03-29"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.core-graphics-types]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 2396 # Josh Matthews (jdm)
start = "2020-07-20"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.core-text]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2021-02-14"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The author's notes list two caveats about undefined behaviour, each with a
# tracking issue; read this certification together with them.
[[audits.mozilla.wildcard-audits.encoding_rs]]
who = "Henri Sivonen "
criteria = "safe-to-deploy"
user-id = 4484 # Henri Sivonen (hsivonen)
start = "2019-02-26"
end = "2024-08-28"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The `aggregated-from` key of this table is on the following line.
[[audits.mozilla.wildcard-audits.etagere]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
user-id = 1281 # Nicolas Silva (nical)
start = "2020-11-12"
end = "2025-06-01"
notes = "I am the author of this crate."
# Mozilla wildcard audits (euclid and the unicode-* crates) followed by the
# first per-version Mozilla audit, laid out one key per line.

# Final key of the `[[audits.mozilla.wildcard-audits.etagere]]` table that
# opens on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# A wildcard audit certifies by publisher rather than by version: it covers
# releases published on crates.io by `user-id` between `start` and `end`.
# Releases published after `end` are not covered.
[[audits.mozilla.wildcard-audits.euclid]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
user-id = 1281 # Nicolas Silva (nical)
start = "2019-03-14"
end = "2025-04-25"
notes = "I wrote most of the commits in the euclid reprository and review every change that is not produced by me."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The three unicode-* wildcards share one publisher and one `end` date.
[[audits.mozilla.wildcard-audits.unicode-normalization]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-11-06"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.unicode-segmentation]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-05-15"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.wildcard-audits.unicode-xid]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-07-25"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Author-certified: the notes state the auditor wrote the crate, with a
# second reviewer named. The `aggregated-from` key of this table is on the
# following line.
[[audits.mozilla.audits.android_system_properties]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
# Mozilla audit records for android_system_properties, ash and bit-set, laid
# out one key per line.

# Final key of the `[[audits.mozilla.audits.android_system_properties]]`
# 0.1.2 table that opens on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# These ash deltas start from 0.37.0+1.3.209, the version covered by the
# Google (Fuchsia) audit elsewhere in this file, so the chain crosses two
# import sources. The notes pin the reviewed range to upstream commits.
[[audits.mozilla.audits.ash]]
who = "Jim Blandy "
criteria = "safe-to-deploy"
delta = "0.37.0+1.3.209 -> 0.37.1+1.3.235"
notes = """ Nicolas Silva, Jim Blandy, and Teodor Tanasoaia audited ash master branch commits from e43e9c0c to 6bd82768 inclusive. """
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.ash]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
delta = "0.37.1+1.3.235 -> 0.37.2+1.3.238"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.ash]]
who = "Teodor Tanasoaia "
criteria = "safe-to-deploy"
delta = "0.37.2+1.3.238 -> 0.37.3+1.3.251"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Owner-certified: the notes state the auditor owns the crate. The
# `aggregated-from` key of this table is on the following line.
[[audits.mozilla.audits.bit-set]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
# Mozilla audit records for bit-set, bit-vec, block-buffer, core-foundation
# and core-graphics-types, laid out one key per line. A `delta` record
# certifies only the changes between two releases, so it helps only when its
# starting version is itself covered by a full audit, an earlier chain of
# deltas, a wildcard audit or a local exemption.

# Final key of the `[[audits.mozilla.audits.bit-set]]` 0.5.2 table that opens
# on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.bit-set]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.5.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.bit-vec]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# NOTE(review): the only full block-buffer audit visible in this part of the
# file is ISRG's 0.9.0, which does not connect to 0.10.2; the base for this
# delta presumably comes from elsewhere - confirm.
[[audits.mozilla.audits.block-buffer]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The core-foundation and core-graphics-types deltas start at 0.9.3 and
# 0.1.1, the releases recorded under `[[publisher.*]]` at the top of the
# file, so their base would be the wildcard audits for those publishers.
[[audits.mozilla.audits.core-foundation]]
who = "Teodor Tanasoaia "
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.9.4"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.core-graphics-types]]
who = "Teodor Tanasoaia "
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.1.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The `aggregated-from` key of this table is on the following line.
[[audits.mozilla.audits.core-graphics-types]]
who = "Teodor Tanasoaia "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.3"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
# Mozilla audit records for core-text, crypto-common and dwrote, laid out one
# key per line.

# Final key of the `[[audits.mozilla.audits.core-graphics-types]]`
# 0.1.2 -> 0.1.3 table that opens on the preceding line.
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# 19.2.0 -> 20.0.0 crosses a major version and carries no notes, so the
# record gives no indication of what the reviewed diff contained.
[[audits.mozilla.audits.core-text]]
who = "Teodor Tanasoaia "
criteria = "safe-to-deploy"
delta = "19.2.0 -> 20.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.core-text]]
who = "Jonathan Kew "
criteria = "safe-to-deploy"
delta = "20.0.0 -> 20.1.0"
notes = """ The bulk of the 20.0.0 -> 20.1.0 changes were purely cosmetic clippy and rustfmt changes. The only substantive change was the addition of wrappers to expose two additional Core Text APIs, the variants of CTFontCreateWithName and CTFontCreateWithFontDescriptor that accept a CTFontOptions parameter. These are directly parallel to the existing versions without CTFontOptions, and do not introduce any new forms of risk. """
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# NOTE(review): no full crypto-common audit is visible in this part of the
# file; the base for this delta presumably comes from elsewhere - confirm.
[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The `aggregated-from` key of this table is on the following line.
[[audits.mozilla.audits.dwrote]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "0.11.0"
notes = "All code written or reviewed by Mozilla staff."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.errno]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.1 -> 0.3.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fastrand]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.9.0 -> 2.0.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fastrand]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "2.0.1 -> 2.1.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.foreign-types]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.3.2 -> 0.5.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.foreign-types-macros]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" version = "0.2.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.foreign-types-shared]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.1.1 -> 0.3.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.form_urlencoded]] who = "Valentin Gosu " criteria = "safe-to-deploy" version = "1.2.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.form_urlencoded]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "1.2.0 -> 1.2.1" aggregated-from = 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-channel]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-core]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-executor]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-io]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.gpu-allocator]] who = "Erich Gubler " criteria = "safe-to-deploy" version = "0.25.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hashbrown]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.12.3" notes = "This version is used in rust's libstd, so effectively we're already trusting it" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.idna]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "0.4.0 -> 0.5.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.malloc_buf]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "0.0.6" notes = """ Very small crate for managing malloc-ed buffers, 
primarily for use in the objc crate. There is an edge-case condition that passes slice::from_raw_parts(0x1, 0) which I'm not entirely certain is technically sound, but in either case I am reasonably confident it's not exploitable. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memmap2]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.9.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.metal]] who = "Jim Blandy " criteria = "safe-to-deploy" version = "0.23.1" notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.metal]] who = "Jim Blandy " criteria = "safe-to-deploy" delta = "0.23.1 -> 0.24.0" notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.metal]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.24.0 -> 0.25.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.metal]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "0.25.0 -> 0.26.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.metal]] who = "Nicolas Silva , Jim Blandy " criteria = "safe-to-deploy" delta = "0.26.0 -> 0.27.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Dzmitry Malyshau " criteria = "safe-to-deploy" version = "0.8.0" notes = """ This crate, up through the indicated version, was written or reviewed by Dzmitry Malyshau while he was a Mozilla employee. 
Dzmitry left Mozilla at the beginning of February 2022. This audit statement was collected by Jim Blandy, a Mozilla employee, over email in July 2022: Dzmitry was shown, and agreed to, the 'safe-to-deploy' text. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Jim Blandy " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.9.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Jim Blandy " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Nicolas Silva " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Nicolas Silva " criteria = "safe-to-deploy" delta = "0.11.0 -> 0.12.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Nicolas Silva " criteria = "safe-to-deploy" delta = "0.12.0 -> 0.13.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Nicolas Silva " criteria = "safe-to-deploy" delta = "0.13.0 -> 0.14.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.naga]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "0.14.0 -> 0.19.2" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.percent-encoding]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "2.2.0 -> 2.3.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" 
# Imported cargo-vet audit entries: records under `audits.mozilla.audits`
# followed by records under `audits.zcash.audits`. Each record is another
# organisation's statement about one crate: `who` made it, the `criteria`
# claimed, either a full `version` or a `delta` between two versions,
# optional `notes`, and the `aggregated-from` URL it was collected from.
#
# Reading notes for reviewers:
# - A `delta` record vouches only for the change between the two versions it
#   names. It supports the newer version only if the older one is itself
#   covered. Several chains below start at a version that has no record in
#   this part of the file, so the base has to be covered elsewhere
#   (confirm with `cargo vet`).
# - Every `aggregated-from` URL here names a moving ref (`tip`, `main` or
#   `master`), not a pinned revision, so the upstream text can change between
#   fetches. Read the diff of this file whenever the imports are refreshed.
# - NOTE(review): every `who` value in this copy ends in a trailing space; it
#   looks as if a bracketed contact address was dropped. Compare with the
#   upstream audits file before relying on these values.

[[audits.mozilla.audits.percent-encoding]]
who = "Valentin Gosu "
criteria = "safe-to-deploy"
delta = "2.3.0 -> 2.3.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.phf_generator]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.0 -> 0.11.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.phf_shared]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.10.0 -> 0.11.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.pin-project-lite]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The zcash import further down carries pkg-config 0.3.29 -> 0.3.30. The steps
# between 0.3.26 and 0.3.29 are not in this part of the file; presumably another
# source covers them. Verify before assuming the chain is complete.
[[audits.mozilla.audits.pkg-config]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.precomputed-hash]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "This is a trivial crate."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.rand_core]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.6.3 -> 0.6.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Full audit whose note states provenance (who wrote the crate) rather than
# describing what was reviewed.
[[audits.mozilla.audits.range-alloc]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "Dzmitry authored this crate while he was staff at Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.range-alloc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Filed under the mozilla import but collected from the glean repository
# rather than mozilla-central.
[[audits.mozilla.audits.redox_syscall]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
delta = "0.2.16 -> 0.3.5"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

[[audits.mozilla.audits.rustc-hash]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# The auditor's own note says the constant-time approach is known to be
# insufficient. Read `safe-to-deploy` here as a statement about the crate's
# code, not as a guarantee that callers get side-channel-free behaviour.
[[audits.mozilla.audits.subtle]]
who = "Simon Friedberger "
criteria = "safe-to-deploy"
version = "2.5.0"
notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.unicode-bidi]]
who = "Makoto Kato "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.13"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Per the note, the auditor is also the main author of the audited changes.
[[audits.mozilla.audits.unicode-bidi]]
who = "Jonathan Kew "
criteria = "safe-to-deploy"
delta = "0.3.13 -> 0.3.14"
notes = "I am the author of the bulk of the upstream changes in this version, and also checked the remaining post-0.3.13 changes."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.unicode-bidi]]
who = "Jonathan Kew "
criteria = "safe-to-deploy"
delta = "0.3.14 -> 0.3.15"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Collected from the glean repository, like redox_syscall above.
[[audits.mozilla.audits.unicode-linebreak]]
who = "Jan-Erik Rediger "
criteria = "safe-to-deploy"
version = "0.1.5"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

# Base of the wgpu-types chain. Per the note this is an attestation by the
# crate's author, collected over email by someone else after the author had
# left Mozilla. The deltas that follow run unbroken from 0.12.0 to 0.19.2.
[[audits.mozilla.audits.wgpu-types]]
who = "Dzmitry Malyshau "
criteria = "safe-to-deploy"
version = "0.12.0"
notes = """ This crate, up through the indicated version, was written or reviewed by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left Mozilla at the beginning of February 2022. This audit statement was collected by Jim Blandy, a Mozilla employee, over email in July 2022: Dzmitry was shown, and agreed to, the 'safe-to-deploy' text. """
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.wgpu-types]]
who = "Jim Blandy "
criteria = "safe-to-deploy"
delta = "0.12.0 -> 0.13.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# `who` names one person; the note credits four auditors.
[[audits.mozilla.audits.wgpu-types]]
who = "Jim Blandy "
criteria = "safe-to-deploy"
delta = "0.13.0 -> 0.14.0"
notes = "Audit by Erich Gubler, Jim Blandy, Nicolas Silva, and Teodor Tanasoaia."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
delta = "0.14.0 -> 0.15.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.16.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
delta = "0.16.0 -> 0.17.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.18.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Last step of the chain spans several releases in one delta (0.18.0 -> 0.19.2).
[[audits.mozilla.audits.wgpu-types]]
who = "Erich Gubler "
criteria = "safe-to-deploy"
delta = "0.18.0 -> 0.19.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# zcash import. Records come from two repositories: zcash/librustzcash (`main`)
# and zcash/zcash (`master`, under qa/).

[[audits.zcash.audits.autocfg]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.3.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# base64 deltas run 0.21.3 -> 0.21.7; no record in this part of the file covers
# 0.21.3 itself.
[[audits.zcash.audits.base64]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.21.3 -> 0.21.4"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.base64]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.21.4 -> 0.21.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.base64]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.21.5 -> 0.21.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Per the note this delta adds a guard against an unsoundness, which suggests
# releases before 0.10.4 lack it. Check which version the lockfile resolves to.
[[audits.zcash.audits.block-buffer]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.10.4"
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.3 -> 0.3.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.errno]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.futures]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
notes = "Only sub-crate updates and corresponding changes to tests."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.futures-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Per the note this delta removes a build script, so less code runs at build
# time after the update.
[[audits.zcash.audits.futures-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.futures-core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Same build-script removal as futures-channel 0.3.29 -> 0.3.30.
[[audits.zcash.audits.futures-core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.futures-executor]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.futures-io]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.http-body]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.memmap2]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.9.4"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# See the pkg-config record in the mozilla import above: 0.3.26 -> 0.3.29 has no
# record in this part of the file.
[[audits.zcash.audits.pkg-config]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Security caveat recorded by the auditor: the crate executes whatever `$RUSTC`
# points at. The `safe-to-deploy` claim rests on `cargo` setting that variable.
# A build where `$RUSTC` can be influenced from outside (for example through CI
# variables or a wrapper script) falls outside the assumption stated in the note.
[[audits.zcash.audits.rustc_version]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
version = "0.4.0"
notes = """ Most of the crate is code to parse and validate the output of `rustc -vV`.
The caller can choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will try `$RUSTC` followed by `rustc`. If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should be set correctly by `cargo`. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# semver deltas run unbroken from 1.0.17 to 1.0.23; no record in this part of
# the file covers 1.0.17 itself.
[[audits.zcash.audits.semver]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.17 -> 1.0.18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.semver]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.semver]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.19 -> 1.0.20"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zcash.audits.semver]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.0.20 -> 1.0.22"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The note records a `build.rs` change. Build scripts execute on the build
# host, so such changes deserve a read even in a small delta.
[[audits.zcash.audits.semver]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.22 -> 1.0.23"
notes = """ `build.rs` change is to enable checking for expected `#[cfg]` names if compiling with Rust 1.80 or later. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash.audits.tinyvec_macros]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
notes = "Adds `#![forbid(unsafe_code)]` and license files."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"