From 9ec465706a3a241ecf66f02a2af8b1df4510fd61 Mon Sep 17 00:00:00 2001
From: hdbg
Date: Mon, 16 Feb 2026 20:45:28 +0100
Subject: [PATCH] chore(supply-chain): update cargo-vet audits and trusted publishers
---
 .../arbiter-server/src/actors/keyholder.rs | 4 +-
 server/supply-chain/audits.toml | 47 ++
 server/supply-chain/config.toml | 71 +--
 server/supply-chain/imports.lock | 451 +++++++++++++++++-
 4 files changed, 501 insertions(+), 72 deletions(-)
diff --git a/server/crates/arbiter-server/src/actors/keyholder.rs b/server/crates/arbiter-server/src/actors/keyholder.rs
index 4cfe5d7..7ab4571 100644
--- a/server/crates/arbiter-server/src/actors/keyholder.rs
+++ b/server/crates/arbiter-server/src/actors/keyholder.rs
@@ -213,8 +213,8 @@ impl KeyHolder {
 let mut conn = self.db.get().await?;
 schema::root_key_history::table
 .filter(schema::root_key_history::id.eq(*root_key_history_id))
-.select((schema::root_key_history::data_encryption_nonce))
-.select((RootKeyHistory::as_select()))
+.select(schema::root_key_history::data_encryption_nonce )
+.select(RootKeyHistory::as_select() )
 .first(&mut conn)
 .await?
 };
diff --git a/server/supply-chain/audits.toml b/server/supply-chain/audits.toml
index f7e6d2e..677bc7d 100644
--- a/server/supply-chain/audits.toml
+++ b/server/supply-chain/audits.toml
@@ -1,6 +1,11 @@
 # cargo-vet audits file
 
+[[audits.similar]]
+who = "hdbg "
+criteria = "safe-to-deploy"
+version = "2.2.1"
+
 [[audits.test-log]]
 who = "hdbg "
 criteria = "safe-to-deploy"
@@ -11,6 +16,12 @@ who = "hdbg "
 criteria = "safe-to-deploy"
 delta = "0.2.18 -> 0.2.19"
 
+[[trusted.cc]]
+criteria = "safe-to-deploy"
+user-id = 55123 # rust-lang-owner
+start = "2022-10-29"
+end = "2027-02-16"
+
 [[trusted.h2]]
 criteria = "safe-to-deploy"
 user-id = 359 # Sean McArthur (seanmonstar)
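Review bot: The two chained `.select()` calls on the `+` lines leave the first one dead — as far as I can tell diesel's `select` replaces the previous select clause, so `data_encryption_nonce` never reaches the query and only `RootKeyHistory::as_select()` is used. Either drop the first call or fold the nonce into the single selection, e.g. `.select(RootKeyHistory::as_select())` alone if `RootKeyHistory` already carries that column. The trailing space before `)` on both new lines will not survive `cargo fmt`. This edit to the key-holder query is unrelated to the subject `chore(supply-chain): update cargo-vet audits and trusted publishers`; a separate commit, or at least a line in the message, keeps it from being missed when the supply-chain change is reviewed. The enclosing method of `impl KeyHolder` starts and ends outside the hunk.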
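Review bot: The new full audit `[[audits.similar]]` at `version = "2.2.1"` records no `notes`, so a later reader cannot tell what was actually checked before certifying `safe-to-deploy` (use of `unsafe`, filesystem or network access, build script). The existing `[[audits.test-log]]` entry has the same shape, so this may be house style, but a one-liner such as `notes = "<what was checked: unsafe, I/O, build script>"` makes the certification re-verifiable, which is the point of keeping first-party audits in this file.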
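Review bot: `[[trusted.cc]]` here and `[[trusted.libc]]` in the next hunk both trust crates.io user 55123 (`rust-lang-owner`) but with start dates two years apart, `2022-10-29` against `2024-08-15`, and nothing records why. Because `start` bounds which historical publishes are accepted without any audit, a comment on each entry stating where its date comes from (for instance the first publish by that account shown in `imports.lock`) would make the window checkable, and if there is no reason for the difference the two should be aligned. `cc` in particular runs as a build dependency, so its trust window is the one that deserves the tighter bound.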
@@ -29,6 +40,12 @@ user-id = 359 # Sean McArthur (seanmonstar)
 start = "2022-01-15"
 end = "2027-02-14"
 
+[[trusted.libc]]
+criteria = "safe-to-deploy"
+user-id = 55123 # rust-lang-owner
+start = "2024-08-15"
+end = "2027-02-16"
+
 [[trusted.rustix]]
 criteria = "safe-to-deploy"
 user-id = 6825 # Dan Gohman (sunfishcode)
@@ -46,3 +63,33 @@ criteria = "safe-to-deploy"
 user-id = 3618 # David Tolnay (dtolnay)
 start = "2019-03-01"
 end = "2027-02-14"
+
+[[trusted.thread_local]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-09-07"
+end = "2027-02-16"
+
+[[trusted.toml]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2022-12-14"
+end = "2027-02-16"
+
+[[trusted.toml_parser]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2025-07-08"
+end = "2027-02-16"
+
+[[trusted.tonic-build]]
+criteria = "safe-to-deploy"
+user-id = 10
+start = "2019-09-10"
+end = "2027-02-16"
+
+[[trusted.windows-sys]]
+criteria = "safe-to-deploy"
+user-id = 64539 # Kenny Kerr (kennykerr)
+start = "2021-11-15"
+end = "2027-02-16"
diff --git a/server/supply-chain/config.toml b/server/supply-chain/config.toml
index e4404b4..f60f5f6 100644
--- a/server/supply-chain/config.toml
+++ b/server/supply-chain/config.toml
@@ -13,6 +13,9 @@ url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
 [imports.mozilla]
 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
 
+[imports.zcash]
+url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
+
 [[exemptions.addr2line]]
 version = "0.25.1"
 criteria = "safe-to-deploy"
@@ -41,10 +44,6 @@ criteria = "safe-to-deploy"
 version = "0.1.89"
 criteria = "safe-to-deploy"
 
-[[exemptions.autocfg]]
-version = "1.5.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.aws-lc-rs]]
 version = "1.15.4"
 criteria = "safe-to-deploy"
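Review bot: `[[trusted.tonic-build]]` carries `user-id = 10` with no identifying comment, while every other `trusted.*` entry in this hunk and the rest of the file names the publisher (`# Ed Page (epage)`, `# Kenny Kerr (kennykerr)`), so a reviewer cannot tell whose account is being trusted until `2027-02-16` without querying crates.io. Add it the same way, `user-id = 10 # <publisher name (login)>`, taking the name from the `[[publisher.tonic-build]]` record that `cargo vet` writes to `imports.lock` if one is present. Note also that `thread_local` moves from a `safe-to-run` exemption (removed later in this patch) to a `safe-to-deploy` trust entry, which is a step up in criteria granted on publisher trust alone; if that is intended, a word in the commit message would help.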
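Review bot: `[imports.zcash]` is added without a comment on what it is relied on for or why its auditors are accepted at `safe-to-deploy`; cargo-vet takes imported audits at face value, and the zcash file is itself an aggregate of several repositories (`zcash/zcash`, `zcash/librustzcash`, `zcash/wallet`, per the `aggregated-from` lines later in this patch). A short comment next to the `url` line, e.g. `# zcash ecosystem audits (aggregate of several zcash repos); used for errno, strum, rustversion, zeroize`, records the decision for the next person who has to judge it. Tracking `main` matches the two existing imports and is acceptable because `imports.lock` pins the entries actually used.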
@@ -193,10 +192,6 @@ criteria = "safe-to-deploy"
 version = "0.2.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.dunce]]
-version = "1.0.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.dyn-clone]]
 version = "1.0.20"
 criteria = "safe-to-deploy"
@@ -209,10 +204,6 @@ criteria = "safe-to-deploy"
 version = "3.0.0-pre.6"
 criteria = "safe-to-deploy"
 
-[[exemptions.errno]]
-version = "0.3.14"
-criteria = "safe-to-deploy"
-
 [[exemptions.fiat-crypto]]
 version = "0.3.0"
 criteria = "safe-to-deploy"
@@ -261,10 +252,6 @@ criteria = "safe-to-deploy"
 version = "1.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.http-body]]
-version = "1.0.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.http-body-util]]
 version = "0.1.3"
 criteria = "safe-to-deploy"
@@ -329,10 +316,6 @@ criteria = "safe-to-deploy"
 version = "0.19.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.libc]]
-version = "0.2.181"
-criteria = "safe-to-deploy"
-
 [[exemptions.libsqlite3-sys]]
 version = "0.35.0"
 criteria = "safe-to-deploy"
@@ -525,10 +508,6 @@ criteria = "safe-to-deploy"
 version = "0.1.27"
 criteria = "safe-to-deploy"
 
-[[exemptions.rustc_version]]
-version = "0.4.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.rusticata-macros]]
 version = "4.1.0"
 criteria = "safe-to-deploy"
@@ -545,10 +524,6 @@ criteria = "safe-to-deploy"
 version = "0.103.9"
 criteria = "safe-to-deploy"
 
-[[exemptions.rustversion]]
-version = "1.0.22"
-criteria = "safe-to-deploy"
-
 [[exemptions.scoped-futures]]
 version = "0.1.4"
 criteria = "safe-to-deploy"
@@ -653,10 +628,6 @@ criteria = "safe-to-deploy"
 version = "2.0.18"
 criteria = "safe-to-deploy"
 
-[[exemptions.thread_local]]
-version = "1.1.9"
-criteria = "safe-to-run"
-
 [[exemptions.time]]
 version = "0.3.47"
 criteria = "safe-to-deploy"
@@ -689,14 +660,6 @@ criteria = "safe-to-deploy"
 version = "0.7.18"
 criteria = "safe-to-deploy"
 
-[[exemptions.toml]]
-version = "0.9.11+spec-1.1.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.toml_parser]]
-version = "1.0.6+spec-1.1.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.tonic]]
 version = "0.14.3"
 criteria = "safe-to-deploy"
@@ -741,10 +704,6 @@ criteria = "safe-to-deploy"
 version = "0.3.22"
 criteria = "safe-to-run"
 
-[[exemptions.try-lock]]
-version = "0.2.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.typenum]]
 version = "1.19.0"
 criteria = "safe-to-deploy"
@@ -769,10 +728,6 @@ criteria = "safe-to-deploy"
 version = "1.20.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.want]]
-version = "0.3.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.wasi]]
 version = "0.11.1+wasi-snapshot-preview1"
 criteria = "safe-to-deploy"
@@ -817,10 +772,6 @@ criteria = "safe-to-deploy"
 version = "0.59.3"
 criteria = "safe-to-deploy"
 
-[[exemptions.windows-link]]
-version = "0.2.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.windows-result]]
 version = "0.4.1"
 criteria = "safe-to-deploy"
@@ -829,18 +780,6 @@ criteria = "safe-to-deploy"
 version = "0.5.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.windows-sys]]
-version = "0.52.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.windows-sys]]
-version = "0.60.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.windows-sys]]
-version = "0.61.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.windows-targets]]
 version = "0.52.6"
 criteria = "safe-to-deploy"
@@ -925,10 +864,6 @@ criteria = "safe-to-deploy"
 version = "0.5.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.zeroize]]
-version = "1.8.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.zmij]]
 version = "1.0.20"
 criteria = "safe-to-deploy"
diff --git a/server/supply-chain/imports.lock b/server/supply-chain/imports.lock
index a35eb4b..0692e20 100644
--- a/server/supply-chain/imports.lock
+++ b/server/supply-chain/imports.lock
@@ -41,6 +41,12 @@ user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" +[[publisher.libc]] +version = "0.2.182" +when = "2026-02-13" +user-id = 55123 +user-login = "rust-lang-owner" + [[publisher.rustix]] version = "1.1.3" when = "2025-12-23" @@ -63,12 +69,33 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.syn]] -version = "2.0.114" -when = "2026-01-07" +version = "2.0.115" +when = "2026-02-12" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[publisher.thread_local]] +version = "1.1.9" +when = "2025-06-12" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.toml]] +version = "0.9.12+spec-1.1.0" +when = "2026-02-10" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + +[[publisher.toml_parser]] +version = "1.0.8+spec-1.1.0" +when = "2026-02-12" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + [[publisher.unicode-width]] version = "0.1.14" when = "2024-09-19" @@ -120,6 +147,34 @@ version = "0.244.0" when = "2026-01-06" trusted-publisher = "github:bytecodealliance/wasm-tools" +[[publisher.windows-sys]] +version = "0.52.0" +when = "2023-11-15" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows-sys]] +version = "0.59.0" +when = "2024-07-30" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows-sys]] +version = "0.60.2" +when = "2025-06-12" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows-sys]] +version = "0.61.2" +when = "2025-10-06" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + [[publisher.wit-bindgen]] version = "0.51.0" when = "2026-01-12" 
@@ -265,6 +320,12 @@ criteria = "safe-to-deploy" version = "1.1.2" notes = "Contains `unsafe` code but it's well-documented and scoped to what it's intended to be doing. Otherwise a well-focused and straightforward crate." +[[audits.bytecode-alliance.audits.cipher]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.4.4" +notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads." + [[audits.bytecode-alliance.audits.core-foundation-sys]] who = "Dan Gohman " criteria = "safe-to-deploy" @@ -279,6 +340,23 @@ who = "Nick Fitzgerald " criteria = "safe-to-deploy" delta = "0.2.4 -> 0.2.5" +[[audits.bytecode-alliance.audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.3.0" +notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value." + +[[audits.bytecode-alliance.audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +notes = "Just a dependency version bump and a bug fix for redox" + +[[audits.bytecode-alliance.audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.3.9 -> 0.3.10" + [[audits.bytecode-alliance.audits.fastrand]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -385,11 +463,28 @@ criteria = "safe-to-deploy" delta = "0.4.1 -> 0.5.0" notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected." +[[audits.bytecode-alliance.audits.http-body]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "1.0.0-rc.2" + +[[audits.bytecode-alliance.audits.http-body]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.0.0-rc.2 -> 1.0.0" +notes = "Only minor changes made for a stable release." + [[audits.bytecode-alliance.audits.iana-time-zone-haiku]] who = "Dan Gohman " criteria = "safe-to-deploy" version = "0.1.2" +[[audits.bytecode-alliance.audits.inout]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads." + [[audits.bytecode-alliance.audits.leb128fmt]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -443,6 +538,24 @@ criteria = "safe-to-deploy" delta = "0.8.5 -> 0.8.9" notes = "No new unsafe code, just refactorings." +[[audits.bytecode-alliance.audits.nu-ansi-term]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.46.0" +notes = "one use of unsafe to call windows specific api to get console handle." + +[[audits.bytecode-alliance.audits.nu-ansi-term]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.46.0 -> 0.50.1" +notes = "Lots of stylistic/rust-related chanegs, plus new features, but nothing out of the ordrinary." + +[[audits.bytecode-alliance.audits.nu-ansi-term]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.50.1 -> 0.50.3" +notes = "CI changes, Rust changes, nothing out of the ordinary." + [[audits.bytecode-alliance.audits.num-traits]] who = "Andrew Brown " criteria = "safe-to-deploy" 
@@ -537,12 +650,38 @@ criteria = "safe-to-run" delta = "0.2.16 -> 0.2.18" notes = "Standard macro changes, nothing out of place" +[[audits.bytecode-alliance.audits.tracing-log]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +This is a standard adapter between the `log` ecosystem and the `tracing` +ecosystem. There's one `unsafe` block in this crate and it's well-scoped. +""" + +[[audits.bytecode-alliance.audits.tracing-log]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.2.0" +notes = "Nothing out of the ordinary, a typical major version update and nothing awry." + +[[audits.bytecode-alliance.audits.try-lock]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.4" +notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" + [[audits.bytecode-alliance.audits.vcpkg]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.2.15" notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." +[[audits.bytecode-alliance.audits.want]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.0" + [[audits.bytecode-alliance.audits.wasm-metadata]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -591,6 +730,13 @@ criteria = "safe-to-deploy" delta = "0.243.0 -> 0.244.0" notes = "The Bytecode Alliance is the author of this crate" +[[audits.google.audits.autocfg]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "Contains no unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.base64]] who = "amarjotgill " criteria = "safe-to-deploy" 
@@ -719,6 +865,89 @@ delta = "0.2.9 -> 0.2.13" notes = "Audited at https://fxrev.dev/946396" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.proc-macro-error-attr]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rand_core]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.6.4" +notes = """ +For more detailed unsafe review notes please see https://crrev.com/c/6362797 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.14" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits except for: + +* Using trivially-safe `unsafe` in test code: + + ``` + tests/test_const.rs:unsafe fn _unsafe() {} + tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() }; + ``` + +* Using `unsafe` in a string: + + ``` + src/constfn.rs: "unsafe" => Qualifiers::Unsafe, + ``` + +* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` + which is later read back via `include!` used in `src/lib.rs`. 
+ +Version `1.0.6` of this crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.14 -> 1.0.15" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.15 -> 1.0.16" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.16 -> 1.0.17" +notes = "Just updates windows compat" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.17 -> 1.0.18" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.18 -> 1.0.19" +notes = "No unsafe, just doc changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.0.19 -> 1.0.20" +notes = "Only minor updates to documentation and the mock today used for testing." 
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.smallvec]] who = "Manish Goregaokar " criteria = "safe-to-deploy" @@ -736,6 +965,28 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.strum]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strum_macros]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.3" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.mozilla.wildcard-audits.core-foundation-sys]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -812,6 +1063,12 @@ criteria = "safe-to-deploy" delta = "0.2.3 -> 0.2.4" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.errno]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.3.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.fastrand]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -929,6 +1186,16 @@ yet, but it's all valid. Otherwise it's a pretty simple crate. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.rustc_version]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "0.4.0" +notes = """ +Use of powerful capabilities is limited to invoking `rustc -vV` to get version +information for parsing version information. +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + [[audits.mozilla.audits.serde_spanned]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" @@ -955,6 +1222,12 @@ criteria = "safe-to-deploy" delta = "1.1.0 -> 1.3.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.similar]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "2.2.1 -> 2.7.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + [[audits.mozilla.audits.smallvec]] who = "Erich Gubler " criteria = "safe-to-deploy" 
@@ -967,6 +1240,30 @@ criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.strum]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.26.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strum]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.26.3 -> 0.27.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strum_macros]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.3 -> 0.26.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strum_macros]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.26.4 -> 0.27.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " criteria = "safe-to-deploy" 
@@ -1038,3 +1335,153 @@ who = "Jan-Erik Rediger " criteria = "safe-to-deploy" version = "0.1.5" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.windows-link]] +who = "Mark Hammond " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "A microsoft crate allowing unsafe calls to windows apis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.windows-link]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zeroize]] +who = "Benjamin Beurdouche " +criteria = "safe-to-deploy" +version = "1.8.1" +notes = """ +This code DOES contain unsafe code required to internally call volatiles +for deleting data. This is expected and documented behavior. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.zcash.audits.autocfg]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" +notes = "Filesystem change is to remove the generated LLVM IR output file after probing." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.dunce]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +version = "1.0.5" +notes = """ +Does what it says on the tin. No `unsafe`, and the only IO is `std::fs::canonicalize`. +Path and string handling looks plausibly correct. 
+""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.3 -> 0.3.8" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.9" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.10 -> 0.3.11" +notes = "The `__errno` location for vxworks and cygwin looks correct from a quick search." +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.11 -> 0.3.13" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.13 -> 0.3.14" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.http-body]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 1.0.1" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.inout]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.rustc_version]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.1" +notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." 
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.rustversion]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.20 -> 1.0.21" +notes = "Build script change is to fix building with `-Zfmt-debug=none`." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.rustversion]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.21 -> 1.0.22" +notes = "Changes to generated code are to prepend a clippy annotation." +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.strum]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.27.1 -> 0.27.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.strum_macros]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.27.1 -> 0.27.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.try-lock]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" +notes = "Bumps MSRV to remove unsafe code block." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.want]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +notes = """ +Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked +`unsafe` (but that were being used safely). +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.windows-link]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.1" +notes = "No code changes at all." 
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.zeroize]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.8.2" +notes = """ +Changes to `unsafe` code are to alter how `core::mem::size_of` is named; no actual changes +to the `unsafe` logic. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"