# cargo-vet imports lock [[publisher.anyhow]] version = "1.0.83" when = "2024-05-06" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.arbitrary]] version = "1.3.2" when = "2023-10-30" user-id = 696 user-login = "fitzgen" user-name = "Nick Fitzgerald" [[publisher.async-trait]] version = "0.1.80" when = "2024-04-11" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.bumpalo]] version = "3.16.0" when = "2024-04-08" user-id = 696 user-login = "fitzgen" user-name = "Nick Fitzgerald" [[publisher.core-foundation]] version = "0.9.3" when = "2022-02-07" user-id = 5946 user-login = "jrmuizel" user-name = "Jeff Muizelaar" [[publisher.core-foundation-sys]] version = "0.8.4" when = "2023-04-03" user-id = 5946 user-login = "jrmuizel" user-name = "Jeff Muizelaar" [[publisher.h2]] version = "0.4.4" when = "2024-04-03" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.headers]] version = "0.4.0" when = "2023-11-24" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.headers-core]] version = "0.3.0" when = "2023-11-24" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.http]] version = "1.1.0" when = "2024-03-04" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.http-body-util]] version = "0.1.1" when = "2024-03-11" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.httparse]] version = "1.8.0" when = "2022-08-30" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.hyper]] version = "1.3.1" when = "2024-04-16" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.hyper-util]] version = "0.1.3" when = "2024-01-31" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.mime]] version = "0.3.17" when = "2023-03-20" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.num_cpus]] version = "1.16.0" when = "2023-06-29" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.paste]] version = "1.0.15" when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.proc-macro2]] version = "1.0.82" when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.rustversion]] version = "1.0.16" when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.ryu]] version = "1.0.18" when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde]] version = "1.0.201" when = "2024-05-08" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_derive]] version = "1.0.201" when = "2024-05-08" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_json]] version = "1.0.117" when = "2024-05-08" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.slab]] version = "0.4.9" when = "2023-08-22" user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" [[publisher.syn]] version = "2.0.63" when = "2024-05-11" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.thiserror]] version = "1.0.60" when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.thiserror-impl]] version = "1.0.60" when = "2024-05-07" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.tokio-test]] version = "0.4.4" when = "2024-03-14" user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" [[publisher.try-lock]] version = "0.2.5" when = "2023-12-07" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.trybuild]] version = "1.0.95" when = "2024-05-09" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.unicase]] version = "2.7.0" when = "2023-08-21" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.unicode-normalization]] version = "0.1.23" when = "2024-02-20" user-id = 1139 user-login = "Manishearth" user-name = "Manish Goregaokar" [[publisher.venndb]] version = "0.4.0" when = "2024-04-18" user-id = 1144 user-login = "GlenDC" user-name = "Glen De Cauwsemaecker" [[publisher.want]] version = "0.3.1" when = "2023-06-14" user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.windows-core]] version = "0.54.0" when = "2024-02-27" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows-result]] version = "0.1.1" when = "2024-04-12" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows-targets]] version = "0.48.5" when = "2023-08-18" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows-targets]] version = "0.52.5" when = "2024-04-12" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_aarch64_gnullvm]] version = "0.48.5" when = "2023-08-18" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_aarch64_gnullvm]] version = "0.52.5" when = "2024-04-12" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_i686_gnullvm]] version = "0.52.5" when = "2024-04-12" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_x86_64_gnullvm]] version = "0.48.5" when = "2023-08-18" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_x86_64_gnullvm]] version = "0.52.5" when = "2024-04-12" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[audits.bytecode-alliance.wildcard-audits.arbitrary]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" user-id = 696 # Nick Fitzgerald (fitzgen) start = "2020-01-14" end = "2024-04-21" notes = "I am an author of this crate." [[audits.bytecode-alliance.audits.adler]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.0.2" notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." [[audits.bytecode-alliance.audits.core-foundation-sys]] who = "Dan Gohman " criteria = "safe-to-deploy" delta = "0.8.4 -> 0.8.6" notes = """ The changes here are all typical bindings updates: new functions, types, and constants. I have not audited all the bindings for ABI conformance. """ [[audits.bytecode-alliance.audits.crypto-common]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" version = "0.1.3" [[audits.bytecode-alliance.audits.http-body]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "1.0.0-rc.2" [[audits.bytecode-alliance.audits.http-body]] who = "Alex Crichton " criteria = "safe-to-deploy" delta = "1.0.0-rc.2 -> 1.0.0" notes = "Only minor changes made for a stable release." [[audits.bytecode-alliance.audits.itertools]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" delta = "0.10.5 -> 0.12.1" notes = """ Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it says on the tin: lots of iterators. """ [[audits.bytecode-alliance.audits.matchers]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" [[audits.bytecode-alliance.audits.nu-ansi-term]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.46.0" notes = "one use of unsafe to call windows specific api to get console handle." [[audits.bytecode-alliance.audits.openssl-probe]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.5" notes = "IO is only checking for the existence of paths in the filesystem" [[audits.bytecode-alliance.audits.overload]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.1" notes = "small crate, only defines macro-rules!, nicely documented as well" [[audits.bytecode-alliance.audits.percent-encoding]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "2.2.0" notes = """ This crate is a single-file crate that does what it says on the tin. There are a few `unsafe` blocks related to utf-8 validation which are locally verifiable as correct and otherwise this crate is good to go. """ [[audits.bytecode-alliance.audits.pin-utils]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" [[audits.embark-studios.audits.tap]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.1" notes = "No unsafe usage or ambient capabilities" [[audits.embark-studios.audits.valuable]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.1.0" notes = "No unsafe usage or ambient capabilities, sane build script" [audits.fermyon.audits] [[audits.google.audits.async-stream]] who = "George Burgess IV " criteria = "safe-to-run" version = "0.3.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.async-stream]] who = "George Burgess IV " criteria = "safe-to-run" delta = "0.3.4 -> 0.3.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.async-stream-impl]] who = "George Burgess IV " criteria = "safe-to-run" version = "0.3.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.async-stream-impl]] who = "George Burgess IV " criteria = "safe-to-run" delta = "0.3.4 -> 0.3.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "2.4.2" notes = """ Audit notes: * I've checked for any discussion in Google-internal cl/546819168 (where audit of version 2.3.3 happened) * `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` * There are 2 cases of `unsafe` in `src/external.rs` but they seem to be correct in a straightforward way - they just propagate the marker trait's impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type * Additional discussion and/or notes may be found in https://crrev.com/c/5238056 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.bitflags]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "2.4.2 -> 2.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.cfg-if]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.clap]] who = "Ying Hsu " criteria = "safe-to-run" version = "4.5.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.clap_builder]] who = "Ying Hsu " criteria = "safe-to-run" version = "4.5.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.clap_lex]] who = "Ying Hsu " criteria = "safe-to-run" version = "0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.either]] who = "agl@chromium.org" criteria = "safe-to-run" version = "1.9.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.either]] who = "Lukasz Anforowicz " criteria = "safe-to-run" delta = "1.9.0 -> 1.10.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.either]] who = "Adrian Taylor " criteria = "safe-to-run" delta = "1.10.0 -> 1.11.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.equivalent]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.glob]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.httpdate]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.itertools]] who = "ChromeOS" criteria = "safe-to-run" version = "0.10.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.itoa]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.10" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are a few places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5350697. Version 1.0.1 of this crate has been added to Chromium in https://crrev.com/c/3321896. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.itoa]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" delta = "1.0.10 -> 1.0.11" notes = """ Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: * Bumping up the version * A touch up of comments * And my own PR to make `unsafe` blocks more granular: https://github.com/dtolnay/itoa/pull/42 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.lazy_static]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.4.0" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are two places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5347418. This crate has been added to Chromium in https://crrev.com/c/3321895. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.linux-raw-sys]] who = "Ying Hsu " criteria = "safe-to-run" version = "0.4.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.quote]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.35" notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for benign \"net\" hit in tests and \"fs\" hit in README.md) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.quote]] who = "Adrian Taylor " criteria = "safe-to-deploy" delta = "1.0.35 -> 1.0.36" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.tempfile]] who = "Ying Hsu " criteria = "safe-to-run" version = "3.10.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.termcolor]] who = "danakj@chromium.org" criteria = "safe-to-run" version = "1.4.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.termcolor]] who = "Lukasz Anforowicz " criteria = "safe-to-run" delta = "1.4.0 -> 1.4.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.tinyvec]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.6.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for some \"unsafe\" appearing in comments: ``` src/arrayvec.rs: // Note: This shouldn't use A::CAPACITY, because unsafe code can't rely on src/lib.rs://! All of this is done with no `unsafe` code within the crate. Technically the src/lib.rs://! `Vec` type from the standard library uses `unsafe` internally, but *this src/lib.rs://! crate* introduces no new `unsafe` code into your project. src/array.rs:/// Just a reminder: this trait is 100% safe, which means that `unsafe` code ``` This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/24773c33e1b7a1b5069b9399fd034375995f290b """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.unicode-ident]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.0.12" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. All two functions from the public API of this crate use `unsafe` to avoid bound checks for an array access. Cross-module analysis shows that the offsets can be statically proven to be within array bounds. More details can be found in the unsafe review CL at https://crrev.com/c/5350386. This crate has been added to Chromium in https://crrev.com/c/3891618. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.9.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mozilla.wildcard-audits.core-foundation]] who = "Bobby Holley " criteria = "safe-to-deploy" user-id = 5946 # Jeff Muizelaar (jrmuizel) start = "2019-03-29" end = "2023-05-04" renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.wildcard-audits.core-foundation-sys]] who = "Bobby Holley " criteria = "safe-to-deploy" user-id = 5946 # Jeff Muizelaar (jrmuizel) start = "2020-10-14" end = "2023-05-04" renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.wildcard-audits.unicode-normalization]] who = "Manish Goregaokar " criteria = "safe-to-deploy" user-id = 1139 # Manish Goregaokar (Manishearth) start = "2019-11-06" end = "2024-05-03" notes = "All code written or reviewed by Manish" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.core-foundation]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.9.3 -> 0.9.4" notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.crypto-common]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.form_urlencoded]] who = "Valentin Gosu " criteria = "safe-to-deploy" version = "1.2.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.form_urlencoded]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "1.2.0 -> 1.2.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.percent-encoding]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "2.2.0 -> 2.3.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.percent-encoding]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "2.3.0 -> 2.3.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.subtle]] who = "Simon Friedberger " criteria = "safe-to-deploy" version = "2.5.0" notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"