# cargo-vet imports lock [[publisher.wasm-mutate]] version = "0.2.23" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wasm-smith]] version = "0.12.6" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wasmparser]] version = "0.103.0" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wasmprinter]] version = "0.2.55" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wast]] version = "56.0.0" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wat]] version = "1.0.62" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wit-parser]] version = "0.7.0" when = "2023-04-13" user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" [[audits.embark-studios.audits.anyhow]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "1.0.58" [[audits.embark-studios.audits.anyhow]] who = "Johan Andersson " criteria = "safe-to-deploy" delta = "1.0.58 -> 1.0.66" notes = "New unsafe usage, looks sane. Expert maintainer" [[audits.embark-studios.audits.cty]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.2.2" notes = "Inspected it and is a tiny crate with just type definitions" [[audits.embark-studios.audits.webpki-roots]] who = "Johan Andersson " criteria = "safe-to-deploy" version = "0.22.4" notes = "Inspected it to confirm that it only contains data definitions and no runtime code" [[audits.google.audits.libfuzzer-sys]] who = "ChromeOS" criteria = "safe-to-run" version = "0.4.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.miniz_oxide]] who = "George Burgess IV " criteria = "safe-to-run" version = "0.6.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.static_assertions]] who = "ChromeOS" criteria = "safe-to-run" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.9.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT" [[audits.isrg.audits.block-buffer]] who = "David Cook " criteria = "safe-to-deploy" version = "0.9.0" [[audits.isrg.audits.opaque-debug]] who = "David Cook " criteria = "safe-to-deploy" version = "0.3.0" [[audits.isrg.audits.universal-hash]] who = "David Cook " criteria = "safe-to-deploy" version = "0.4.1" [[audits.isrg.audits.untrusted]] who = "David Cook " criteria = "safe-to-deploy" version = "0.7.1" [[audits.isrg.audits.wasm-bindgen-shared]] who = "David Cook " criteria = "safe-to-deploy" version = "0.2.83" [[audits.mozilla.audits.autocfg]] who = "Josh Stone " criteria = "safe-to-deploy" version = "1.1.0" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.bit-set]] who = "Aria Beingessner " criteria = "safe-to-deploy" version = "0.5.2" notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.bit-vec]] who = "Aria Beingessner " criteria = "safe-to-deploy" version = "0.6.3" notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.crypto-common]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.either]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "1.6.1" notes = """ Straightforward crate providing the Either enum and trait implementations with no unsafe code. """ aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.encoding_rs]] who = "Henri Sivonen " criteria = "safe-to-deploy" version = "0.8.31" notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.flagset]] who = "Ryan Hunt " criteria = "safe-to-deploy" version = "0.4.3" notes = "Uses no ambient capabilities, vetted the one instance of unsafe." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fxhash]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "0.2.1" notes = "Straightforward crate with no unsafe code, does what it says on the tin." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.half]] who = "John M. Schanck " criteria = "safe-to-deploy" version = "1.8.2" notes = """ This crate contains unsafe code for bitwise casts to/from binary16 floating-point format. I've reviewed these and found no issues. There are no uses of ambient capabilities. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hashbrown]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.12.3" notes = "This version is used in rust's libstd, so effectively we're already trusting it" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hermit-abi]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.19 -> 0.2.6" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.lazy_static]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "1.4.0" notes = "I have read over the macros, and audited the unsafe code." aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.log]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.4.17" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memoffset]] who = "Gabriele Svelto " criteria = "safe-to-deploy" delta = "0.6.5 -> 0.7.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-integer]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.1.45" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-iter]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.1.43" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-traits]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.2.15" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num_cpus]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.13.1 -> 1.14.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num_cpus]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.once_cell]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.12.0 -> 1.13.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.once_cell]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.13.1 -> 1.16.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "1.0.18" notes = """ `quote` is a utility crate used by proc-macros to generate TokenStreams conveniently from source code. The bulk of the logic is some complex interlocking `macro_rules!` macros which are used to parse and build the `TokenStream` within the proc-macro. This crate contains no unsafe code, and the internal logic, while difficult to read, is generally straightforward. I have audited the the quote macros, ident formatter, and runtime logic. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.slab]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.4.6 -> 0.4.7" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.socket2]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.4.4 -> 0.4.7" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " criteria = "safe-to-deploy" version = "0.12.6" notes = """ I am the primary author of the `synstructure` crate, and its current maintainer. The one use of `unsafe` is unnecessary, but documented and harmless. It will be removed in the next version. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.unicode-normalization]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.19 -> 0.1.20" notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.unicode-normalization]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.20 -> 0.1.21" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"