91de5de049
While bringing in no major updates for Wasmtime I've taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn't need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
329 lines
12 KiB
Plaintext
329 lines
12 KiB
Plaintext
|
|
# cargo-vet imports lock
|
|
|
|
[[publisher.wasm-mutate]]
|
|
version = "0.2.23"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[publisher.wasm-smith]]
|
|
version = "0.12.6"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[publisher.wasmparser]]
|
|
version = "0.103.0"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[publisher.wasmprinter]]
|
|
version = "0.2.55"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[publisher.wast]]
|
|
version = "56.0.0"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[publisher.wat]]
|
|
version = "1.0.62"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[publisher.wit-parser]]
|
|
version = "0.7.0"
|
|
when = "2023-04-13"
|
|
user-id = 1
|
|
user-login = "alexcrichton"
|
|
user-name = "Alex Crichton"
|
|
|
|
[[audits.embark-studios.audits.anyhow]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.58"
|
|
|
|
[[audits.embark-studios.audits.anyhow]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.58 -> 1.0.66"
|
|
notes = "New unsafe usage, looks sane. Expert maintainer"
|
|
|
|
[[audits.embark-studios.audits.cty]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.2"
|
|
notes = "Inspected it and is a tiny crate with just type definitions"
|
|
|
|
[[audits.embark-studios.audits.webpki-roots]]
|
|
who = "Johan Andersson <opensource@embark-studios.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.22.4"
|
|
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"
|
|
|
|
[[audits.google.audits.libfuzzer-sys]]
|
|
who = "ChromeOS"
|
|
criteria = "safe-to-run"
|
|
version = "0.4.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.miniz_oxide]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-run"
|
|
version = "0.6.2"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.static_assertions]]
|
|
who = "ChromeOS"
|
|
criteria = "safe-to-run"
|
|
version = "1.1.0"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.google.audits.version_check]]
|
|
who = "George Burgess IV <gbiv@google.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.4"
|
|
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
|
|
|
|
[[audits.isrg.audits.block-buffer]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.isrg.audits.opaque-debug]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.0"
|
|
|
|
[[audits.isrg.audits.universal-hash]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.1"
|
|
|
|
[[audits.isrg.audits.untrusted]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.1"
|
|
|
|
[[audits.isrg.audits.wasm-bindgen-shared]]
|
|
who = "David Cook <dcook@divviup.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.83"
|
|
|
|
[[audits.mozilla.audits.autocfg]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.1.0"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-set]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.5.2"
|
|
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.bit-vec]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.3"
|
|
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.crypto-common]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.3 -> 0.1.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.either]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.6.1"
|
|
notes = """
|
|
Straightforward crate providing the Either enum and trait implementations with
|
|
no unsafe code.
|
|
"""
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.encoding_rs]]
|
|
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.8.31"
|
|
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.flagset]]
|
|
who = "Ryan Hunt <rhunt@eqrion.net>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.3"
|
|
notes = "Uses no ambient capabilities, vetted the one instance of unsafe."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fnv]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.7"
|
|
notes = "Simple hasher implementation with no unsafe code."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.fxhash]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.1"
|
|
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.half]]
|
|
who = "John M. Schanck <jschanck@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.8.2"
|
|
notes = """
|
|
This crate contains unsafe code for bitwise casts to/from binary16 floating-point
|
|
format. I've reviewed these and found no issues. There are no uses of ambient
|
|
capabilities.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hashbrown]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.3"
|
|
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.hermit-abi]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.2.6"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.lazy_static]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.4.0"
|
|
notes = "I have read over the macros, and audited the unsafe code."
|
|
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.log]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.4.17"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.memoffset]]
|
|
who = "Gabriele Svelto <gsvelto@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.6.5 -> 0.7.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-integer]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.45"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-iter]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.43"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num-traits]]
|
|
who = "Josh Stone <jistone@redhat.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.15"
|
|
notes = "All code written or reviewed by Josh Stone."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num_cpus]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.13.1 -> 1.14.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.num_cpus]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.14.0 -> 1.15.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.once_cell]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.12.0 -> 1.13.1"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.once_cell]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.13.1 -> 1.16.0"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.quote]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.18"
|
|
notes = """
|
|
`quote` is a utility crate used by proc-macros to generate TokenStreams
|
|
conveniently from source code. The bulk of the logic is some complex
|
|
interlocking `macro_rules!` macros which are used to parse and build the
|
|
`TokenStream` within the proc-macro.
|
|
|
|
This crate contains no unsafe code, and the internal logic, while difficult to
|
|
read, is generally straightforward. I have audited the the quote macros, ident
|
|
formatter, and runtime logic.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.slab]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.6 -> 0.4.7"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.socket2]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.4.4 -> 0.4.7"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.synstructure]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.6"
|
|
notes = """
|
|
I am the primary author of the `synstructure` crate, and its current
|
|
maintainer. The one use of `unsafe` is unnecessary, but documented and
|
|
harmless. It will be removed in the next version.
|
|
"""
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|
|
|
|
[[audits.mozilla.audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.1.21"
|
|
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
|