From 9f33277a4ff703e2c7d9dddea35950505de046bf Mon Sep 17 00:00:00 2001
From: hdbg
Date: Sat, 14 Feb 2026 18:54:09 +0100
Subject: [PATCH] security(server): `cargo-vet` proper init
---
.woodpecker/server-vet.yaml | 26 +
server/supply-chain/audits.toml | 48 ++
server/supply-chain/config.toml | 946 +++++++++++++++++++++++++++
server/supply-chain/imports.lock | 1040 ++++++++++++++++++++++++++++++
4 files changed, 2060 insertions(+)
create mode 100644 .woodpecker/server-vet.yaml
create mode 100644 server/supply-chain/audits.toml
create mode 100644 server/supply-chain/config.toml
create mode 100644 server/supply-chain/imports.lock
diff --git a/.woodpecker/server-vet.yaml b/.woodpecker/server-vet.yaml
new file mode 100644
index 0000000..8730537
--- /dev/null
+++ b/.woodpecker/server-vet.yaml
@@ -0,0 +1,26 @@
+when:
+ - event: pull_request
+ path:
+ include: ['.woodpecker/server-*.yaml', 'server/**']
+ - event: push
+ branch: main
+ path:
+ include: ['.woodpecker/server-*.yaml', 'server/**']
+
+steps:
+ - name: test
+ image: jdxcode/mise:latest
+ directory: server
+ environment:
+ CARGO_TERM_COLOR: always
+ CARGO_TARGET_DIR: /usr/local/cargo/target
+ CARGO_HOME: /usr/local/cargo/registry
+ volumes:
+ - cargo-target:/usr/local/cargo/target
+ - cargo-registry:/usr/local/cargo/registry
+ commands:
+ - apt-get update && apt-get install -y pkg-config
+ # Install only the necessary Rust toolchain and test runner to speed up the CI
+ - mise install rust
+ - mise install cargo:cargo-vet
+ - mise exec cargo:cargo-vet -- cargo vet
\ No newline at end of file
diff --git a/server/supply-chain/audits.toml b/server/supply-chain/audits.toml
new file mode 100644
index 0000000..f7e6d2e
--- /dev/null
+++ b/server/supply-chain/audits.toml
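Review bot: In `.woodpecker/server-vet.yaml` the job that enforces the supply-chain policy runs on the mutable tag `image: jdxcode/mise:latest` and installs `rust` and `cargo:cargo-vet` without versions, so the checker itself is unpinned; pin the image by digest (`image: jdxcode/mise@sha256:<digest>`, placeholder) and give mise explicit versions (`mise install cargo:cargo-vet@<version>`). The last command should be `cargo vet --locked`, so that CI evaluates the committed `imports.lock` rather than whatever the three imported audit feeds serve at build time. The `cargo-target` and `cargo-registry` volumes are mounted for both `pull_request` and `push` events, so a pull-request run may be able to leave content in a cache that a later `main` run reads; whether that holds depends on how the volumes are provisioned, which this hunk does not show. The step name `test` and the "test runner" comment look carried over from another pipeline; `name: vet` would describe the step.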
@@ -0,0 +1,48 @@
+
+# cargo-vet audits file
+
+[[audits.test-log]]
+who = "hdbg "
+criteria = "safe-to-deploy"
+delta = "0.2.18 -> 0.2.19"
+
+[[audits.test-log-macros]]
+who = "hdbg "
+criteria = "safe-to-deploy"
+delta = "0.2.18 -> 0.2.19"
+
+[[trusted.h2]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-03-13"
+end = "2027-02-14"
+
+[[trusted.hashbrown]]
+criteria = "safe-to-deploy"
+user-id = 55123 # rust-lang-owner
+start = "2025-04-30"
+end = "2027-02-14"
+
+[[trusted.hyper-util]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2022-01-15"
+end = "2027-02-14"
+
+[[trusted.rustix]]
+criteria = "safe-to-deploy"
+user-id = 6825 # Dan Gohman (sunfishcode)
+start = "2021-10-29"
+end = "2027-02-14"
+
+[[trusted.serde_json]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-02-28"
+end = "2027-02-14"
+
+[[trusted.syn]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2027-02-14"
diff --git a/server/supply-chain/config.toml b/server/supply-chain/config.toml
new file mode 100644
index 0000000..e4404b4
--- /dev/null
+++ b/server/supply-chain/config.toml
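Review bot: The six `[[trusted.*]]` entries in `audits.toml` accept every release that the named crates.io account publishes between `start` and `end = "2027-02-14"` as `safe-to-deploy` with no per-release review, and none records why that publisher is trusted. Add a `notes` line to each, e.g. `notes = "<reason this publisher is trusted for this crate>"`, so the decision can be re-examined when the window is extended. The `hashbrown` entry trusts `rust-lang-owner`, which by its name looks like a shared organisation account rather than an individual, so who can publish under it deserves its own sentence. The two delta audits for `test-log` and `test-log-macros` (`0.2.18 -> 0.2.19`) likewise have no `notes` saying what was read, and they only certify 0.2.19 if 0.2.18 is covered by an audit or exemption elsewhere, which this hunk does not show.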
@@ -0,0 +1,946 @@ + +# cargo-vet config file + +[cargo-vet] +version = "0.10" + +[imports.bytecode-alliance] +url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[imports.google] +url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" + +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + +[[exemptions.addr2line]] +version = "0.25.1" +criteria = "safe-to-deploy" + +[[exemptions.aho-corasick]] +version = "1.1.4" +criteria = "safe-to-deploy" + +[[exemptions.anyhow]] +version = "1.0.101" +criteria = "safe-to-deploy" + +[[exemptions.asn1-rs]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.asn1-rs-derive]] +version = "0.6.0" +criteria = "safe-to-deploy" + +[[exemptions.asn1-rs-impl]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.async-trait]] +version = "0.1.89" +criteria = "safe-to-deploy" + +[[exemptions.autocfg]] +version = "1.5.0" +criteria = "safe-to-deploy" + +[[exemptions.aws-lc-rs]] +version = "1.15.4" +criteria = "safe-to-deploy" + +[[exemptions.aws-lc-sys]] +version = "0.37.0" +criteria = "safe-to-deploy" + +[[exemptions.axum]] +version = "0.8.8" +criteria = "safe-to-deploy" + +[[exemptions.axum-core]] +version = "0.5.6" +criteria = "safe-to-deploy" + +[[exemptions.backtrace]] +version = "0.3.76" +criteria = "safe-to-deploy" + +[[exemptions.backtrace-ext]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.bb8]] +version = "0.9.1" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "2.10.0" +criteria = "safe-to-deploy" + +[[exemptions.block-buffer]] +version = "0.11.0" +criteria = "safe-to-deploy" + +[[exemptions.bytes]] +version = "1.11.1" +criteria = "safe-to-deploy" + +[[exemptions.cc]] +version = "1.2.55" +criteria = "safe-to-deploy" + +[[exemptions.cfg-if]] +version = "1.0.4" +criteria = "safe-to-deploy" + +[[exemptions.chacha20]] +version = "0.10.0" +criteria = 
"safe-to-deploy" + +[[exemptions.chrono]] +version = "0.4.43" +criteria = "safe-to-deploy" + +[[exemptions.cmake]] +version = "0.1.57" +criteria = "safe-to-deploy" + +[[exemptions.cpufeatures]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.cpufeatures]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.crc32fast]] +version = "1.5.0" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-utils]] +version = "0.8.21" +criteria = "safe-to-deploy" + +[[exemptions.crypto-common]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.curve25519-dalek]] +version = "5.0.0-pre.6" +criteria = "safe-to-deploy" + +[[exemptions.curve25519-dalek-derive]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.darling]] +version = "0.21.3" +criteria = "safe-to-deploy" + +[[exemptions.darling_core]] +version = "0.21.3" +criteria = "safe-to-deploy" + +[[exemptions.darling_macro]] +version = "0.21.3" +criteria = "safe-to-deploy" + +[[exemptions.dashmap]] +version = "6.1.0" +criteria = "safe-to-deploy" + +[[exemptions.data-encoding]] +version = "2.10.0" +criteria = "safe-to-deploy" + +[[exemptions.der-parser]] +version = "10.0.0" +criteria = "safe-to-deploy" + +[[exemptions.deranged]] +version = "0.5.5" +criteria = "safe-to-deploy" + +[[exemptions.diesel]] +version = "2.3.6" +criteria = "safe-to-deploy" + +[[exemptions.diesel-async]] +version = "0.7.4" +criteria = "safe-to-deploy" + +[[exemptions.diesel_derives]] +version = "2.3.7" +criteria = "safe-to-deploy" + +[[exemptions.diesel_migrations]] +version = "2.3.1" +criteria = "safe-to-deploy" + +[[exemptions.diesel_table_macro_syntax]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.digest]] +version = "0.11.0-rc.11" +criteria = "safe-to-deploy" + +[[exemptions.downcast-rs]] +version = "2.0.2" +criteria = "safe-to-deploy" + +[[exemptions.dsl_auto_type]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.dunce]] +version = "1.0.5" +criteria = 
"safe-to-deploy" + +[[exemptions.dyn-clone]] +version = "1.0.20" +criteria = "safe-to-deploy" + +[[exemptions.ed25519]] +version = "3.0.0-rc.4" +criteria = "safe-to-deploy" + +[[exemptions.ed25519-dalek]] +version = "3.0.0-pre.6" +criteria = "safe-to-deploy" + +[[exemptions.errno]] +version = "0.3.14" +criteria = "safe-to-deploy" + +[[exemptions.fiat-crypto]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.find-msvc-tools]] +version = "0.1.9" +criteria = "safe-to-deploy" + +[[exemptions.fixedbitset]] +version = "0.5.7" +criteria = "safe-to-deploy" + +[[exemptions.flate2]] +version = "1.1.9" +criteria = "safe-to-deploy" + +[[exemptions.fs_extra]] +version = "1.3.0" +criteria = "safe-to-deploy" + +[[exemptions.futures-task]] +version = "0.3.31" +criteria = "safe-to-deploy" + +[[exemptions.futures-util]] +version = "0.3.31" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.3.4" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.hashbrown]] +version = "0.14.5" +criteria = "safe-to-deploy" + +[[exemptions.http]] +version = "1.4.0" +criteria = "safe-to-deploy" + +[[exemptions.http-body]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.http-body-util]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.httparse]] +version = "1.10.1" +criteria = "safe-to-deploy" + +[[exemptions.hybrid-array]] +version = "0.4.7" +criteria = "safe-to-deploy" + +[[exemptions.hyper]] +version = "1.8.1" +criteria = "safe-to-deploy" + +[[exemptions.hyper-timeout]] +version = "0.5.2" +criteria = "safe-to-deploy" + +[[exemptions.iana-time-zone]] +version = "0.1.65" +criteria = "safe-to-deploy" + +[[exemptions.id-arena]] +version = "2.3.0" +criteria = "safe-to-deploy" + +[[exemptions.ident_case]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.indexmap]] +version = "2.13.0" 
+criteria = "safe-to-deploy" + +[[exemptions.is_ci]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.itertools]] +version = "0.14.0" +criteria = "safe-to-deploy" + +[[exemptions.itoa]] +version = "1.0.17" +criteria = "safe-to-deploy" + +[[exemptions.jobserver]] +version = "0.1.34" +criteria = "safe-to-deploy" + +[[exemptions.js-sys]] +version = "0.3.85" +criteria = "safe-to-deploy" + +[[exemptions.kameo]] +version = "0.19.2" +criteria = "safe-to-deploy" + +[[exemptions.kameo_macros]] +version = "0.19.0" +criteria = "safe-to-deploy" + +[[exemptions.libc]] +version = "0.2.181" +criteria = "safe-to-deploy" + +[[exemptions.libsqlite3-sys]] +version = "0.35.0" +criteria = "safe-to-deploy" + +[[exemptions.linux-raw-sys]] +version = "0.11.0" +criteria = "safe-to-deploy" + +[[exemptions.lock_api]] +version = "0.4.14" +criteria = "safe-to-deploy" + +[[exemptions.log]] +version = "0.4.29" +criteria = "safe-to-deploy" + +[[exemptions.matchit]] +version = "0.8.4" +criteria = "safe-to-deploy" + +[[exemptions.memchr]] +version = "2.8.0" +criteria = "safe-to-deploy" + +[[exemptions.memsafe]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.miette]] +version = "7.6.0" +criteria = "safe-to-deploy" + +[[exemptions.miette-derive]] +version = "7.6.0" +criteria = "safe-to-deploy" + +[[exemptions.migrations_internals]] +version = "2.3.0" +criteria = "safe-to-deploy" + +[[exemptions.migrations_macros]] +version = "2.3.0" +criteria = "safe-to-deploy" + +[[exemptions.mime]] +version = "0.3.17" +criteria = "safe-to-deploy" + +[[exemptions.minimal-lexical]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.mio]] +version = "1.1.1" +criteria = "safe-to-deploy" + +[[exemptions.multimap]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.num-bigint]] +version = "0.4.6" +criteria = "safe-to-deploy" + +[[exemptions.num-conv]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.object]] +version = "0.37.3" +criteria = 
"safe-to-deploy" + +[[exemptions.oid-registry]] +version = "0.8.1" +criteria = "safe-to-deploy" + +[[exemptions.once_cell]] +version = "1.21.3" +criteria = "safe-to-deploy" + +[[exemptions.owo-colors]] +version = "4.2.3" +criteria = "safe-to-deploy" + +[[exemptions.parking_lot]] +version = "0.12.5" +criteria = "safe-to-deploy" + +[[exemptions.parking_lot_core]] +version = "0.9.12" +criteria = "safe-to-deploy" + +[[exemptions.pem]] +version = "3.0.6" +criteria = "safe-to-deploy" + +[[exemptions.petgraph]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.pin-project]] +version = "1.1.10" +criteria = "safe-to-deploy" + +[[exemptions.pin-project-internal]] +version = "1.1.10" +criteria = "safe-to-deploy" + +[[exemptions.portable-atomic]] +version = "1.13.1" +criteria = "safe-to-deploy" + +[[exemptions.prettyplease]] +version = "0.2.37" +criteria = "safe-to-deploy" + +[[exemptions.proc-macro2]] +version = "1.0.106" +criteria = "safe-to-deploy" + +[[exemptions.prost]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.prost-build]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.prost-derive]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.prost-types]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.pulldown-cmark]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.pulldown-cmark-to-cmark]] +version = "22.0.0" +criteria = "safe-to-deploy" + +[[exemptions.quote]] +version = "1.0.44" +criteria = "safe-to-deploy" + +[[exemptions.r-efi]] +version = "5.3.0" +criteria = "safe-to-deploy" + +[[exemptions.rand]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.rand_core]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.rcgen]] +version = "0.14.7" +criteria = "safe-to-deploy" + +[[exemptions.redox_syscall]] +version = "0.5.18" +criteria = "safe-to-deploy" + +[[exemptions.regex]] +version = "1.12.3" +criteria = "safe-to-deploy" + 
+[[exemptions.regex-automata]] +version = "0.4.14" +criteria = "safe-to-deploy" + +[[exemptions.regex-syntax]] +version = "0.8.9" +criteria = "safe-to-deploy" + +[[exemptions.ring]] +version = "0.17.14" +criteria = "safe-to-deploy" + +[[exemptions.rsqlite-vfs]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.rustc-demangle]] +version = "0.1.27" +criteria = "safe-to-deploy" + +[[exemptions.rustc_version]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.rusticata-macros]] +version = "4.1.0" +criteria = "safe-to-deploy" + +[[exemptions.rustls]] +version = "0.23.36" +criteria = "safe-to-deploy" + +[[exemptions.rustls-pki-types]] +version = "1.14.0" +criteria = "safe-to-deploy" + +[[exemptions.rustls-webpki]] +version = "0.103.9" +criteria = "safe-to-deploy" + +[[exemptions.rustversion]] +version = "1.0.22" +criteria = "safe-to-deploy" + +[[exemptions.scoped-futures]] +version = "0.1.4" +criteria = "safe-to-deploy" + +[[exemptions.scopeguard]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.secrecy]] +version = "0.10.3" +criteria = "safe-to-deploy" + +[[exemptions.semver]] +version = "1.0.27" +criteria = "safe-to-deploy" + +[[exemptions.serde]] +version = "1.0.228" +criteria = "safe-to-deploy" + +[[exemptions.serde_core]] +version = "1.0.228" +criteria = "safe-to-deploy" + +[[exemptions.serde_derive]] +version = "1.0.228" +criteria = "safe-to-deploy" + +[[exemptions.sha2]] +version = "0.11.0-rc.5" +criteria = "safe-to-deploy" + +[[exemptions.signal-hook-registry]] +version = "1.4.8" +criteria = "safe-to-deploy" + +[[exemptions.signature]] +version = "3.0.0-rc.10" +criteria = "safe-to-deploy" + +[[exemptions.simd-adler32]] +version = "0.3.8" +criteria = "safe-to-deploy" + +[[exemptions.slab]] +version = "0.4.12" +criteria = "safe-to-deploy" + +[[exemptions.smlang]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.smlang-macros]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.socket2]] 
+version = "0.6.2" +criteria = "safe-to-deploy" + +[[exemptions.sqlite-wasm-rs]] +version = "0.5.2" +criteria = "safe-to-deploy" + +[[exemptions.string_morph]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.subtle]] +version = "2.6.1" +criteria = "safe-to-deploy" + +[[exemptions.supports-color]] +version = "3.0.2" +criteria = "safe-to-deploy" + +[[exemptions.supports-hyperlinks]] +version = "3.2.0" +criteria = "safe-to-deploy" + +[[exemptions.supports-unicode]] +version = "3.0.0" +criteria = "safe-to-deploy" + +[[exemptions.sync_wrapper]] +version = "1.0.2" +criteria = "safe-to-deploy" + +[[exemptions.tempfile]] +version = "3.25.0" +criteria = "safe-to-deploy" + +[[exemptions.terminal_size]] +version = "0.4.3" +criteria = "safe-to-deploy" + +[[exemptions.thiserror]] +version = "2.0.18" +criteria = "safe-to-deploy" + +[[exemptions.thiserror-impl]] +version = "2.0.18" +criteria = "safe-to-deploy" + +[[exemptions.thread_local]] +version = "1.1.9" +criteria = "safe-to-run" + +[[exemptions.time]] +version = "0.3.47" +criteria = "safe-to-deploy" + +[[exemptions.time-core]] +version = "0.1.8" +criteria = "safe-to-deploy" + +[[exemptions.time-macros]] +version = "0.2.27" +criteria = "safe-to-deploy" + +[[exemptions.tokio]] +version = "1.49.0" +criteria = "safe-to-deploy" + +[[exemptions.tokio-macros]] +version = "2.6.0" +criteria = "safe-to-deploy" + +[[exemptions.tokio-rustls]] +version = "0.26.4" +criteria = "safe-to-deploy" + +[[exemptions.tokio-stream]] +version = "0.1.18" +criteria = "safe-to-deploy" + +[[exemptions.tokio-util]] +version = "0.7.18" +criteria = "safe-to-deploy" + +[[exemptions.toml]] +version = "0.9.11+spec-1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.toml_parser]] +version = "1.0.6+spec-1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.tonic]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.tonic-build]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.tonic-prost]] +version = "0.14.4" 
+criteria = "safe-to-deploy" + +[[exemptions.tonic-prost-build]] +version = "0.14.3" +criteria = "safe-to-deploy" + +[[exemptions.tower]] +version = "0.5.3" +criteria = "safe-to-deploy" + +[[exemptions.tower-layer]] +version = "0.3.3" +criteria = "safe-to-deploy" + +[[exemptions.tower-service]] +version = "0.3.3" +criteria = "safe-to-deploy" + +[[exemptions.tracing]] +version = "0.1.44" +criteria = "safe-to-deploy" + +[[exemptions.tracing-attributes]] +version = "0.1.31" +criteria = "safe-to-deploy" + +[[exemptions.tracing-core]] +version = "0.1.36" +criteria = "safe-to-deploy" + +[[exemptions.tracing-subscriber]] +version = "0.3.22" +criteria = "safe-to-run" + +[[exemptions.try-lock]] +version = "0.2.5" +criteria = "safe-to-deploy" + +[[exemptions.typenum]] +version = "1.19.0" +criteria = "safe-to-deploy" + +[[exemptions.unicase]] +version = "2.9.0" +criteria = "safe-to-deploy" + +[[exemptions.unicode-ident]] +version = "1.0.23" +criteria = "safe-to-deploy" + +[[exemptions.untrusted]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.untrusted]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.uuid]] +version = "1.20.0" +criteria = "safe-to-deploy" + +[[exemptions.want]] +version = "0.3.1" +criteria = "safe-to-deploy" + +[[exemptions.wasi]] +version = "0.11.1+wasi-snapshot-preview1" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen]] +version = "0.2.108" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-macro]] +version = "0.2.108" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-macro-support]] +version = "0.2.108" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-shared]] +version = "0.2.108" +criteria = "safe-to-deploy" + +[[exemptions.winapi]] +version = "0.3.9" +criteria = "safe-to-deploy" + +[[exemptions.winapi-i686-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.winapi-x86_64-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + 
+[[exemptions.windows-core]] +version = "0.62.2" +criteria = "safe-to-deploy" + +[[exemptions.windows-implement]] +version = "0.60.2" +criteria = "safe-to-deploy" + +[[exemptions.windows-interface]] +version = "0.59.3" +criteria = "safe-to-deploy" + +[[exemptions.windows-link]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.windows-result]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.windows-strings]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.windows-sys]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-sys]] +version = "0.60.2" +criteria = "safe-to-deploy" + +[[exemptions.windows-sys]] +version = "0.61.2" +criteria = "safe-to-deploy" + +[[exemptions.windows-targets]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows-targets]] +version = "0.53.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_msvc]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_msvc]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnu]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnu]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnullvm]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnullvm]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_msvc]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_msvc]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnu]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnu]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.52.6" 
+criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_msvc]] +version = "0.52.6" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_msvc]] +version = "0.53.1" +criteria = "safe-to-deploy" + +[[exemptions.winnow]] +version = "0.7.14" +criteria = "safe-to-deploy" + +[[exemptions.x509-parser]] +version = "0.18.1" +criteria = "safe-to-deploy" + +[[exemptions.yasna]] +version = "0.5.2" +criteria = "safe-to-deploy" + +[[exemptions.zeroize]] +version = "1.8.2" +criteria = "safe-to-deploy" + +[[exemptions.zmij]] +version = "1.0.20" +criteria = "safe-to-deploy" + +[[exemptions.zstd]] +version = "0.13.3" +criteria = "safe-to-deploy" + +[[exemptions.zstd-safe]] +version = "7.2.4" +criteria = "safe-to-deploy" + +[[exemptions.zstd-sys]] +version = "2.0.16+zstd.1.5.7" +criteria = "safe-to-deploy" diff --git a/server/supply-chain/imports.lock b/server/supply-chain/imports.lock new file mode 100644 index 0000000..a35eb4b --- /dev/null +++ b/server/supply-chain/imports.lock 
@@ -0,0 +1,1040 @@ + +# cargo-vet imports lock + +[[publisher.bumpalo]] +version = "3.19.1" +when = "2025-12-16" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + +[[publisher.core-foundation-sys]] +version = "0.8.4" +when = "2023-04-03" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.h2]] +version = "0.4.13" +when = "2026-01-05" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.hashbrown]] +version = "0.15.5" +when = "2025-08-07" +user-id = 55123 +user-login = "rust-lang-owner" + +[[publisher.hashbrown]] +version = "0.16.1" +when = "2025-11-20" +user-id = 55123 +user-login = "rust-lang-owner" + +[[publisher.hyper-util]] +version = "0.1.20" +when = "2026-02-02" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.rustix]] +version = "1.1.3" +when = "2025-12-23" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.serde_json]] +version = "1.0.149" +when = "2026-01-06" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.syn]] +version = "1.0.109" +when = "2023-02-24" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.syn]] +version = "2.0.114" +when = "2026-01-07" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.unicode-width]] +version = "0.1.14" +when = "2024-09-19" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unicode-width]] +version = "0.2.2" +when = "2025-10-06" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unicode-xid]] +version = "0.2.6" +when = "2024-09-19" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.wasip2]] +version = "1.0.2+wasi-0.2.9" +when = "2026-01-15" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasip3]] +version = 
"0.4.0+wasi-0.3.0-rc-2026-01-06" +when = "2026-01-15" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasm-encoder]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wasm-metadata]] +version = "0.236.0" +when = "2025-07-28" +user-id = 73222 +user-login = "wasmtime-publish" + +[[publisher.wasmparser]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wit-bindgen]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-core]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-rust]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-rust-macro]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-component]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wit-parser]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[audits.bytecode-alliance.wildcard-audits.bumpalo]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2019-03-16" +end = "2026-08-21" + +[[audits.bytecode-alliance.wildcard-audits.wasip2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-08-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. 
+""" + +[[audits.bytecode-alliance.wildcard-audits.wasip3]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-09-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 73222 # wasmtime-publish +start = "2023-01-01" +end = "2026-06-03" +notes = """ +The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate +publication of this crate from CI. This repository requires all PRs are reviewed +by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasmparser]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-core]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" 
+start = "2025-08-13" +end = "2027-01-12" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust-macro]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-component]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-parser]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.adler2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.0.0" +notes = "Fork of the original `adler` crate, zero unsfae code, works in `no_std`, does what it says on th tin." + +[[audits.bytecode-alliance.audits.atomic-waker]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.1.2" +notes = "Contains `unsafe` code but it's well-documented and scoped to what it's intended to be doing. Otherwise a well-focused and straightforward crate." + +[[audits.bytecode-alliance.audits.core-foundation-sys]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.8.4 -> 0.8.6" +notes = """ +The changes here are all typical bindings updates: new functions, types, and +constants. I have not audited all the bindings for ABI conformance. 
+""" + +[[audits.bytecode-alliance.audits.displaydoc]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" + +[[audits.bytecode-alliance.audits.fastrand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +notes = """ +This update had a few doc updates but no otherwise-substantial source code +updates. +""" + +[[audits.bytecode-alliance.audits.fastrand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.1.1 -> 2.3.0" +notes = "Minor refactoring, nothing new." + +[[audits.bytecode-alliance.audits.foldhash]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +Only a minor amount of `unsafe` code in this crate related to global per-process +initialization which looks correct to me. +""" + +[[audits.bytecode-alliance.audits.futures]] +who = "Joel Dice " +criteria = "safe-to-deploy" +version = "0.3.31" + +[[audits.bytecode-alliance.audits.futures-channel]] +who = "Joel Dice " +criteria = "safe-to-deploy" +version = "0.3.31" + +[[audits.bytecode-alliance.audits.futures-core]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." 
+ +[[audits.bytecode-alliance.audits.futures-core]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.31" + +[[audits.bytecode-alliance.audits.futures-executor]] +who = "Joel Dice " +criteria = "safe-to-deploy" +version = "0.3.31" + +[[audits.bytecode-alliance.audits.futures-io]] +who = "Joel Dice " +criteria = "safe-to-deploy" +version = "0.3.31" + +[[audits.bytecode-alliance.audits.futures-macro]] +who = "Joel Dice " +criteria = "safe-to-deploy" +version = "0.3.31" + +[[audits.bytecode-alliance.audits.futures-sink]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" + +[[audits.bytecode-alliance.audits.futures-sink]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.31" + +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.29.0 -> 0.31.0" +notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate." + +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.31.0 -> 0.31.1" +notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!" + +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.31.1 -> 0.32.0" +notes = "Ever more DWARF to parse, but also no new `unsafe` and everything looks like gimli." + +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.32.0 -> 0.32.3" +notes = "Ever more dwarf, it never ends! (nothing out of the ordinary)" + +[[audits.bytecode-alliance.audits.heck]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.4.0" +notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation." 
+ +[[audits.bytecode-alliance.audits.heck]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.5.0" +notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected." + +[[audits.bytecode-alliance.audits.iana-time-zone-haiku]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.1.2" + +[[audits.bytecode-alliance.audits.leb128fmt]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.0" +notes = "Well-scoped crate do doing LEB encoding with no `unsafe` code and does what it says on the tin." + +[[audits.bytecode-alliance.audits.matchers]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecode-alliance.audits.matchers]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.2.0" +notes = "Some unsafe code, but not more than before. Nothing awry." + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "Minor updates, using new Rust features like `const`, no major changes." + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.8.0 -> 0.8.5" +notes = """ +Lots of small updates here and there, for example around modernizing Rust +idioms. 
No new `unsafe` code and everything looks like what you'd expect a +compression library to be doing. +""" + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.8.5 -> 0.8.9" +notes = "No new unsafe code, just refactorings." + +[[audits.bytecode-alliance.audits.num-traits]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.2.19" +notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." + +[[audits.bytecode-alliance.audits.percent-encoding]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.2.0" +notes = """ +This crate is a single-file crate that does what it says on the tin. There are +a few `unsafe` blocks related to utf-8 validation which are locally verifiable +as correct and otherwise this crate is good to go. +""" + +[[audits.bytecode-alliance.audits.pin-project-lite]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.14" +notes = "No substantive changes in this update" + +[[audits.bytecode-alliance.audits.pin-utils]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.25" +notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.3.26 -> 0.3.29" +notes = """ +No `unsafe` additions or anything outside of the purview of the crate in this +change. 
+""" + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "0.3.29 -> 0.3.32" + +[[audits.bytecode-alliance.audits.sharded-slab]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.4" +notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe." + +[[audits.bytecode-alliance.audits.shlex]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin." + +[[audits.bytecode-alliance.audits.smallvec]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "1.13.2 -> 1.14.0" +notes = "Minor new feature, nothing out of the ordinary." + +[[audits.bytecode-alliance.audits.test-log]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.11" + +[[audits.bytecode-alliance.audits.test-log]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.2.11 -> 0.2.16" +notes = "Crate implementation was moved to a `*-macros` crate, crate is very small as a result." + +[[audits.bytecode-alliance.audits.test-log]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.2.16 -> 0.2.18" +notes = "Minor updates, nothing changing unsafe" + +[[audits.bytecode-alliance.audits.test-log-macros]] +who = "Alex Crichton " +criteria = "safe-to-run" +version = "0.2.16" +notes = "Simple procedural macro copied from its previous source." + +[[audits.bytecode-alliance.audits.test-log-macros]] +who = "Alex Crichton " +criteria = "safe-to-run" +delta = "0.2.16 -> 0.2.18" +notes = "Standard macro changes, nothing out of place" + +[[audits.bytecode-alliance.audits.vcpkg]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." 
+ +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.236.0 -> 0.237.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.237.0 -> 0.238.1" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.238.1 -> 0.239.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.239.0 -> 0.240.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.240.0 -> 0.241.2" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.241.2 -> 0.242.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.242.0 -> 0.243.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.243.0 -> 0.244.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.google.audits.base64]] +who = "amarjotgill " +criteria = "safe-to-deploy" +version = "0.22.1" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.either]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "1.13.0" +notes = "Unsafe code pertaining to wrapping Pin APIs. 
Mostly passes invariants down." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.either]] +who = "Daniel Cheng " +criteria = "safe-to-deploy" +delta = "1.13.0 -> 1.14.0" +notes = """ +Inheriting ub-risk-1 from the baseline review of 1.13.0. While the delta has some diffs in unsafe code, they are either: +- migrating code to use helper macros +- migrating match patterns to take advantage of default bindings mode from RFC 2005 +Either way, the result is code that does exactly the same thing and does not change the risk of UB. + +See https://crrev.com/c/6323164 for more audit details. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.either]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.14.0 -> 1.15.0" +notes = 'The delta in `lib.rs` only tweaks doc comments and `#[cfg(feature = "std")]`.' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "Jonathan Hao " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 1.0.2" +notes = "No changes to any .rs files or Rust code." 
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.fastrand]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.9.0" +notes = """ +`does-not-implement-crypto` is certified because this crate explicitly says +that the RNG here is not cryptographically secure. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" +notes = "No changes to safety-relevant code" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Chris Palmer " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.5" +notes = "No new `unsafe`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.httpdate]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.lazy_static]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +There are two places where `unsafe` is used. Unsafe review notes can be found +in https://crrev.com/c/5347418. + +This crate has been added to Chromium in https://crrev.com/c/3321895. 
+''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.lazy_static]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.4.0 -> 1.5.0" +notes = "Unsafe review notes: https://crrev.com/c/5650836" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.nom]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "7.1.3" +notes = """ +Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.num-integer]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "0.1.46" +notes = "Contains no unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.2.9" +notes = "Reviewed on https://fxrev.dev/824504" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.smallvec]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +version = "1.13.2" +aggregated-from = 
"https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strsim]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.10.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.mozilla.wildcard-audits.core-foundation-sys]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +user-id = 5946 # Jeff Muizelaar (jrmuizel) +start = "2020-10-14" +end = "2023-05-04" +renew = false +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.unicode-width]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-12-05" +end = "2026-02-01" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.unicode-xid]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-07-25" +end = "2026-02-01" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.adler2]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.1.2" +notes = "I wrote this 
crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.2 -> 0.1.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.5" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.core-foundation-sys]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.8.6 -> 0.8.7" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.displaydoc]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +version = "0.2.3" +notes = """ +This crate is convenient macros to implement core::fmt::Display trait. +Although `unsafe` is used for test code to call `libc::abort()`, it has no `unsafe` code in this crate. And there is no file access. +It meets the criteria for safe-to-deploy. 
+""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.displaydoc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.3 -> 0.2.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 2.0.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "2.0.1 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Chris Martin " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.1.1" +notes = "Fairly trivial changes, no chance of security regression." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fnv]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.7" +notes = "Simple hasher implementation with no unsafe code." 
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.foldhash]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "0.1.5 -> 0.2.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.futures-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.futures-sink]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.gimli]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.30.0" +notes = """ +Unsafe code blocks are sound. Minimal dependencies used. No use of +side-effectful std functions. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.gimli]] +who = "Chris Martin " +criteria = "safe-to-deploy" +delta = "0.30.0 -> 0.29.0" +notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues." 
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.heck]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hex]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "0.4.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.2.0 -> 2.3.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.3.0 -> 2.3.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.percent-encoding]] +who = "edgul " +criteria = "safe-to-deploy" +delta = "2.3.1 -> 2.3.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.pin-project-lite]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.16" +notes = """ +Only functional change is to work around a bug in the negative_impls feature +(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009) +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.pkg-config]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.25 -> 0.3.26" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.powerfmt]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.2.0" +notes = """ +A tiny bit of unsafe code to implement functionality that isn't in stable rust 
+yet, but it's all valid. Otherwise it's a pretty simple crate. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_spanned]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +version = "1.0.3" +notes = "Relatively simple Serde trait implementations. No IO or unsafe code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_spanned]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.3 -> 1.0.4" +notes = "Unchanged" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.sharded-slab]] +who = "Mark Hammond " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.7" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.shlex]] +who = "Max Inden " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 1.3.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.smallvec]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +delta = "1.14.0 -> 1.15.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strsim]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.11.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "0.12.6" +notes = """ +I am the primary author of the `synstructure` crate, and its current +maintainer. The one use of `unsafe` is unnecessary, but documented and +harmless. It will be removed in the next version. 
+""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.12.6 -> 0.13.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.13.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.synstructure]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.13.1 -> 0.13.2" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +version = "0.15.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.15.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.15.2 -> 0.16.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.16.0 -> 0.16.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.16.1 -> 0.16.2" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.toml_datetime]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +version = "0.7.5+spec-1.1.0" +notes = "Pure data 
type crate with some datetime parsing. No unsafe." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.unicode-linebreak]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +version = "0.1.5" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"