# cargo-vet imports lock
#
# Audit records imported from the peer named "mozilla". Every
# [[audits.mozilla.audits.<crate>]] table is one audit of <crate>.
#   who      - auditor as recorded upstream. The values in this copy end in a
#              space, which suggests an "<email>" part was stripped
#              (assumption; compare with the upstream audits file).
#   criteria - "safe-to-deploy" or "safe-to-run". In cargo-vet's built-in
#              criteria, safe-to-deploy implies safe-to-run, not the reverse.
#   version  - full audit of that release.
#   delta    - audit of the diff "A -> B" only. It certifies B only when A is
#              itself covered for the same criteria (a full audit, further
#              deltas, or an exemption).
# cargo-vet maintains this file itself, so hand edits, including these review
# comments, are likely to be dropped when it is regenerated.

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.61"

# This delta runs from the newer release to the older one; per the notes the
# two differ only in CI config and docs.
[[audits.mozilla.audits.anyhow]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.57"
notes = "No functional differences, just CI config and docs."

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.62"

# arbitrary has only safe-to-run deltas in this excerpt: the base audit for
# 1.1.0 has to come from somewhere else, and nothing here supports
# safe-to-deploy for this crate.
[[audits.mozilla.audits.arbitrary]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "1.1.0 -> 1.1.1"

[[audits.mozilla.audits.arbitrary]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "1.1.1 -> 1.1.3"

[[audits.mozilla.audits.async-trait]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.56 -> 0.1.57"

# The notes are an attestation by the person who wrote or reviewed the code,
# not a description of a separate review.
[[audits.mozilla.audits.autocfg]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."

# Certified by the crate's owner (see notes).
[[audits.mozilla.audits.bit-set]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."

[[audits.mozilla.audits.bit-set]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.5.3"

# Certified by the crate's owner (see notes).
[[audits.mozilla.audits.bit-vec]]
who = "Aria Beingessner "
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."

# Certified for safe-to-run only. The notes state that a safe-to-deploy
# re-certification was deliberately not requested, so this record cannot
# satisfy a safe-to-deploy policy for bumpalo 3.10.0.
[[audits.mozilla.audits.bumpalo]]
who = "Bobby Holley "
criteria = "safe-to-run"
delta = "3.9.1 -> 3.10.0"
notes = """
Some nontrivial functional changes but certainly meets the no-malware bar of
safe-to-run. If we needed safe-to-deploy for this in m-c I'd ask Nick to re-
certify this version, but we don't, so this is fine for now.
"""

[[audits.mozilla.audits.bytes]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.2.1"

[[audits.mozilla.audits.clap_lex]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.2"

[[audits.mozilla.audits.clap_lex]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"

[[audits.mozilla.audits.cpufeatures]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"

[[audits.mozilla.audits.crossbeam-channel]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.5.6"

[[audits.mozilla.audits.crossbeam-deque]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.8.1 -> 0.8.2"

[[audits.mozilla.audits.crossbeam-epoch]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.9.8 -> 0.9.10"

[[audits.mozilla.audits.crossbeam-utils]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.8.8 -> 0.8.11"

[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"

# derive_arbitrary has only safe-to-run deltas in this excerpt; the base audit
# for 1.1.0 is not among these records.
[[audits.mozilla.audits.derive_arbitrary]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "1.1.0 -> 1.1.1"

[[audits.mozilla.audits.derive_arbitrary]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "1.1.1 -> 1.1.3"

[[audits.mozilla.audits.either]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"

[[audits.mozilla.audits.either]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"

# Certified with two caveats recorded by the auditor: operations documented as
# UB on integer types, and reinterpretation of integer buffers as SIMD
# vectors. The two linked issues are the follow-up items for anyone relying on
# this audit.
[[audits.mozilla.audits.encoding_rs]]
who = "Henri Sivonen "
criteria = "safe-to-deploy"
version = "0.8.31"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."

[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"

[[audits.mozilla.audits.flagset]]
who = "Ryan Hunt "
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "Uses no ambient capabilities, vetted the one instance of unsafe."

[[audits.mozilla.audits.fnv]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."

[[audits.mozilla.audits.fxhash]]
who = "Bobby Holley "
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."

[[audits.mozilla.audits.generic-array]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.14.5 -> 0.14.6"

[[audits.mozilla.audits.getrandom]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.7"

[[audits.mozilla.audits.half]]
who = "John M. Schanck "
criteria = "safe-to-deploy"
version = "1.8.2"
notes = """
This crate contains unsafe code for bitwise casts to/from binary16
floating-point format. I've reviewed these and found no issues. There are no
uses of ambient capabilities.
"""

# The stated rationale is transitive trust (the same version ships in Rust's
# libstd); the notes do not describe a code review of the crate itself.
[[audits.mozilla.audits.hashbrown]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"

[[audits.mozilla.audits.hermit-abi]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.2.6"

[[audits.mozilla.audits.indexmap]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.8.2 -> 1.9.1"

[[audits.mozilla.audits.itoa]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.2 -> 1.0.3"

[[audits.mozilla.audits.libc]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.126 -> 0.2.132"

[[audits.mozilla.audits.log]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
version = "0.4.17"

[[audits.mozilla.audits.memmap2]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.5.7"

[[audits.mozilla.audits.memoffset]]
who = "Gabriele Svelto "
criteria = "safe-to-deploy"
delta = "0.6.5 -> 0.7.1"

[[audits.mozilla.audits.miniz_oxide]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.5.3 -> 0.6.2"

# The three num-* records below carry the same author/reviewer attestation in
# their notes.
[[audits.mozilla.audits.num-integer]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."

[[audits.mozilla.audits.num-iter]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.1.43"
notes = "All code written or reviewed by Josh Stone."

[[audits.mozilla.audits.num-traits]]
who = "Josh Stone "
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
# Reading these records: `version` is a full audit of that release, while
# `delta = "A -> B"` covers only the diff and certifies B only when A is itself
# covered for the same criteria. "safe-to-run" is the weaker of the two
# criteria used here and does not imply "safe-to-deploy".

[[audits.mozilla.audits.num_cpus]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.13.1 -> 1.14.0"

[[audits.mozilla.audits.num_cpus]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.14.0 -> 1.15.0"

[[audits.mozilla.audits.once_cell]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.12.0 -> 1.13.1"

[[audits.mozilla.audits.once_cell]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.13.1 -> 1.16.0"

[[audits.mozilla.audits.os_str_bytes]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "6.1.0 -> 6.3.0"

[[audits.mozilla.audits.paste]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.7 -> 1.0.8"

[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.39 -> 1.0.43"

# Full audit; the notes list what was reviewed (the quote macros, the ident
# formatter and the runtime logic).
[[audits.mozilla.audits.quote]]
who = "Nika Layzell "
criteria = "safe-to-deploy"
version = "1.0.18"
notes = """
`quote` is a utility crate used by proc-macros to generate TokenStreams
conveniently from source code. The bulk of the logic is some complex
interlocking `macro_rules!` macros which are used to parse and build the
`TokenStream` within the proc-macro.
This crate contains no unsafe code, and the internal logic, while difficult to
read, is generally straightforward. I have audited the the quote macros, ident
formatter, and runtime logic.
"""

[[audits.mozilla.audits.quote]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.21"

[[audits.mozilla.audits.redox_syscall]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.16"

[[audits.mozilla.audits.regex]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.5.6 -> 1.6.0"

[[audits.mozilla.audits.regex-syntax]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.6.26 -> 0.6.27"

[[audits.mozilla.audits.ryu]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.10 -> 1.0.11"

[[audits.mozilla.audits.serde]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.137 -> 1.0.143"

[[audits.mozilla.audits.serde]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.143 -> 1.0.144"

[[audits.mozilla.audits.serde_cbor]]
who = "R. Martinho Fernandes "
criteria = "safe-to-deploy"
version = "0.11.1"

[[audits.mozilla.audits.serde_cbor]]
who = "John M. Schanck "
criteria = "safe-to-deploy"
delta = "0.11.1 -> 0.11.2"

[[audits.mozilla.audits.serde_derive]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.137 -> 1.0.143"

[[audits.mozilla.audits.serde_derive]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.143 -> 1.0.144"

[[audits.mozilla.audits.serde_json]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.81 -> 1.0.83"

[[audits.mozilla.audits.serde_json]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.85"

[[audits.mozilla.audits.smallvec]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.9.0"

[[audits.mozilla.audits.syn]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.96 -> 1.0.99"

# Certified by the crate's primary author and maintainer; the notes record one
# `unsafe` use, described as unnecessary but harmless.
[[audits.mozilla.audits.synstructure]]
who = "Nika Layzell "
criteria = "safe-to-deploy"
version = "0.12.6"
notes = """
I am the primary author of the `synstructure` crate, and its current
maintainer. The one use of `unsafe` is unnecessary, but documented and
harmless. It will be removed in the next version.
"""

[[audits.mozilla.audits.thiserror]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.31 -> 1.0.32"

[[audits.mozilla.audits.thiserror-impl]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "1.0.31 -> 1.0.32"

# The three tracing crates have only safe-to-run deltas among these records:
# nothing here supports safe-to-deploy for them, and the audits of the base
# versions are not in this excerpt.
[[audits.mozilla.audits.tracing]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "0.1.35 -> 0.1.36"

[[audits.mozilla.audits.tracing-attributes]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "0.1.21 -> 0.1.22"

[[audits.mozilla.audits.tracing-core]]
who = "Mike Hommey "
criteria = "safe-to-run"
delta = "0.1.27 -> 0.1.29"

# Per the notes, the auditor wrote most of the changes in this delta and cut
# the release; the remaining changes since 0.1.19 are the part reviewed as
# third-party code.
[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.1.20"
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."

[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey "
criteria = "safe-to-deploy"
delta = "0.1.20 -> 0.1.21"

[[audits.mozilla.audits.wasm-encoder]]
who = "Ryan Hunt "
criteria = "safe-to-deploy"
version = "0.7.0"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities."

# A single delta covers everything between 0.7.0 and 0.14.0.
[[audits.mozilla.audits.wasm-encoder]]
who = "Ryan Hunt "
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.14.0"
notes = "wasm-encoder has no unsafe code and uses no ambient capabilities."

[[audits.mozilla.audits.wasm-encoder]]
who = "Yury Delendik "
criteria = "safe-to-deploy"
delta = "0.14.0 -> 0.15.0"

[[audits.mozilla.audits.wasm-smith]]
who = "Ryan Hunt "
criteria = "safe-to-deploy"
version = "0.11.2"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."
# This delta is certified for safe-to-run only. A chain of audits is only as
# strong as its weakest link, so this record does not extend safe-to-deploy
# to wasm-smith 0.11.3, whatever criteria the audit of 0.11.2 carries.
[[audits.mozilla.audits.wasm-smith]]
who = "Yury Delendik "
criteria = "safe-to-run"
delta = "0.11.2 -> 0.11.3"

[[audits.mozilla.audits.wasmparser]]
who = "Ryan Hunt "
criteria = "safe-to-deploy"
version = "0.87.0"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."

[[audits.mozilla.audits.wasmparser]]
who = "Yury Delendik "
criteria = "safe-to-deploy"
delta = "0.87.0 -> 0.88.0"

# Full audit followed by a delta, both safe-to-deploy; neither record has notes.
[[audits.mozilla.audits.wast]]
who = "Ryan Hunt "
criteria = "safe-to-deploy"
version = "44.0.0"

[[audits.mozilla.audits.wast]]
who = "Yury Delendik "
criteria = "safe-to-deploy"
delta = "44.0.0 -> 45.0.0"