# cargo-vet imports lock
#
# Tool-managed record kept by `cargo vet`: it pins the publisher information
# and the peer audits that the project's supply-chain policy relies on.
# Hand edits are normally overwritten when the tool refreshes its imports, so
# review changes to this file the way a dependency bump is reviewed.

# Publisher records. Each entry ties one published crate version to the
# crates.io account (user-id / user-login) or trusted publisher that released
# it on the `when` date. Wildcard audits are matched against these fields.
# Several crates below (h2, hashbrown, hyper-util, libc, rustix, serde_json,
# syn, thread_local, toml, toml_parser, windows-sys) have no wildcard audit in
# the part of the file visible here; presumably they are covered by trust
# entries elsewhere in the supply-chain config. TODO confirm.

[[publisher.bumpalo]]
version = "3.19.1"
when = "2025-12-16"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"

[[publisher.core-foundation-sys]]
version = "0.8.4"
when = "2023-04-03"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"

[[publisher.h2]]
version = "0.4.13"
when = "2026-01-05"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.hashbrown]]
version = "0.15.5"
when = "2025-08-07"
user-id = 55123
user-login = "rust-lang-owner"

[[publisher.hashbrown]]
version = "0.16.1"
when = "2025-11-20"
user-id = 55123
user-login = "rust-lang-owner"

[[publisher.hyper-util]]
version = "0.1.20"
when = "2026-02-02"
user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"

[[publisher.libc]]
version = "0.2.182"
when = "2026-02-13"
user-id = 55123
user-login = "rust-lang-owner"

[[publisher.rustix]]
version = "1.1.3"
when = "2025-12-23"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"

[[publisher.serde_json]]
version = "1.0.149"
when = "2026-01-06"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.syn]]
version = "1.0.109"
when = "2023-02-24"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.syn]]
version = "2.0.115"
when = "2026-02-12"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.thread_local]]
version = "1.1.9"
when = "2025-06-12"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.toml]]
version = "0.9.12+spec-1.1.0"
when = "2026-02-10"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.toml_parser]]
version = "1.0.8+spec-1.1.0"
when = "2026-02-12"
user-id = 6743
user-login = "epage"
user-name = "Ed Page"

[[publisher.unicode-width]]
version = "0.1.14"
when = "2024-09-19"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.unicode-width]]
version = "0.2.2"
when = "2025-10-06"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.unicode-xid]]
version = "0.2.6"
when = "2024-09-19"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"

[[publisher.wasip2]]
version = "1.0.2+wasi-0.2.9"
when = "2026-01-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.wasip3]]
version = "0.4.0+wasi-0.3.0-rc-2026-01-06"
when = "2026-01-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

# `trusted-publisher` names a GitHub repository instead of a person. Trust in
# these releases therefore rests on that repository's release workflow and
# review rules rather than on an individual account.
[[publisher.wasm-encoder]]
version = "0.244.0"
when = "2026-01-06"
trusted-publisher = "github:bytecodealliance/wasm-tools"

# Published by the `wasmtime-publish` account, which the matching wildcard
# audit below describes as a CI automation account.
[[publisher.wasm-metadata]]
version = "0.236.0"
when = "2025-07-28"
user-id = 73222
user-login = "wasmtime-publish"

[[publisher.wasmparser]]
version = "0.244.0"
when = "2026-01-06"
trusted-publisher = "github:bytecodealliance/wasm-tools"

[[publisher.windows-sys]]
version = "0.52.0"
when = "2023-11-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.59.0"
when = "2024-07-30"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.60.2"
when = "2025-06-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.61.2"
when = "2025-10-06"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.wit-bindgen]]
version = "0.51.0"
when = "2026-01-12"
trusted-publisher = "github:bytecodealliance/wit-bindgen"

[[publisher.wit-bindgen-core]]
version = "0.51.0"
when = "2026-01-12"
trusted-publisher = "github:bytecodealliance/wit-bindgen"

[[publisher.wit-bindgen-rust]]
version = "0.51.0"
when = "2026-01-12"
trusted-publisher = "github:bytecodealliance/wit-bindgen"

[[publisher.wit-bindgen-rust-macro]]
version = "0.51.0"
when = "2026-01-12"
trusted-publisher = "github:bytecodealliance/wit-bindgen"

[[publisher.wit-component]]
version = "0.244.0"
when = "2026-01-06"
trusted-publisher = "github:bytecodealliance/wasm-tools"

[[publisher.wit-parser]]
version = "0.244.0"
when = "2026-01-06"
trusted-publisher = "github:bytecodealliance/wasm-tools"

# Wildcard audits imported from the Bytecode Alliance. A wildcard audit
# certifies every version published by the named account or trusted publisher
# between `start` and `end`; no individual release is reviewed. Coverage stops
# at `end`, so a release published after that date is not vouched for by the
# entry.

[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2026-08-21"

[[audits.bytecode-alliance.wildcard-audits.wasip2]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2025-08-10"
end = "2026-08-21"
notes = """
This is a Bytecode Alliance authored crate.
"""

[[audits.bytecode-alliance.wildcard-audits.wasip3]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2025-09-10"
end = "2026-08-21"
notes = """
This is a Bytecode Alliance authored crate.
"""

[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wasm-tools"
start = "2025-08-14"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

# Trust here is placed in a CI publishing account plus the repository's
# review policy (see notes), not in a named maintainer.
[[audits.bytecode-alliance.wildcard-audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-01-01"
end = "2026-06-03"
notes = """
The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself.
"""

[[audits.bytecode-alliance.wildcard-audits.wasmparser]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wasm-tools"
start = "2025-08-14"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wit-bindgen"
start = "2025-08-13"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-core]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wit-bindgen"
start = "2025-08-13"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wit-bindgen"
start = "2025-08-13"
end = "2027-01-12"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust-macro]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wit-bindgen"
start = "2025-08-13"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.wildcard-audits.wit-component]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wasm-tools"
start = "2025-08-14"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.wildcard-audits.wit-parser]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
trusted-publisher = "github:bytecodealliance/wasm-tools"
start = "2025-08-14"
end = "2027-01-08"
notes = "The Bytecode Alliance is the author of this crate"

# Per-version audits imported from the Bytecode Alliance. `version` certifies
# a whole release; `delta` certifies only the diff between two releases, so it
# helps only when its starting version is itself covered by another audit,
# wildcard or exemption.

[[audits.bytecode-alliance.audits.adler2]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "2.0.0"
notes = "Fork of the original `adler` crate, zero unsfae code, works in `no_std`, does what it says on th tin."

[[audits.bytecode-alliance.audits.atomic-waker]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.1.2"
notes = "Contains `unsafe` code but it's well-documented and scoped to what it's intended to be doing. Otherwise a well-focused and straightforward crate."

[[audits.bytecode-alliance.audits.cipher]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
version = "0.4.4"
notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads."

# The auditor explicitly leaves ABI conformance of the bindings out of scope.
[[audits.bytecode-alliance.audits.core-foundation-sys]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.8.4 -> 0.8.6"
notes = """
The changes here are all typical bindings updates: new functions, types, and constants. I have not audited all the bindings for ABI conformance.
"""

[[audits.bytecode-alliance.audits.displaydoc]]
who = "Nick Fitzgerald "
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.5"

[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."

[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = "Just a dependency version bump and a bug fix for redox"

# This delta starts at 0.3.9, which no audit visible in this part of the file
# reaches; the gap has to be bridged elsewhere. TODO confirm.
[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
delta = "0.3.9 -> 0.3.10"

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """
This update had a few doc updates but no otherwise-substantial source code updates.
"""

[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "2.1.1 -> 2.3.0"
notes = "Minor refactoring, nothing new."
# Bytecode Alliance per-version audits (foldhash through gimli). A `version`
# entry certifies a whole release; a `delta` entry certifies only the diff
# between the two named releases.

[[audits.bytecode-alliance.audits.foldhash]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.3"
notes = """
Only a minor amount of `unsafe` code in this crate related to global per-process initialization which looks correct to me.
"""

[[audits.bytecode-alliance.audits.futures]]
who = "Joel Dice "
criteria = "safe-to-deploy"
version = "0.3.31"

[[audits.bytecode-alliance.audits.futures-channel]]
who = "Joel Dice "
criteria = "safe-to-deploy"
version = "0.3.31"

# The auditor states the limit of this review: the unsafe concurrency
# primitive was read and judged "not obviously incorrect", not proven correct.
[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."

# Starts at 0.3.28 while the full audit above is for 0.3.27; the 0.3.27 ->
# 0.3.28 step is not among the entries visible here. TODO confirm how it is
# covered.
[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.31"

[[audits.bytecode-alliance.audits.futures-executor]]
who = "Joel Dice "
criteria = "safe-to-deploy"
version = "0.3.31"

[[audits.bytecode-alliance.audits.futures-io]]
who = "Joel Dice "
criteria = "safe-to-deploy"
version = "0.3.31"

[[audits.bytecode-alliance.audits.futures-macro]]
who = "Joel Dice "
criteria = "safe-to-deploy"
version = "0.3.31"

[[audits.bytecode-alliance.audits.futures-sink]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.27"

# Same 0.3.27 / 0.3.28 discontinuity as futures-core.
[[audits.bytecode-alliance.audits.futures-sink]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.31"

# The gimli entries are deltas only; the audit of the 0.29.0 base is not among
# the entries visible here.
[[audits.bytecode-alliance.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.29.0 -> 0.31.0"
notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate."
# Bytecode Alliance per-version audits (gimli through inout). The three gimli
# deltas below form a contiguous chain 0.31.0 -> 0.31.1 -> 0.32.0 -> 0.32.3.

[[audits.bytecode-alliance.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.31.1"
notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!"

[[audits.bytecode-alliance.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.31.1 -> 0.32.0"
notes = "Ever more DWARF to parse, but also no new `unsafe` and everything looks like gimli."

[[audits.bytecode-alliance.audits.gimli]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.32.3"
notes = "Ever more dwarf, it never ends! (nothing out of the ordinary)"

[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."

# Starts at 0.4.1 while the full audit above is for 0.4.0; the 0.4.0 -> 0.4.1
# step is not among the entries visible here. TODO confirm how it is covered.
[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected."

# Full audit of a release candidate; the delta below carries it to 1.0.0.
[[audits.bytecode-alliance.audits.http-body]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "1.0.0-rc.2"

[[audits.bytecode-alliance.audits.http-body]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.0.0-rc.2 -> 1.0.0"
notes = "Only minor changes made for a stable release."

[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman "
criteria = "safe-to-deploy"
version = "0.1.2"

[[audits.bytecode-alliance.audits.inout]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
version = "0.1.3"
notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads."
# Bytecode Alliance per-version audits (leb128fmt through miniz_oxide).

[[audits.bytecode-alliance.audits.leb128fmt]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.0"
notes = "Well-scoped crate do doing LEB encoding with no `unsafe` code and does what it says on the tin."

[[audits.bytecode-alliance.audits.matchers]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

[[audits.bytecode-alliance.audits.matchers]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.2.0"
notes = "Some unsafe code, but not more than before. Nothing awry."

# miniz_oxide is covered by a full audit of 0.7.1 followed by a contiguous
# delta chain up to 0.8.9; each delta note records that no new `unsafe` was
# introduced or that changes were minor.
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
This crate is a Rust implementation of zlib compression/decompression and has been used by default by the Rust standard library for quite some time. It's also a default dependency of the popular `backtrace` crate for decompressing debug information. This crate forbids unsafe code and does not otherwise access system resources. It's originally a port of the `miniz.c` library as well, and given its own longevity should be relatively hardened against some of the more common compression-related issues.
"""

[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.7.1 -> 0.8.0"
notes = "Minor updates, using new Rust features like `const`, no major changes."

[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.8.5"
notes = """
Lots of small updates here and there, for example around modernizing Rust idioms. No new `unsafe` code and everything looks like what you'd expect a compression library to be doing.
"""

[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.8.5 -> 0.8.9"
notes = "No new unsafe code, just refactorings."
# Bytecode Alliance per-version audits (nu-ansi-term onward), followed by the
# audits imported from Google and Mozilla.

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.46.0"
notes = "one use of unsafe to call windows specific api to get console handle."

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.46.0 -> 0.50.1"
notes = "Lots of stylistic/rust-related chanegs, plus new features, but nothing out of the ordrinary."

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.50.1 -> 0.50.3"
notes = "CI changes, Rust changes, nothing out of the ordinary."

[[audits.bytecode-alliance.audits.num-traits]]
who = "Andrew Brown "
criteria = "safe-to-deploy"
version = "0.2.19"
notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected."

[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """
This crate is a single-file crate that does what it says on the tin. There are a few `unsafe` blocks related to utf-8 validation which are locally verifiable as correct and otherwise this crate is good to go.
"""

[[audits.bytecode-alliance.audits.pin-project-lite]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
notes = "No substantive changes in this update"

[[audits.bytecode-alliance.audits.pin-utils]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.0"

# The auditor flags that this crate runs an external executable and judged
# the input sanitisation "reasonable"; that is a reading, not a proof.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.25"
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."

# Starts at 0.3.26 while the full audit above is for 0.3.25; the 0.3.25 ->
# 0.3.26 step is not among the entries visible here. TODO confirm how it is
# covered.
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.29"
notes = """
No `unsafe` additions or anything outside of the purview of the crate in this change.
"""

[[audits.bytecode-alliance.audits.pkg-config]]
who = "Chris Fallin "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.32"

[[audits.bytecode-alliance.audits.sharded-slab]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.1.4"
notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe."

[[audits.bytecode-alliance.audits.shlex]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin."

[[audits.bytecode-alliance.audits.smallvec]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "1.13.2 -> 1.14.0"
notes = "Minor new feature, nothing out of the ordinary."

# test-log 0.2.11 is certified safe-to-deploy, but both deltas after it carry
# only the weaker safe-to-run criteria. Versions reached through those deltas
# are therefore vetted for running in development and test only.
[[audits.bytecode-alliance.audits.test-log]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.11"

[[audits.bytecode-alliance.audits.test-log]]
who = "Alex Crichton "
criteria = "safe-to-run"
delta = "0.2.11 -> 0.2.16"
notes = "Crate implementation was moved to a `*-macros` crate, crate is very small as a result."

[[audits.bytecode-alliance.audits.test-log]]
who = "Alex Crichton "
criteria = "safe-to-run"
delta = "0.2.16 -> 0.2.18"
notes = "Minor updates, nothing changing unsafe"

[[audits.bytecode-alliance.audits.test-log-macros]]
who = "Alex Crichton "
criteria = "safe-to-run"
version = "0.2.16"
notes = "Simple procedural macro copied from its previous source."

[[audits.bytecode-alliance.audits.test-log-macros]]
who = "Alex Crichton "
criteria = "safe-to-run"
delta = "0.2.16 -> 0.2.18"
notes = "Standard macro changes, nothing out of place"

[[audits.bytecode-alliance.audits.tracing-log]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
version = "0.1.3"
notes = """
This is a standard adapter between the `log` ecosystem and the `tracing` ecosystem. There's one `unsafe` block in this crate and it's well-scoped.
"""

[[audits.bytecode-alliance.audits.tracing-log]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.2.0"
notes = "Nothing out of the ordinary, a typical major version update and nothing awry."

[[audits.bytecode-alliance.audits.try-lock]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"

# The note records filesystem reads and DLL copies into OUT_DIR as this
# crate's observable side effects.
[[audits.bytecode-alliance.audits.vcpkg]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."

[[audits.bytecode-alliance.audits.want]]
who = "Pat Hickey "
criteria = "safe-to-deploy"
version = "0.3.0"

# Contiguous delta chain 0.236.0 -> 0.244.0 for wasm-metadata. Every note
# gives authorship as the reason for trust; none describes a review of the
# diff itself.
[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.236.0 -> 0.237.0"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.237.0 -> 0.238.1"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.238.1 -> 0.239.0"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.239.0 -> 0.240.0"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.240.0 -> 0.241.2"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.241.2 -> 0.242.0"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.242.0 -> 0.243.0"
notes = "The Bytecode Alliance is the author of this crate"

[[audits.bytecode-alliance.audits.wasm-metadata]]
who = "Alex Crichton "
criteria = "safe-to-deploy"
delta = "0.243.0 -> 0.244.0"
notes = "The Bytecode Alliance is the author of this crate"

# Audits imported from Google. `aggregated-from` names the upstream
# audits.toml each entry was collected from (Chromium, ChromiumOS or Fuchsia
# here); that is where to look when an entry needs to be verified.

[[audits.google.audits.autocfg]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.base64]]
who = "amarjotgill "
criteria = "safe-to-deploy"
version = "0.22.1"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.either]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
version = "1.13.0"
notes = "Unsafe code pertaining to wrapping Pin APIs. Mostly passes invariants down."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.either]]
who = "Daniel Cheng "
criteria = "safe-to-deploy"
delta = "1.13.0 -> 1.14.0"
notes = """
Inheriting ub-risk-1 from the baseline review of 1.13.0. While the delta has some diffs in unsafe code, they are either: - migrating code to use helper macros - migrating match patterns to take advantage of default bindings mode from RFC 2005 Either way, the result is code that does exactly the same thing and does not change the risk of UB. See https://crrev.com/c/6323164 for more audit details.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.either]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.14.0 -> 1.15.0"
notes = 'The delta in `lib.rs` only tweaks doc comments and `#[cfg(feature = "std")]`.'
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.equivalent]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.equivalent]]
who = "Jonathan Hao "
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.2"
notes = "No changes to any .rs files or Rust code."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Per the note, this RNG is explicitly not cryptographically secure; the
# audit says nothing about suitability for keys, tokens or nonces.
[[audits.google.audits.fastrand]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.foldhash]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.4"
notes = "No changes to safety-relevant code"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.foldhash]]
who = "Chris Palmer "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
notes = "No new `unsafe`."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.httpdate]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.4.0"
notes = '''
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are two places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5347418. This crate has been added to Chromium in https://crrev.com/c/3321895.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
delta = "1.4.0 -> 1.5.0"
notes = "Unsafe review notes: https://crrev.com/c/5650836"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.nom]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "7.1.3"
notes = """
Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.num-integer]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
version = "0.1.46"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "Reviewed on https://fxrev.dev/824504"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
notes = "Audited at https://fxrev.dev/946396"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.proc-macro-error-attr]]
who = "George Burgess IV "
criteria = "safe-to-deploy"
version = "1.0.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.rand_core]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "0.6.4"
notes = """
For more detailed unsafe review notes please see https://crrev.com/c/6362797
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# The note documents build-time behaviour worth knowing about: build.rs writes
# a file under OUT_DIR that src/lib.rs later pulls in with `include!`.
[[audits.google.audits.rustversion]]
who = "Lukasz Anforowicz "
criteria = "safe-to-deploy"
version = "1.0.14"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for: * Using trivially-safe `unsafe` in test code: ``` tests/test_const.rs:unsafe fn _unsafe() {} tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() }; ``` * Using `unsafe` in a string: ``` src/constfn.rs: "unsafe" => Qualifiers::Unsafe, ``` * Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` which is later read back via `include!` used in `src/lib.rs`.
Version `1.0.6` of this crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.rustversion]]
who = "Adrian Taylor "
criteria = "safe-to-deploy"
delta = "1.0.14 -> 1.0.15"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.rustversion]]
who = "danakj "
criteria = "safe-to-deploy"
delta = "1.0.15 -> 1.0.16"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.rustversion]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.0.16 -> 1.0.17"
notes = "Just updates windows compat"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.rustversion]]
who = "Liza Burakova "
criteria = "safe-to-deploy"
delta = "1.0.17 -> 1.0.18"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.rustversion]]
who = "Dustin J. Mitchell "
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.19"
notes = "No unsafe, just doc changes"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.rustversion]]
who = "Daniel Cheng "
criteria = "safe-to-deploy"
delta = "1.0.19 -> 1.0.20"
notes = "Only minor updates to documentation and the mock today used for testing."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.smallvec]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
version = "1.13.2"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# strsim, strum and strum_macros share one note: the audit was carried over
# ("grandparented") from an earlier security review rather than redone.
[[audits.google.audits.strsim]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "0.10.0"
notes = """
Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.strum]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "0.25.0"
notes = """
Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.strum_macros]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "0.25.3"
notes = """
Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

# Wildcard audits imported from Mozilla. Each covers only versions published
# by the named account between `start` and `end`.

# This window closed on 2023-05-04 and is marked `renew = false`. The
# core-foundation-sys publisher record in this file (0.8.4, 2023-04-03) falls
# inside it; later versions rely on the delta audits instead.
[[audits.mozilla.wildcard-audits.core-foundation-sys]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2020-10-14"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Window ends 2026-02-01, earlier than the newest publisher record in this
# file (libc, 2026-02-13); a unicode-width release published after the end
# date would not be covered by this entry.
[[audits.mozilla.wildcard-audits.unicode-width]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-12-05"
end = "2026-02-01"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Same 2026-02-01 end date as the unicode-width entry.
[[audits.mozilla.wildcard-audits.unicode-xid]]
who = "Manish Goregaokar "
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-07-25"
end = "2026-02-01"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Per-version audits imported from Mozilla. Several of these deltas pick up
# where another peer's audit of the same crate stops (adler2, errno, fastrand,
# core-foundation-sys), so a crate's chain can depend on more than one peer.

[[audits.mozilla.audits.adler2]]
who = "Erich Gubler "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

# Self-audit: the `who` author states they wrote the crate, with review by a
# second person named in the note.
[[audits.mozilla.audits.android_system_properties]]
who = "Nicolas Silva "
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.android_system_properties]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.core-foundation-sys]]
who = "Erich Gubler "
criteria = "safe-to-deploy"
delta = "0.8.6 -> 0.8.7"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.displaydoc]]
who = "Makoto Kato "
criteria = "safe-to-deploy"
version = "0.2.3"
notes = """
This crate is convenient macros to implement core::fmt::Display trait. Although `unsafe` is used for test code to call `libc::abort()`, it has no `unsafe` code in this crate. And there is no file access. It meets the criteria for safe-to-deploy.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.displaydoc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.3 -> 0.2.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.errno]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "2.0.1 -> 2.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.fastrand]]
who = "Chris Martin "
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.1.1"
notes = "Fairly trivial changes, no chance of security regression."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.fnv]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.foldhash]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "0.1.5 -> 0.2.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-core]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.futures-sink]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.gimli]] who = "Alex Franchuk " criteria = "safe-to-deploy" version = "0.30.0" notes = """ Unsafe code blocks are sound. Minimal dependencies used. No use of side-effectful std functions. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.gimli]] who = "Chris Martin " criteria = "safe-to-deploy" delta = "0.30.0 -> 0.29.0" notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues." 
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.heck]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.4.0 -> 0.4.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.percent-encoding]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "2.2.0 -> 2.3.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.percent-encoding]] who = "Valentin Gosu " criteria = "safe-to-deploy" delta = "2.3.0 -> 2.3.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.percent-encoding]] who = "edgul " criteria = "safe-to-deploy" delta = "2.3.1 -> 2.3.2" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.pin-project-lite]] who = "Nika Layzell " criteria = "safe-to-deploy" delta = "0.2.14 -> 0.2.16" notes = """ Only functional change is to work around a bug in the negative_impls feature (https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009) """ aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.pkg-config]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.powerfmt]] who = "Alex Franchuk " criteria = "safe-to-deploy" version = "0.2.0" notes = """ A tiny bit of unsafe code to implement functionality that isn't in stable rust yet, but it's all valid. Otherwise it's a pretty simple crate. 
""" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.rustc_version]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "0.4.0" notes = """ Use of powerful capabilities is limited to invoking `rustc -vV` to get version information for parsing version information. """ aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.serde_spanned]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" version = "1.0.3" notes = "Relatively simple Serde trait implementations. No IO or unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.serde_spanned]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "1.0.3 -> 1.0.4" notes = "Unchanged" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.sharded-slab]] who = "Mark Hammond " criteria = "safe-to-deploy" delta = "0.1.4 -> 0.1.7" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.shlex]] who = "Max Inden " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.3.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.similar]] who = "Nika Layzell " criteria = "safe-to-deploy" delta = "2.2.1 -> 2.7.0" aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.smallvec]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.strsim]] who = "Ben Dean-Kawamura " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.1" aggregated-from = 
"https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.strum]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.25.0 -> 0.26.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.strum]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "0.26.3 -> 0.27.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.strum_macros]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" delta = "0.25.3 -> 0.26.4" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.strum_macros]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "0.26.4 -> 0.27.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "0.12.6" notes = """ I am the primary author of the `synstructure` crate, and its current maintainer. The one use of `unsafe` is unnecessary, but documented and harmless. It will be removed in the next version. 
""" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.synstructure]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.12.6 -> 0.13.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.synstructure]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.13.0 -> 0.13.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " criteria = "safe-to-deploy" delta = "0.13.1 -> 0.13.2" aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.textwrap]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" version = "0.15.0" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.textwrap]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.15.0 -> 0.15.2" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.textwrap]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.15.2 -> 0.16.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.textwrap]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" delta = "0.16.0 -> 0.16.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.textwrap]] who = "Nika Layzell " criteria = "safe-to-deploy" delta = "0.16.1 -> 0.16.2" aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.toml_datetime]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" version = "0.7.5+spec-1.1.0" notes = "Pure data type crate with some datetime parsing. No unsafe." 
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.unicode-linebreak]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" version = "0.1.5" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" [[audits.mozilla.audits.windows-link]] who = "Mark Hammond " criteria = "safe-to-deploy" version = "0.1.1" notes = "A microsoft crate allowing unsafe calls to windows apis." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.windows-link]] who = "Erich Gubler " criteria = "safe-to-deploy" delta = "0.1.1 -> 0.2.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.zeroize]] who = "Benjamin Beurdouche " criteria = "safe-to-deploy" version = "1.8.1" notes = """ This code DOES contain unsafe code required to internally call volatiles for deleting data. This is expected and documented behavior. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.zcash.audits.autocfg]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.4.0 -> 1.5.0" notes = "Filesystem change is to remove the generated LLVM IR output file after probing." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.dunce]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "1.0.5" notes = """ Does what it says on the tin. No `unsafe`, and the only IO is `std::fs::canonicalize`. Path and string handling looks plausibly correct. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.3 -> 0.3.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.errno]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.8 -> 0.3.9" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.10 -> 0.3.11" notes = "The `__errno` location for vxworks and cygwin looks correct from a quick search." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.zcash.audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.11 -> 0.3.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.errno]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.13 -> 0.3.14" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.http-body]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.0 -> 1.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.inout]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.4" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.zcash.audits.rustc_version]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.0 -> 0.4.1" notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rustversion]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.20 -> 1.0.21" notes = "Build script change is to fix building with `-Zfmt-debug=none`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.rustversion]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.21 -> 1.0.22" notes = "Changes to generated code are to prepend a clippy annotation." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.zcash.audits.strum]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.1 -> 0.27.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.strum_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.1 -> 0.27.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.try-lock]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.4 -> 0.2.5" notes = "Bumps MSRV to remove unsafe code block." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.want]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" notes = """ Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked `unsafe` (but that were being used safely). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.windows-link]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.1" notes = "No code changes at all." 
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.zcash.audits.zeroize]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.8.1 -> 1.8.2" notes = """ Changes to `unsafe` code are to alter how `core::mem::size_of` is named; no actual changes to the `unsafe` logic. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"