author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /supply-chain | |
parent | Initial commit. (diff) | |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'supply-chain')
-rw-r--r-- | supply-chain/audits.toml | 5107 | ||||
-rw-r--r-- | supply-chain/config.toml | 824 | ||||
-rw-r--r-- | supply-chain/imports.lock | 1460 | ||||
-rw-r--r-- | supply-chain/moz.build | 8 |
4 files changed, 7399 insertions, 0 deletions
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
new file mode 100644
index 0000000000..01c422daf5
--- /dev/null
+++ b/supply-chain/audits.toml
@@ -0,0 +1,5107 @@
+
+# cargo-vet audits file
+
+[[wildcard-audits.audio_thread_priority]]
+who = "Paul Adenot <paul@paul.cx>"
+criteria = "safe-to-deploy"
+user-id = 1258 # Paul Adenot (padenot)
+start = "2019-05-09"
+end = "2024-04-24"
+notes = """
+I've written most of this crate, the rest has been either written and in any
+case has been reviewed by Mozilla developers.
+"""
+
+[[wildcard-audits.authenticator]]
+who = "John M. Schanck <jschanck@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 175410 # John Schanck (jschanck)
+start = "2022-11-15"
+end = "2024-04-26"
+notes = "Maintained by the CryptoEng team at Mozilla."
+
+[[wildcard-audits.bhttp]]
+who = "Martin Thomson <mt@lowentropy.net>"
+criteria = "safe-to-deploy"
+user-id = 128763 # Martin Thomson (martinthomson)
+start = "2022-08-04"
+end = "2024-03-09"
+notes = "Though the code is safe to run and deploy, the code for processing HTTP/1.1 messages (the `read-http` feature, specifically) is not suited for deployment in real applications, either clients or servers. Some features necessary for live deployment are not implemented, such as the proper handling of some types of response (e.g., a response to a HEAD request). Software that processes HTTP/1.1 messages requires a large number of compatibility tweaks if it is to be deployed interoperably. This feature only exists to support basic validation tools and is unlikely to be widely compatible."
+
+[[wildcard-audits.cexpr]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+user-id = 3788 # Emilio Cobos Álvarez (emilio)
+start = "2021-06-21"
+end = "2024-04-21"
+notes = "No unsafe code, rather straight-forward parser."
+
+[[wildcard-audits.cocoa]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-07-23"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.cocoa]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2022-11-01"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.cocoa-foundation]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2023-03-16"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.cocoa-foundation]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2020-07-20"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-foundation]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-11-12"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-foundation]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2019-03-29"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-foundation-sys]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-11-12"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-foundation-sys]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2020-10-14"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-graphics]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-10-28"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-graphics]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2020-12-08"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-graphics-types]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2020-07-20"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-text]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-03-29"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.core-text]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2021-02-14"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.dogear]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 27901 # Lina Butler (linabutler)
+start = "2019-03-04"
+end = "2024-05-05"
+notes = "Lina developed this crate as Mozilla staff."
+
+[[wildcard-audits.encoding_rs]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+user-id = 4484 # Henri Sivonen (hsivonen)
+start = "2019-02-26"
+end = "2024-08-28"
+notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
+
+[[wildcard-audits.etagere]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1281 # Nicolas Silva (nical)
+start = "2020-11-12"
+end = "2024-04-25"
+notes = "I am the author of this crate."
+
+[[wildcard-audits.euclid]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1281 # Nicolas Silva (nical)
+start = "2019-03-14"
+end = "2024-04-25"
+notes = "I wrote most of the commits in the euclid reprository and review every change that is not produced by me."
+
+[[wildcard-audits.freetype]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2020-02-28"
+end = "2023-05-04"
+renew = false
+notes = "All code written or reviewed by Mozilla staff."
+
+[[wildcard-audits.gleam]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-03-18"
+end = "2023-05-04"
+renew = false
+notes = "All code written or reviewed by Mozilla."
+
+[[wildcard-audits.gleam]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2023-04-21"
+end = "2023-05-04"
+renew = false
+notes = "All code written or reviewed by Mozilla."
+
+[[wildcard-audits.gleam]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1039
+start = "2019-03-01"
+end = "2023-05-04"
+renew = false
+notes = "All code written or reviewed by Mozilla."
+
+[[wildcard-audits.glean]]
+who = "Chris H-C <chutten@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2020-11-10"
+end = "2025-02-12"
+notes = "The Glean SDKs are maintained by the Glean Team at Mozilla."
+
+[[wildcard-audits.glean]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 66068 # Travis Long (travis79)
+start = "2024-02-12"
+end = "2025-02-13"
+
+[[wildcard-audits.glean-core]]
+who = "Chris H-C <chutten@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2019-09-24"
+end = "2025-02-12"
+notes = "The Glean SDKs are maintained by the Glean Team at Mozilla."
+
+[[wildcard-audits.glean-core]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 66068 # Travis Long (travis79)
+start = "2020-07-10"
+end = "2025-02-13"
+
+[[wildcard-audits.glslopt]]
+who = "Jamie Nicol <jnicol@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 84794 # Jamie Nicol (jamienicol)
+start = "2020-04-07"
+end = "2024-04-25"
+
+[[wildcard-audits.io-surface]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-07-23"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
+[[wildcard-audits.marionette]]
+who = "Henrik Skupin <mail@hskupin.info>"
+criteria = "safe-to-run"
+user-id = 22262
+start = "2020-11-03"
+end = "2024-03-31"
+notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+
+[[wildcard-audits.mozdevice]]
+who = "Henrik Skupin <mail@hskupin.info>"
+criteria = "safe-to-run"
+user-id = 22262
+start = "2020-11-03"
+end = "2024-03-31"
+notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+
+[[wildcard-audits.mozprofile]]
+who = "Henrik Skupin <mail@hskupin.info>"
+criteria = "safe-to-deploy"
+user-id = 22262
+start = "2020-11-03"
+end = "2024-03-31"
+notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+
+[[wildcard-audits.mozrunner]]
+who = "Henrik Skupin <mail@hskupin.info>"
+criteria = "safe-to-deploy"
+user-id = 22262
+start = "2020-11-03"
+end = "2024-03-31"
+notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+
+[[wildcard-audits.mozversion]]
+who = "Henrik Skupin <mail@hskupin.info>"
+criteria = "safe-to-run"
+user-id = 22262
+start = "2020-11-03"
+end = "2024-03-31"
+notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+
+[[wildcard-audits.nss-gk-api]]
+who = "John M. Schanck <jschanck@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 175410 # John Schanck (jschanck)
+start = "2022-11-14"
+end = "2024-06-20"
+notes = "Maintained by the CryptoEng team at Mozilla."
+
+[[wildcard-audits.ohttp]]
+who = "Martin Thomson <mt@lowentropy.net>"
+criteria = "safe-to-deploy"
+user-id = 128763 # Martin Thomson (martinthomson)
+start = "2022-08-04"
+end = "2024-03-09"
+notes = "This code contains two cryptographic back ends. No unsafe code is contained if the Rust `hpke` crate is used (the `rust-hpke` feature). Using NSS (the `nss` feature) involves extensive use of bindings to the native code provided by NSS. This interface uses wrappers that attempt to add safety to a fundamentally very dangerous library, but those wrappers have only been validated for use following the needs of this crate."
+
+[[wildcard-audits.qcms]]
+who = "Jeff Muizelaar <jmuizelaar@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2020-11-05"
+end = "2025-01-09"
+notes = "Maintained by the Graphics team at Mozilla in mozilla-central."
+
+[[wildcard-audits.rust_cascade]]
+who = "Dana Keeler <dkeeler@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 57462 # Dana Keeler (mozkeeler)
+start = "2019-11-15"
+end = "2024-04-24"
+notes = "Written and maintained by the security engineering team at Mozilla."
+
+[[wildcard-audits.unicode-normalization]]
+who = "Manish Goregaokar <manishsmail@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2019-11-06"
+end = "2024-05-03"
+notes = "All code written or reviewed by Manish"
+
+[[wildcard-audits.unicode-segmentation]]
+who = "Manish Goregaokar <manishsmail@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2019-05-15"
+end = "2024-05-03"
+notes = "All code written or reviewed by Manish"
+
+[[wildcard-audits.unicode-width]]
+who = "Manish Goregaokar <manishsmail@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2019-12-05"
+end = "2024-05-03"
+notes = "All code written or reviewed by Manish"
+
+[[wildcard-audits.unicode-xid]]
+who = "Manish Goregaokar <manishsmail@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2019-07-25"
+end = "2024-05-03"
+notes = "All code written or reviewed by Manish"
+
+[[wildcard-audits.uniffi]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-05-05"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2021-10-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_bindgen]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-05-05"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_bindgen]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2021-10-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_build]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-05-05"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_build]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2021-10-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_checksum_derive]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-12-16"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_checksum_derive]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2023-01-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_core]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2023-06-21"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_core]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2023-01-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_macros]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-05-05"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_macros]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2021-10-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_meta]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-08-31"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_meta]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2022-09-13"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_testing]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 48 # Jan-Erik Rediger (badboy)
+start = "2022-12-16"
+end = "2024-06-21"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_testing]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2023-01-27"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.uniffi_udl]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2023-10-18"
+end = "2024-12-11"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[wildcard-audits.utf8_iter]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+user-id = 4484 # Henri Sivonen (hsivonen)
+start = "2022-04-19"
+end = "2024-06-16"
+notes = "Maintained by Henri Sivonen who works at Mozilla."
+
+[[wildcard-audits.webdriver]]
+who = "Henrik Skupin <mail@hskupin.info>"
+criteria = "safe-to-deploy"
+user-id = 22262
+start = "2020-11-03"
+end = "2024-03-31"
+notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+
+[[audits.aa-stroke]]
+who = "Lee Salzman <lsalzman@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = "Written and maintained by Gfx team at Mozilla."
+
+[[audits.aho-corasick]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.18 -> 0.7.20"
+
+[[audits.alsa]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.3 -> 0.7.0"
+
+[[audits.alsa]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.8.1"
+
+[[audits.android_logger]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.11.0"
+notes = "Small crate, wrapping Android log functionality, reviewed by janerik"
+
+[[audits.android_logger]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.11.1"
+notes = "Small crate, wrapping Android log functionality, now switched to properly using MaybeUninit"
+
+[[audits.android_logger]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.11.1 -> 0.11.3"
+
+[[audits.android_logger]]
+who = "Chris H-C <chutten@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.3 -> 0.12.0"
+notes = "Small wrapper crate. This update fixes log level filtering."
+
+[[audits.android_system_properties]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."
+
+[[audits.android_system_properties]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.4"
+
+[[audits.android_system_properties]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.4 -> 0.1.5"
+
+[[audits.anyhow]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.57 -> 1.0.61"
+
+[[audits.anyhow]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "1.0.58 -> 1.0.57"
+notes = "No functional differences, just CI config and docs."
+
+[[audits.anyhow]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.61 -> 1.0.62"
+
+[[audits.anyhow]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.62 -> 1.0.68"
+
+[[audits.anyhow]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.68 -> 1.0.69"
+
+[[audits.app_units]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.7.1"
+notes = """
+I'm pretty familiar with this crate. It provides a fixed-point numeric type.
+The code is pretty straight-forward, there's no unsafe code at all.
+"""
+
+[[audits.app_units]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.7.3"
+
+[[audits.app_units]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.7.1 -> 0.7.2"
+notes = "Adding repr(transparent) plus a couple minor clean-ups, no functional changes from 0.7.1."
+
+[[audits.arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.1.0 -> 1.1.1"
+
+[[audits.arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.1.1 -> 1.1.3"
+
+[[audits.arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.1.3 -> 1.2.0"
+
+[[audits.arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.2.0 -> 1.2.3"
+
+[[audits.ash]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.37.0+1.3.209 -> 0.37.1+1.3.235"
+notes = """
+Nicolas Silva, Jim Blandy, and Teodor Tanasoaia audited ash master
+branch commits from e43e9c0c to 6bd82768 inclusive.
+"""
+
+[[audits.ash]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.37.1+1.3.235 -> 0.37.2+1.3.238"
+
+[[audits.ash]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.37.2+1.3.238 -> 0.37.3+1.3.251"
+
+[[audits.ashmem]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = """
+Small unsafe wrapper around Android 8.0's ASharedMemory native API that falls
+back to older private ioctl-based API at runtime on earlier OS releases. The
+shim code is small and doesn't inspect the API arguments, so is unlikely to
+expose any safety issues beyond those presented by the native OS API.
+"""
+
+[[audits.askama]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.11.1"
+notes = """
+Just contains some traits and re-exports for use by a broader package of related
+crates. No unsafe code or ambient capability usage.
+"""
+
+[[audits.async-task]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+delta = "4.0.3 -> 4.0.3@git:f6488e35beccb26eb6e85847b02aa78a42cd3d0e"
+notes = "Recorded by bholley, confirmed over slack."
+
+[[audits.async-task]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+delta = "4.0.3 -> 4.3.0"
+notes = "Main addition is the new FallibleTask type, which I implemented. No risky unsafe code changes."
+
+[[audits.async-trait]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.56 -> 0.1.57"
+
+[[audits.async-trait]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.57 -> 0.1.60"
+
+[[audits.async-trait]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.60 -> 0.1.64"
+
+[[audits.atomic_refcell]]
+who = "Bobby Holley <bholley@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.8"
+notes = "I maintain this crate and have reviewed every line."
+
+[[audits.atomic_refcell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.8 -> 0.1.9"
+
+[[audits.audio-mixer]]
+who = "Chun-Min Chang <chun.m.chang@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "audio-mixer is a Mozilla-developed package."
+
+[[audits.audio-mixer]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.3"
+
+[[audits.authenticator]]
+who = "John M. Schanck <jschanck@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.4.0-alpha.13"
+notes = "Maintained by the CryptoEng team at Mozilla."
+
+[[audits.autocfg]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "1.1.0"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.base64]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.13.0 -> 0.13.1"
+
+[[audits.bindgen]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.59.2"
+notes = "I'm the primary author and maintainer of the crate."
+
+[[audits.bindgen]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.59.2 -> 0.63.0"
+
+[[audits.bindgen]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.63.0 -> 0.64.0"
+
+[[audits.bindgen]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.64.0 -> 0.66.1"
+
+[[audits.bindgen]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.66.1 -> 0.68.1"
+
+[[audits.bindgen]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.68.1 -> 0.69.1"
+
+[[audits.bindgen]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.69.1 -> 0.69.2"
+
+[[audits.bindgen]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.69.2 -> 0.69.4"
+
+[[audits.bit-set]]
+who = "Aria Beingessner <a.beingessner@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.5.2"
+notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
+
+[[audits.bit-set]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.5.3"
+
+[[audits.bit-vec]]
+who = "Aria Beingessner <a.beingessner@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.6.3"
+notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
+
+[[audits.bitflags]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "1.3.2 -> 2.0.2"
+notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
+
+[[audits.bitflags]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "2.0.2 -> 2.1.0"
+
+[[audits.bitflags]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "2.2.1 -> 2.3.2"
+
+[[audits.bitflags]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "2.3.3 -> 2.4.0"
+
+[[audits.block-buffer]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.10.3"
+
+[[audits.build-parallel]]
+who = "Jeff Muizelaar <jmuizelaar@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+
+[[audits.bumpalo]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-run"
+delta = "3.9.1 -> 3.10.0"
+notes = """
+Some nontrivial functional changes but certainly meets the no-malware bar of
+safe-to-run. If we needed safe-to-deploy for this in m-c I'd ask Nick to re-
+certify this version, but we don't, so this is fine for now.
+"""
+
+[[audits.bumpalo]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "3.11.1 -> 3.12.0"
+
+[[audits.bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.1.0 -> 1.2.1"
+
+[[audits.bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.2.1 -> 1.3.0"
+
+[[audits.bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.3.0 -> 1.4.0"
+
+[[audits.camino]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.9 -> 1.1.1"
+
+[[audits.camino]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.1.1 -> 1.1.2"
+
+[[audits.cargo_metadata]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.15.2"
+notes = "I reviewed the whole code base. Parser for the output of cargo-metadata, relying mostly on serde. No unsafe code used."
+
+[[audits.cargo_metadata]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.15.2 -> 0.15.3"
+
+[[audits.cc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.73 -> 1.0.78"
+
+[[audits.chardetng]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.1.9"
+notes = "I, Henri Sivonen, wrote this (safe-code-only) crate for Gecko even though the crate is published via crates.io."
+
+[[audits.chardetng]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.9 -> 0.1.9@git:3484d3e3ebdc8931493aa5df4d7ee9360a90e76b"
+
+[[audits.chardetng_c]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "I, Henri Sivonen, wrote this crate for Gecko even though it is published via crates.io. The buffer input assumes Rust slice constraints for the start pointer. In Gecko, this is taken care of by mozilla::Span, but the C API doesn't conform to idiomatic C constraints on this point."
+
+[[audits.chardetng_c]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.2@git:ed8a4c6f900a90d4dbc1d64b856e61490a1c3570"
+
+[[audits.clang-sys]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.3.3 -> 1.4.0"
+
+[[audits.clang-sys]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.4.0 -> 1.6.0"
+
+[[audits.clap_lex]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.0 -> 0.2.2"
+
+[[audits.clap_lex]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.2 -> 0.2.4"
+
+[[audits.comedy]]
+who = "Nick Alexander <nalexander@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.0"
+notes = """
+The comedy crate was written by Adam Gashlin for Mozilla's use. The entire
+comedy 0.2.0 crate is full of `unsafe` code and makes many assumptions about
+memory and layout, but there is no particular processing of untrusted input
+here.
+"""
+
+[[audits.cookie]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.16.0 -> 0.16.2"
+
+[[audits.core-graphics]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.22.3 -> 0.23.1"
+
+[[audits.core-graphics-types]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.1 -> 0.1.2"
+
+[[audits.core-text]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "19.2.0 -> 20.0.0"
+
+[[audits.core-text]]
+who = "Jonathan Kew <jfkthame@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "20.0.0 -> 20.1.0"
+notes = """
+The bulk of the 20.0.0 -> 20.1.0 changes were purely cosmetic clippy and rustfmt changes.
+
+The only substantive change was the addition of wrappers to expose two additional Core Text APIs,
+the variants of CTFontCreateWithName and CTFontCreateWithFontDescriptor that accept a CTFontOptions
+parameter. These are directly parallel to the existing versions without CTFontOptions, and do not
+introduce any new forms of risk.
+"""
+
+[[audits.core_maths]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+
+[[audits.coreaudio-sys]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.10 -> 0.2.11"
+
+[[audits.coreaudio-sys]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.11 -> 0.2.12"
+
+[[audits.coreaudio-sys]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.12 -> 0.2.13"
+
+[[audits.coreaudio-sys]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.13 -> 0.2.14"
+
+[[audits.cose]]
+who = "Mathew Hodson <mathew.hodson@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.4 -> 0.1.4@git:43c22248d136c8b38fe42ea709d08da6355cf04b"
+
+[[audits.cpufeatures]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.2 -> 0.2.4"
+
+[[audits.cpufeatures]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.4 -> 0.2.5"
+
+[[audits.cpufeatures]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.7 -> 0.2.8"
+notes = "This release contains a single fix for an issue that affected Firefox"
+
+[[audits.crash-context]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.5.1"
+notes = "Mozilla employees contributed to this crate and the remaining code was fully audited"
+
+[[audits.crash-context]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.1 -> 0.6.0"
+notes = """
+There are few changes. The main change is the removal of `winapi` in favor of
+manually-generated bindings (which are minimal). The few small bugfixes are
+sound.
+"""
+
+[[audits.crash-context]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.6.1"
+
+[[audits.crossbeam-channel]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.4 -> 0.5.6"
+
+[[audits.crossbeam-deque]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.1 -> 0.8.2"
+
+[[audits.crossbeam-epoch]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.8 -> 0.9.10"
+
+[[audits.crossbeam-epoch]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.10 -> 0.9.13"
+
+[[audits.crossbeam-epoch]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.13 -> 0.9.14"
+
+[[audits.crossbeam-queue]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+version = "0.3.8"
+
+[[audits.crossbeam-utils]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.8 -> 0.8.11"
+
+[[audits.crossbeam-utils]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.11 -> 0.8.14"
+
+[[audits.crypto-common]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.3 -> 0.1.6"
+
+[[audits.cssparser]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.29.6"
+notes = """
+I've reviewed or authored most of the recent changes to this library, and it
+was developed by other mozilla folks. Unsafe code there is reasonable (utf-8
+casts for serialization and parsing).
+"""
+
+[[audits.cssparser]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.29.6 -> 0.31.0"
+notes = """
+All the changes in this release were authored by Mozilla staff, except the
+uninit_array stuff, which looks fine.
+"""
+
+[[audits.cssparser]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.31.0 -> 0.31.2"
+
+[[audits.cssparser]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.31.2 -> 0.32.0"
+notes = "All changes were either authored or reviewed by Mozilla employees."
+
+[[audits.cssparser]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.32.0 -> 0.33.0"
+notes = """
+Mozilla authored. Breaking changes from 0.32 involve splitting color APIs into
+their own crate and removing an unused line number offset mechanism.
+"""
+
+[[audits.cssparser]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.33.0 -> 0.33.0@git:aaa966d9d6ae70c4b8a62bb5e3a14c068bb7dff0"
+notes = "Only one minimal change exposing a previously-private enumeration."
+
+[[audits.cssparser-color]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = "This code used to live in cssparser's color module. Only moved out. Mozilla-authored."
+
+[[audits.cssparser-macros]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.6.0"
+notes = """
+Trivial crate with a single proc macro to compute the max length of the inputs
+to a match expression.
+"""
+
+[[audits.cssparser-macros]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.6.1"
+
+[[audits.cssparser-macros]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.6.1 -> 0.6.1@git:aaa966d9d6ae70c4b8a62bb5e3a14c068bb7dff0"
+notes = "No changes from already-certified upstream, but needed because it lives in the same git repo as the cssparser crate."
+
+[[audits.cstr]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.2.10"
+notes = """
+I've reviewed the code of the crate thoroughly. It generates an unsafe block
+which is statically guaranteed to be safe. Inputs to the macro have to be
+static so there's no uncontrolled input whatsoever.
+"""
+
+[[audits.cstr]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.10 -> 0.2.11"
+
+[[audits.cubeb]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+version = "0.10.1"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.1 -> 0.10.2"
+
+[[audits.cubeb]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.10.3"
+
+[[audits.cubeb]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.3 -> 0.12.0"
+
+[[audits.cubeb-backend]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+version = "0.10.1"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb-backend]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.1 -> 0.10.2"
+
+[[audits.cubeb-backend]]
+who = "Paul Adenot <paul@paul.cx>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.10.3"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb-backend]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.3 -> 0.10.7"
+
+[[audits.cubeb-backend]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.7 -> 0.12.0"
+
+[[audits.cubeb-core]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+version = "0.10.1"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb-core]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.1 -> 0.10.2"
+
+[[audits.cubeb-core]]
+who = "Paul Adenot <paul@paul.cx>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.10.3"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.3 -> 0.10.4"
+
+[[audits.cubeb-core]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.4 -> 0.10.7"
+
+[[audits.cubeb-core]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.7 -> 0.12.0"
+
+[[audits.cubeb-sys]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+version = "0.10.1"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb-sys]]
+who = "Matthew Gregan <kinetik@flim.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.1 -> 0.10.2"
+
+[[audits.cubeb-sys]]
+who = "Paul Adenot <paul@paul.cx>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.10.3"
+notes = """
+Mozilla-developed package.
+"""
+
+[[audits.cubeb-sys]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.3 -> 0.10.7"
+
+[[audits.cubeb-sys]]
+who = "Andreas Pehrson <apehrson@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.7 -> 0.12.0"
+
+[[audits.d3d12]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.4.1 -> 0.5.0"
+notes = "The commits between 0.4.1 and 0.5.0 were all audited by Dzmitry Malyshau or myself."
+
+[[audits.d3d12]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.0 -> 0.7.0"
+
+[[audits.d3d12]]
+who = [
+ "Erich Gubler <egubler@mozilla.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
+ "Jim Blandy <jimb@red-bean.com>",
+ "Nicolas Silva <nical@fastmail.com>",
+]
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+importable = false
+
+[[audits.darling]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.13.4 -> 0.14.2"
+
+[[audits.darling]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.2 -> 0.14.3"
+
+[[audits.darling]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.3 -> 0.20.1"
+
+[[audits.darling_core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.13.4 -> 0.14.2"
+
+[[audits.darling_core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.2 -> 0.14.3"
+
+[[audits.darling_core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.3 -> 0.20.1"
+
+[[audits.darling_macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.13.4 -> 0.14.2"
+
+[[audits.darling_macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.2 -> 0.14.3"
+
+[[audits.darling_macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.3 -> 0.20.1"
+
+[[audits.data-encoding]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "2.3.2 -> 2.3.3"
+
+[[audits.debugid]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.8.0"
+notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it."
+
+[[audits.derive_arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.1.0 -> 1.1.1"
+
+[[audits.derive_arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.1.1 -> 1.1.3"
+
+[[audits.derive_arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.1.3 -> 1.2.1"
+
+[[audits.derive_arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.2.1 -> 1.2.3"
+
+[[audits.derive_arbitrary]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.3.0 -> 1.3.1"
+
+[[audits.derive_more]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.99.17 -> 1.0.0-beta.2"
+
+[[audits.devd-rs]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.4 -> 0.3.5"
+
+[[audits.devd-rs]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.5 -> 0.3.6"
+
+[[audits.digest]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.3 -> 0.10.6"
+
+[[audits.diplomat]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.5.2"
+notes = "This crate is FFI wrapper generator using by ICU4X ffi libraries. This uses unsafe code to convert paramenters, I have reviewed this and generated headers."
+
+[[audits.diplomat]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.5.2@git:8d125999893fedfdf30595e97334c21ec4b18da9"
+
+[[audits.diplomat]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.7.0"
+
+[[audits.diplomat-runtime]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.5.2"
+notes = "This crate is FFI wrapper generator runtime using by ICU4X ffi libraries. This uses unsafe code for memory access of FFI. I have reviewed carefully."
+
+[[audits.diplomat-runtime]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.5.2@git:8d125999893fedfdf30595e97334c21ec4b18da9"
+
+[[audits.diplomat-runtime]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.7.0"
+
+[[audits.diplomat_core]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.5.2"
+notes = "This crate contains unsafe code, no network and no file access."
+
+[[audits.diplomat_core]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.5.2@git:8d125999893fedfdf30595e97334c21ec4b18da9"
+
+[[audits.diplomat_core]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.7.0"
+
+[[audits.displaydoc]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.2.3"
+notes = """
+This crate is convenient macros to implement core::fmt::Display trait.
+Although `unsafe` is used for test code to call `libc::abort()`, it has no `unsafe` code in this crate. And there is no file access.
+It meets the criteria for safe-to-deploy.
+"""
+
+[[audits.displaydoc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.3 -> 0.2.4"
+
+[[audits.dogear]]
+who = "Sammy Khamis <skhamis@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.4.0 -> 0.5.0"
+notes = "The repository for this crate belongs in the Mozilla org."
+
+[[audits.dtoa-short]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.3.3"
+
+[[audits.dwrote]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.11.0"
+notes = "All code written or reviewed by Mozilla staff."
+
+[[audits.either]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.6.1 -> 1.7.0"
+
+[[audits.either]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.7.0 -> 1.8.0"
+
+[[audits.either]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.8.0 -> 1.8.1"
+
+[[audits.encoding_c]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.9.8"
+notes = "I, Henri Sivonen, wrote encoding_c for Gecko even though it is published via crates.io. There are two caveats: 1) the C API is designed to be used together with mozilla::Span and is unidiomatic for zero-length inputs otherwise. 2) It is idiomatic in C and C++ to pass uninitialized buffers as output buffers. This is generally documented to be UB in Rust, but idiomatic C and C++ usage here relies on this not actually being UB for buffers of integers (which these buffers are). See https://github.com/hsivonen/encoding_rs/issues/79#issuecomment-1211870361"
+
+[[audits.encoding_c_mem]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.2.6"
+notes = """
+I, Henri Sivonen, wrote encoding_c_mem for Gecko even though it is published via crates.io. There are two caveats: 1) the C API is designed to be used together with mozilla::Span and is unidiomatic for zero-length inputs otherwise. 2) It is idiomatic in C and C
+++ to pass uninitialized buffers as output buffers. This is generally documented to be UB in Rust, but idiomatic C and C++ usage here relies on this not actually being UB for buffers of integers (which these buffers are). See https://github.com/hsivonen/encoding_rs/i
+ssues/79#issuecomment-1211870361
+"""
+
+[[audits.encoding_rs]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.8.31"
+notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
+
+[[audits.encoding_rs]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.31 -> 0.8.32"
+
+[[audits.enum-map]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "2.7.3"
+
+[[audits.enum-map-derive]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.17.0"
+
+[[audits.enum-primitive-derive]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.2"
+
+[[audits.enumset]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.11 -> 1.0.12"
+
+[[audits.enumset]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.12 -> 1.1.2"
+
+[[audits.enumset_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.6.1"
+
+[[audits.enumset_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.1 -> 0.8.1"
+
+[[audits.env_logger]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.9.3"
+
+[[audits.env_logger]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.9.3 -> 0.10.0"
+
+[[audits.errno]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.1 -> 0.3.3"
+
+[[audits.extend]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.1.2"
+notes = "Inspected the crate and noted that the impl block comes directly from the proc-macro input. If no new code can be added by this crate, I don't think there can be any issues."
+
+[[audits.extend]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.1.2 -> 1.2.0"
+
+[[audits.fallible_collections]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.4 -> 0.4.5"
+
+[[audits.fallible_collections]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.5 -> 0.4.6"
+notes = "The changes in this version are mine."
+
+[[audits.fastrand]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.7.0 -> 1.8.0"
+
+[[audits.fastrand]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.8.0 -> 1.9.0"
+
+[[audits.fastrand]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.9.0 -> 2.0.0"
+
+[[audits.filetime_win]]
+who = "Nick Alexander <nalexander@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.0"
+notes = """
+filetime_win was written by Adam Gashlin for Mozilla's use. The `unsafe` code
+blocks in filetime_win 0.2.0 are straight-forward invocations of `mem::zeroed`
+and expected invocations of Win32 APIs (with error handling as appropriate).
+"""
+
+[[audits.flagset]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+version = "0.4.3"
+notes = "Uses no ambient capabilities, vetted the one instance of unsafe."
+
+[[audits.flate2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.24 -> 1.0.25"
+
+[[audits.fluent]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.16.0"
+
+[[audits.fluent-bundle]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.15.2"
+
+[[audits.fluent-fallback]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.6.0"
+
+[[audits.fluent-fallback]]
+who = "Greg Tatum <tatum.creative@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.7.0"
+
+[[audits.fluent-langneg]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.13.0"
+
+[[audits.fluent-pseudo]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.3.1"
+
+[[audits.fluent-syntax]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.11.0"
+
+[[audits.fluent-testing]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-run"
+version = "0.0.2"
+
+[[audits.fluent-testing]]
+who = "Greg Tatum <tatum.creative@gmail.com>"
+criteria = "safe-to-run"
+delta = "0.0.2 -> 0.0.3"
+
+[[audits.fnv]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.0.7"
+notes = "Simple hasher implementation with no unsafe code."
+
+[[audits.foreign-types]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.2 -> 0.5.0"
+
+[[audits.foreign-types-macros]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.3"
+
+[[audits.foreign-types-shared]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.1 -> 0.3.1"
+
+[[audits.form_urlencoded]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.2.0"
+
+[[audits.form_urlencoded]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.2.1"
+
+[[audits.fs-err]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "2.7.0 -> 2.8.1"
+
+[[audits.fs-err]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "2.8.1 -> 2.9.0"
+
+[[audits.futures]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.26 -> 0.3.28"
+
+[[audits.futures-channel]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-channel]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-channel]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-channel]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.26"
+
+[[audits.futures-channel]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.28"
+
+[[audits.futures-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-core]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.26"
+
+[[audits.futures-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.28"
+
+[[audits.futures-executor]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-executor]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-executor]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-executor]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.23"
+
+[[audits.futures-executor]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.28"
+
+[[audits.futures-io]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-io]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-io]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-io]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.23"
+
+[[audits.futures-io]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.28"
+
+[[audits.futures-macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-macro]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.26 -> 0.3.28"
+
+[[audits.futures-sink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-sink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-sink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-sink]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.23"
+
+[[audits.futures-sink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.28"
+
+[[audits.futures-task]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-task]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-task]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-task]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.26 -> 0.3.28"
+
+[[audits.futures-util]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.21 -> 0.3.23"
+
+[[audits.futures-util]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.23 -> 0.3.25"
+
+[[audits.futures-util]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.futures-util]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.26 -> 0.3.28"
+
+[[audits.fxhash]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.2.1"
+notes = "Straightforward crate with no unsafe code, does what it says on the tin."
+
+[[audits.generic-array]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.14.5 -> 0.14.6"
+
+[[audits.getrandom]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.6 -> 0.2.7"
+
+[[audits.getrandom]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.7 -> 0.2.8"
+
+[[audits.getrandom]]
+who = "Yannis Juglaret <yjuglaret@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.8 -> 0.2.9"
+
+[[audits.getrandom]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.10 -> 0.2.11"
+
+[[audits.gleam]]
+who = "Jamie Nicol <jnicol@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.13.1 -> 0.15.0"
+
+[[audits.glob]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.0 -> 0.3.1"
+
+[[audits.glsl]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "6.0.1 -> 6.0.2"
+notes = "I'm the author of the changes in this version of the crate."
+
+[[audits.goblin]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.3 -> 0.5.4"
+notes = "Several bugfixes since 2019. This version is also in use by Mozilla's crash reporting tooling, e.g. minidump-writer"
+
+[[audits.goblin]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.4 -> 0.6.0"
+notes = "Mostly bug fixes and some added functionality"
+
+[[audits.goblin]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.7.1"
+
+[[audits.gpu-alloc]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.3 -> 0.6.0"
+
+[[audits.gpu-alloc-types]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.0 -> 0.3.0"
+
+[[audits.gpu-allocator]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.25.0"
+
+[[audits.gpu-descriptor]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.2 -> 0.2.3"
+
+[[audits.guid_win]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.2.0"
+notes = """
+This crate has some unsafe code for the FFI bits, which I've reviewed carefully.
+It uses the deprecated mem::uninitialized(), which is generally sketchy. However
+the usage is pretty straightforward and while it's technically UB, it seems no
+more likely to lead to miscompilation than any other use of mem::uninitialized.
+"""
+
+[[audits.h2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.13 -> 0.3.14"
+
+[[audits.h2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.14 -> 0.3.15"
+
+[[audits.half]]
+who = "John M. Schanck <jschanck@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.8.2"
+notes = """
+This crate contains unsafe code for bitwise casts to/from binary16 floating-point
+format. I've reviewed these and found no issues. There are no uses of ambient
+capabilities.
+"""
+
+[[audits.hashbrown]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+version = "0.12.3"
+notes = "This version is used in rust's libstd, so effectively we're already trusting it"
+
+[[audits.hashlink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.8.1"
+
+[[audits.headers]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.7 -> 0.3.8"
+
+[[audits.headers-core]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.2.0"
+notes = "Trivial crate, no unsafe code."
+
+[[audits.heck]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.0 -> 0.4.1"
+
+[[audits.hermit-abi]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.19 -> 0.2.6"
+
+[[audits.hex]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.4.3"
+
+[[audits.http]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.2.8 -> 0.2.9"
+
+[[audits.httparse]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.7.1 -> 1.8.0"
+
+[[audits.hyper]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.14.19 -> 0.14.20"
+
+[[audits.hyper]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.14.20 -> 0.14.22"
+
+[[audits.hyper]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.14.22 -> 0.14.23"
+
+[[audits.hyper]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.14.23 -> 0.14.24"
+
+[[audits.icu_capi]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.2"
+notes = "This crate is C/C++ FFI for ICU4X using diplomat crate. no unsafe and no file access etc on this crate."
+
+[[audits.icu_capi]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.2 -> 1.4.0"
+
+[[audits.icu_collections]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.0"
+notes = "This crate is used by ICU4X for internal data structure. There is no fileaccess and network access. This uses unsafe block, but we confirm data is valid before."
+
+[[audits.icu_collections]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.4.0"
+
+[[audits.icu_locid]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.0"
+notes = "This has unsafe block to handle ascii string in utf-8 string. I've vetted the one instance of unsafe code."
+
+[[audits.icu_locid]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.4.0"
+
+[[audits.icu_locid_transform]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "This crate doesn't contain network and file access. Although this has unsafe block, the reason is added in the comment block. I audited code."
+
+[[audits.icu_locid_transform_data]]
+who = "Jonathan Kew <jkew@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "Compile-time static for the icu_locid_transform crate."
+
+[[audits.icu_properties]]
+who = "Jonathan Kew <jkew@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "This is used by ICU4X for character property lookup. The few (4) usages of unsafe have comments clarifying their safety."
+
+[[audits.icu_properties_data]]
+who = "Jonathan Kew <jkew@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "Compile-time static data for the icu_properties crate."
+
+[[audits.icu_provider]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.0"
+notes = "Although this has unsafe block, this has a commnet why this is safety and I audited code. Also, this doesn't have file access and network access."
+
+[[audits.icu_provider]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.4.0"
+
+[[audits.icu_provider_adapters]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.0"
+notes = "This is one of ICU4X data provider crates that depends on data type. This has no unsafe code and uses no ambient capabilities."
+
+[[audits.icu_provider_adapters]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.4.0"
+
+[[audits.icu_provider_macros]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.0"
+notes = "This crate is macros for ICU4X's data provider implementer. This has no unsafe code and uses no ambient capabilities."
+
+[[audits.icu_provider_macros]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.2.0@git:14e9a3a9857be74582abe2dfa7ab799c5eaac873"
+
+[[audits.icu_provider_macros]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.0 -> 1.4.0"
+
+[[audits.icu_segmenter]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.2.1"
+notes = "Original authors are Makoto Kato and Ting-Yu Lin who work at Mozilla. This crate uses unsafe to matrix calculation, but it is safety to check length. And there is no filesystem / network access."
+
+[[audits.icu_segmenter]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "1.2.1 -> 1.4.0"
+
+[[audits.icu_segmenter_data]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "This crate is data only for icu_segmenter. There is no filesystem / network access."
+
+[[audits.idna]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.0 -> 0.2.3"
+notes = "Backwards diff with some algorithm changes, no unsafe code."
+
+[[audits.idna]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.4.0 -> 0.5.0"
+
+[[audits.indexmap]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.8.2 -> 1.9.1"
+
+[[audits.indexmap]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.9.1 -> 1.9.2"
+
+[[audits.inherent]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.1 -> 1.0.2"
+
+[[audits.inherent]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.2 -> 1.0.3"
+
+[[audits.inherent]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.3 -> 1.0.4"
+
+[[audits.inplace_it]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.3 -> 0.3.4"
+
+[[audits.intl-memoizer]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.5.1"
+
+[[audits.intl_pluralrules]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "7.0.1"
+
+[[audits.intl_pluralrules]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "7.0.1 -> 7.0.2"
+
+[[audits.itertools]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.3 -> 0.10.5"
+
+[[audits.itoa]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.2 -> 1.0.3"
+
+[[audits.itoa]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.3 -> 1.0.5"
+
+[[audits.jobserver]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.24 -> 0.1.25"
+
+[[audits.keccak]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.3"
+
+[[audits.khronos-egl]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "4.1.0 -> 6.0.0"
+
+[[audits.libc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.126 -> 0.2.132"
+
+[[audits.libc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.132 -> 0.2.138"
+
+[[audits.libc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.138 -> 0.2.139"
+
+[[audits.libc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.147 -> 0.2.148"
+
+[[audits.libloading]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.3 -> 0.7.4"
+
+[[audits.libm]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.2.6"
+notes = "This crate uses unsafe block, but this doesn't have network and file access. I audited code."
+
+[[audits.libsqlite3-sys]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.25.2 -> 0.26.0"
+
+[[audits.libsqlite3-sys]]
+who = "Mark Hammond <mhammond@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.26.0 -> 0.27.0"
+
+[[audits.linked-hash-map]]
+who = "Aria Beingessner <a.beingessner@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.5.4"
+notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."
+
+[[audits.linked-hash-map]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.5.4 -> 0.5.6"
+
+[[audits.litemap]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.7.0"
+notes = "This crete has no unsafe code, no file acceess and no network access."
+
+[[audits.litemap]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.7.2"
+
+[[audits.lmdb-rkv]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.14.0"
+notes = "Victor and Myk developed this crate at Mozilla."
+
+[[audits.lock_api]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.7 -> 0.4.9"
+
+[[audits.log]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+version = "0.4.17"
+
+[[audits.mach2]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.4.1"
+
+[[audits.malloc_buf]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.0.6"
+notes = """
+Very small crate for managing malloc-ed buffers, primarily for use in the objc crate.
+There is an edge-case condition that passes slice::from_raw_parts(0x1, 0) which I'm
+not entirely certain is technically sound, but in either case I am reasonably confident
+it's not exploitable.
+"""
+
+[[audits.malloc_size_of_derive]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = """
+This was originally servo code which I put on crates.io some years ago but didn't
+examine at the time, so I examined it now. I didn't perform a full logic review
+but convinced myself that any generated code will be entirely safe to deploy.
+"""
+
+[[audits.matches]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.9"
+notes = "This is a trivial crate."
+
+[[audits.matches]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.9 -> 0.1.10"
+
+[[audits.md-5]]
+who = "Dana Keeler <dkeeler@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.10.5"
+
+[[audits.memmap2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.4 -> 0.5.7"
+
+[[audits.memmap2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.7 -> 0.5.8"
+
+[[audits.memmap2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.8 -> 0.5.9"
+
+[[audits.memmap2]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.9 -> 0.8.0"
+
+[[audits.memmap2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.9.3"
+
+[[audits.memoffset]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.6.5 -> 0.7.1"
+
+[[audits.memoffset]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.9.0"
+
+[[audits.metal]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+version = "0.23.1"
+notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer."
+
+[[audits.metal]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.23.1 -> 0.24.0"
+notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer."
+
+[[audits.metal]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.24.0 -> 0.25.0"
+
+[[audits.metal]]
+who = "Erich Gubler <egubler@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.25.0 -> 0.26.0"
+
+[[audits.metal]]
+who = "Nicolas Silva <nical@fastmail.com>, Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.26.0 -> 0.27.0"
+
+[[audits.midir]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.7.0@git:519e651241e867af3391db08f9ae6400bc023e18"
+
+[[audits.midir]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.7.0@git:85156e360a37d851734118104619f86bd18e94c6"
+importable = false
+
+[[audits.minidump-common]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.15.2"
+notes = "The code in this crate was written or reviewed by Mozilla employees."
+
+[[audits.minidump-common]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.15.2 -> 0.17.0"
+
+[[audits.minidump-common]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.17.0 -> 0.17.0@git:87a29fba5e19cfae5ebf73a57ba31504a3872545"
+
+[[audits.minidump-common]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.17.0 -> 0.19.1"
+notes = "All the changes have been authored or reviewed by Mozilla employees"
+
+[[audits.minidump-common]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.17.0@git:87a29fba5e19cfae5ebf73a57ba31504a3872545 -> 0.17.0@git:6ae42a7f992e8a88ebee661bc77bcedb95cd671f"
+
+[[audits.minidump-writer]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.7.0"
+notes = "The code in this crate was written or reviewed by Mozilla employees, the crate it evolved from was written specifically for gecko."
+
+[[audits.minidump-writer]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.8.0"
+notes = "The code in this crate was written or reviewed by Mozilla employees, the crate it evolved from was written specifically for gecko."
+
+[[audits.minidump-writer]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.8.1"
+
+[[audits.minidump-writer]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.1 -> 0.8.1@git:491eb330e78e310c32927e5cc3bd2350af1e93f8"
+notes = "All the changes were written by a Mozilla employee (me)"
+
+[[audits.minidump-writer]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.1 -> 0.8.3"
+notes = "All changes were authored or reviewed by Mozilla employees"
+
+[[audits.miniz_oxide]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.3 -> 0.6.2"
+
+[[audits.mio]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-run"
+delta = "0.6.21 -> 0.6.23"
+
+[[audits.mio]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.8.6"
+
+[[audits.mio]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.8 -> 0.8.8@git:9a2ef335c366044ffe73b1c4acabe50a1daefe05"
+importable = false
+
+[[audits.moz_cbor]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "Developed by Mozilla staff."
+
+[[audits.naga]]
+who = "Dzmitry Malyshau <kvark@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.8.0"
+notes = """
+This crate, up through the indicated version, was written or reviewed
+by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
+Mozilla at the beginning of February 2022. This audit statement was
+collected by Jim Blandy, a Mozilla employee, over email in July 2022:
+Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
+"""
+
+[[audits.naga]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.9.0"
+
+[[audits.naga]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.10.0"
+
+[[audits.naga]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.0"
+
+[[audits.naga]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.12.0"
+
+[[audits.naga]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.12.0 -> 0.13.0"
+
+[[audits.naga]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.13.0 -> 0.14.0"
+
+[[audits.naga]]
+who = [
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
+ "Jim Blandy <jimb@red-bean.com>",
+ "Nicolas Silva <nical@fastmail.com>",
+]
+criteria = "safe-to-deploy"
+delta = "0.14.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+importable = false
+
+[[audits.net2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.2.37 -> 0.2.38"
+
+[[audits.new_debug_unreachable]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.0.4"
+notes = "This is a trivial crate."
+
+[[audits.nix]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.15.0 -> 0.25.0"
+notes = "Plenty of new bindings but also several important bug fixes (including buffer overflows). New unsafe sections are restricted to wrappers and are no more dangerous than calling the C functions."
+
+[[audits.nix]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.25.0 -> 0.25.1"
+
+[[audits.nix]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.25.1 -> 0.26.2"
+
+[[audits.nix]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.26.2 -> 0.27.1"
+
+[[audits.nom]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "7.1.1 -> 7.1.3"
+
+[[audits.nss-gk-api]]
+who = "John M. Schanck <jschanck@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.1"
+notes = "Maintained by the CryptoEng team at Mozilla."
+
+[[audits.ntapi]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.7 -> 0.4.0"
+
+[[audits.num]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.4.0"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-bigint]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.2.6"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-bigint]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.4.3"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-complex]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.4.2"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-derive]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.3.3"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.3 -> 0.4.0"
+
+[[audits.num-integer]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.1.45"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-iter]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.1.43"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-macros]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.1.40"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-rational]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.4.1"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num-traits]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "0.2.15"
+notes = "All code written or reviewed by Josh Stone."
+
+[[audits.num_cpus]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.13.1 -> 1.14.0"
+
+[[audits.num_cpus]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.14.0 -> 1.15.0"
+
+[[audits.object]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.28.4 -> 0.30.0"
+
+[[audits.object]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.30.0 -> 0.30.3"
+
+[[audits.once_cell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.12.0 -> 1.13.1"
+
+[[audits.once_cell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.13.1 -> 1.16.0"
+
+[[audits.once_cell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.16.0 -> 1.17.1"
+
+[[audits.oneshot]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.5"
+notes = "Small crate, reviewed by bendk. There is a decent amount of unsafe code, but it's well tested and the crate has been well-used over the years."
+
+[[audits.oneshot]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.5@git:1f3c657c8073aec4f0b6ebac7be33b4851644745"
+notes = """
+Small crate, reviewed by bendk. There is a decent amount of unsafe code, but it's well tested and the crate has been well-used over the years.
+
+The git branch is my fork of the official code that removes the `loom` target to avoid pulling in that crate and its dependencies into moz-central.
+This doesn't change any of the functionality -- the `loom` target is only used for testing.
+"""
+
+[[audits.oneshot-uniffi]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.5"
+notes = "This is the essentially same code as `oneshot version 0.1.5` which has already been audited. The only difference is that it won't pull in `loom` and related dependencies when `mach vendor rust` is run."
+
+[[audits.ordered-float]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "3.0.0 -> 3.4.0"
+
+[[audits.origin-trial-token]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.1.1"
+notes = """
+I'm the author of the crate. The only unsafe code is a view over a byte array
+which is properly validated.
+
+Cryptography shenanigans are delegated to the caller so there's no possible
+unsoundness there.
+"""
+
+[[audits.os_str_bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "6.1.0 -> 6.3.0"
+
+[[audits.os_str_bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "6.3.0 -> 6.4.1"
+
+[[audits.oxilangtag]]
+who = "Jonathan Kew <jkew@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.3"
+notes = """
+I have reviewed all the code in this (small) crate.
+There is no unsafe code present.
+"""
+
+[[audits.packed_simd]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+delta = "0.3.8 -> 0.3.9"
+notes = "The update from 0.3.8 to 0.3.9 makes mechanical changes to accommodate renaming, compiler updates, and CI service updates."
+
+[[audits.packed_simd]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+delta = "0.3.9 -> 0.3.9@git:e588ceb568878e1a3156ea9ce551d5b63ef0cdc4"
+notes = "The patch on top of crates.io version 0.3.9 merely deletes code for a feature that Firefox does not use."
+
+[[audits.packed_simd_2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.7 -> 0.3.8"
+
+[[audits.packed_simd_2]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.8 -> 0.3.8@git:412f9a0aa556611de021bde89dee8fefe6e0fbbd"
+
+[[audits.parking_lot_core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.5 -> 0.8.6"
+
+[[audits.paste]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.7 -> 1.0.8"
+
+[[audits.paste]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.8 -> 1.0.11"
+
+[[audits.peeking_take_while]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "1.0.0 -> 0.1.2"
+notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities."
+
+[[audits.percent-encoding]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "2.2.0 -> 2.3.0"
+
+[[audits.percent-encoding]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "2.3.0 -> 2.3.1"
+
+[[audits.phf]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.1 -> 0.11.2"
+
+[[audits.phf_codegen]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.2"
+
+[[audits.phf_generator]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.2"
+
+[[audits.phf_macros]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.2"
+
+[[audits.phf_shared]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.2"
+
+[[audits.pin-project]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.0.10 -> 1.0.12"
+
+[[audits.pin-project]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.0.12 -> 1.1.0"
+
+[[audits.pin-project-internal]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.0.10 -> 1.0.12"
+
+[[audits.pin-project-internal]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.0.12 -> 1.1.0"
+
+[[audits.pkcs11-bindings]]
+who = "Dana Keeler <dkeeler@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = """
+This crate consists of declarations of types and constants that are
+auto-generated by running bindgen on the PKCS#11 specification headers. Other
+than the tests generated by bindgen, it consists of no runnable code.
+"""
+
+[[audits.pkcs11-bindings]]
+who = "John M. Schanck <jmschanck@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.1"
+
+[[audits.pkcs11-bindings]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.1 -> 0.1.4"
+
+[[audits.pkcs11-bindings]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.4 -> 0.1.5"
+
+[[audits.pkg-config]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+
+[[audits.plane-split]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.18.0"
+notes = "Mozilla-developed package, no unsafe code, no access to file system, network or other far reaching APIs."
+
+[[audits.ppv-lite86]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.16 -> 0.2.17"
+
+[[audits.precomputed-hash]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.1"
+notes = "This is a trivial crate."
+
+[[audits.prio]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.8.4"
+notes = "The crate does not use any unsafe code or ambient capabilities and thus meets the criteria for safe-to-deploy. The cryptography itself should be considered experimental at this phase and is currently undergoing a thorough audit organized by Cloudflare."
+
+[[audits.prio]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.9.1"
+
+[[audits.proc-macro-hack]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.19 -> 0.5.20+deprecated"
+
+[[audits.proc-macro2]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+version = "1.0.39"
+notes = """
+`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
+`proc_macro` crate, or as a fallback implementation of the crate, depending on
+where it is used.
+
+If using this crate on older versions of rustc (1.56 and earlier), it will
+temporarily replace the panic handler while initializing in order to detect if
+it is running within a `proc_macro`, which could lead to surprising behaviour.
+This should not be an issue for more recent compiler versions, which support
+`proc_macro::is_available()`.
+
+The `proc-macro2` crate's fallback behaviour is not identical to the complex
+behaviour of the rustc compiler (e.g. it does not perform unicode normalization
+for identifiers), however it behaves well enough for its intended use-case
+(tests and scripts processing rust code).
+
+`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
+allow bypassing checks in the fallback implementation when constructing
+`Literal` using `from_str_unchecked`. This was intended to only be used by the
+`quote!` macro, however it has been removed
+(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
+and is likely completely unused. Even when used, this API shouldn't be able to
+cause unsoundness.
+"""
+
+[[audits.proc-macro2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.39 -> 1.0.43"
+
+[[audits.proc-macro2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.43 -> 1.0.49"
+
+[[audits.proc-macro2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.49 -> 1.0.51"
+
+[[audits.procfs-core]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.16.0-RC1"
+
+[[audits.procfs-core]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.16.0-RC1 -> 0.16.0"
+
+[[audits.profiling]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.6 -> 1.0.7"
+
+[[audits.prost]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.11.9"
+notes = "Mostly internal refactorings. Minimal new unsafe code, but with the invariants explicitly checked in code"
+
+[[audits.prost]]
+who = "Drew Willcoxon <adw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.9 -> 0.12.1"
+
+[[audits.prost-derive]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.11.9"
+notes = "Documentation and internal refactoring changes only"
+
+[[audits.prost-derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.11.9 -> 0.11.9@git:95964e9d33df3c2a9c3f14285e262867cab6f96b"
+notes = "Changes against 0.11.9 are mine."
+
+[[audits.prost-derive]]
+who = "Drew Willcoxon <adw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.9 -> 0.12.1"
+
+[[audits.qlog]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.qlog]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.11.0"
+
+[[audits.qlog]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.11.0@git:09ea4b244096a013071cfe2175bbf2945fb7f8d1"
+importable = false
+
+[[audits.quote]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+version = "1.0.18"
+notes = """
+`quote` is a utility crate used by proc-macros to generate TokenStreams
+conveniently from source code. The bulk of the logic is some complex
+interlocking `macro_rules!` macros which are used to parse and build the
+`TokenStream` within the proc-macro.
+
+This crate contains no unsafe code, and the internal logic, while difficult to
+read, is generally straightforward. I have audited the the quote macros, ident
+formatter, and runtime logic.
+"""
+
+[[audits.quote]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.18 -> 1.0.21"
+
+[[audits.quote]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.21 -> 1.0.23"
+
+[[audits.radium]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+version = "0.5.3"
+notes = """
+I am no longer the primary maintainer of `radium`, however I have audited the
+code to ensure it is still correct. The implementation contains no `unsafe`
+logic, and will not abstract away `Sync` trait bounds.
+
+The core logic is very simple, and acts as an abstraction trait for `Cell<T>`
+and `AtomicT`.
+"""
+
+[[audits.rand_core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.3 -> 0.6.4"
+
+[[audits.range-alloc]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "Dzmitry authored this crate while he was staff at Mozilla."
+
+[[audits.range-alloc]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.3"
+
+[[audits.range-map]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.0"
+
+[[audits.raw-window-handle]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+version = "0.5.0"
+notes = "I looked through all the sources of the v0.5.0 crate."
+
+[[audits.raw-window-handle]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.0 -> 0.5.2"
+
+[[audits.raw-window-handle]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.6.0"
+
+[[audits.rayon]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "1.5.3"
+notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
+
+[[audits.rayon]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.5.3 -> 1.6.1"
+
+[[audits.rayon-core]]
+who = "Josh Stone <jistone@redhat.com>"
+criteria = "safe-to-deploy"
+version = "1.9.3"
+notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
+
+[[audits.rayon-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.9.3 -> 1.10.1"
+
+[[audits.rayon-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.10.1 -> 1.10.2"
+
+[[audits.redox_syscall]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.13 -> 0.2.16"
+
+[[audits.regex]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.5.6 -> 1.6.0"
+
+[[audits.regex]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.6.0 -> 1.7.0"
+
+[[audits.regex]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.7.0 -> 1.7.1"
+
+[[audits.regex-syntax]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.26 -> 0.6.27"
+
+[[audits.regex-syntax]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.27 -> 0.6.28"
+
+[[audits.rkv]]
+who = "Chris H-C <chutten@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.18.2"
+notes = "Maintained by Jan-Erik and :krosylight."
+
+[[audits.rkv]]
+who = "Chris H-C <chutten@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.18.4"
+
+[[audits.ron]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.7.1"
+
+[[audits.ron]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.7.1 -> 0.8.0"
+
+[[audits.ron]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.0 -> 0.8.1"
+
+[[audits.rure]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+version = "0.2.2"
+notes = """
+This is a fairly straightforward FFI wrapper crate for `regex`, maintained by
+the `regex` developers in the same repository.
+
+This crate is explicitly designed for FFI use, and should not be used directly
+by Rust code. The exported `extern \"C\"` functions are not marked as `unsafe`,
+meaning that it is technically incorrect to use them from within Rust code,
+however they are reasonable to use from C code.
+
+The unsafe code in this crate heavily depends on the C caller maintaining
+invariants, however these invariants are clearly documented in the `rure.h`
+file, bundled with the crate.
+
+I have checked the signatures of each function both in C++ and in the Rust to
+ensure they match. In some places, the c `rure.h` header file is missing a
+`const` qualifier which could be present given the Rust code, however this will
+have no impact on ABI, and is fairly normal for FFI crates.
+
+Panics are handled in all Rust FFI methods, meaning that projects which do not
+disable unwinding will still consistently abort (using `libc::abort()`) if a
+panic occurs in the Rust code.
+"""
+
+[[audits.rusqlite]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.27.0 -> 0.28.0"
+
+[[audits.rusqlite]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.28.0 -> 0.29.0"
+
+[[audits.rusqlite]]
+who = "Mark Hammond <mhammond@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.29.0 -> 0.30.0"
+
+[[audits.rust_cascade]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.4.0 -> 1.5.0"
+
+[[audits.rust_decimal]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.24.0 -> 1.25.0"
+
+[[audits.rust_decimal]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.25.0 -> 1.26.1"
+
+[[audits.rust_decimal]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.26.1 -> 1.27.0"
+
+[[audits.rust_decimal]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.27.0 -> 1.28.1"
+
+[[audits.rustc-hash]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.1.0"
+notes = "Straightforward crate with no unsafe code, does what it says on the tin."
+
+[[audits.rustc_version]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-run"
+version = "0.4.0"
+notes = """
+Straightforward crate which runs `$RUSTC -vV` and parses the output into a
+machine-interpretable form for build scripts.
+"""
+
+[[audits.rustversion]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.0.9"
+notes = """
+This crate has a build-time component and procedural macro logic, which I looked
+at enough to convince myself it wasn't going to do anything dramatically wrong.
+I don't think logic bugs in the version parsing etc can realistically introduce
+a security vulnerability.
+"""
+
+[[audits.rustversion]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.0.9 -> 1.0.11"
+
+[[audits.ryu]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.10 -> 1.0.11"
+
+[[audits.ryu]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.11 -> 1.0.12"
+
+[[audits.safemem]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-run"
+version = "0.3.3"
+notes = "I didn't review the allocation code carefully but it's not malicious."
+
+[[audits.scoped-tls]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.0.0 -> 1.0.1"
+
+[[audits.scroll]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.11.0"
+notes = "Small changes to exposed traits, that look reasonable and have additional buffer boundary checks. No unsafe code touched."
+
+[[audits.scroll_derive]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.5 -> 0.11.0"
+notes = "No code changes. Tagged together with its parent crate scroll."
+
+[[audits.scroll_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.11.1"
+
+[[audits.selectors]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.22.0"
+notes = """
+This crate is basically developed in-tree. Mozilla employees have either
+reviewed or written virtually all of the code.
+"""
+
+[[audits.semver]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.9 -> 1.0.10"
+
+[[audits.semver]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.10 -> 1.0.13"
+
+[[audits.semver]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.13 -> 1.0.16"
+
+[[audits.semver]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "1.0.17 -> 1.0.16"
+
+[[audits.serde]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.137 -> 1.0.143"
+
+[[audits.serde]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.143 -> 1.0.144"
+
+[[audits.serde]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.144 -> 1.0.151"
+
+[[audits.serde]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.151 -> 1.0.152"
+
+[[audits.serde_bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.11.6 -> 0.11.7"
+
+[[audits.serde_bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.11.7 -> 0.11.8"
+
+[[audits.serde_bytes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.11.8 -> 0.11.9"
+
+[[audits.serde_cbor]]
+who = "R. Martinho Fernandes <bugs@rmf.io>"
+criteria = "safe-to-deploy"
+version = "0.11.1"
+
+[[audits.serde_cbor]]
+who = "John M. Schanck <jschanck@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.1 -> 0.11.2"
+
+[[audits.serde_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.137 -> 1.0.143"
+
+[[audits.serde_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.143 -> 1.0.144"
+
+[[audits.serde_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.144 -> 1.0.151"
+
+[[audits.serde_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.151 -> 1.0.152"
+
+[[audits.serde_json]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.81 -> 1.0.83"
+
+[[audits.serde_json]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.83 -> 1.0.85"
+
+[[audits.serde_json]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.85 -> 1.0.91"
+
+[[audits.serde_json]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.91 -> 1.0.93"
+
+[[audits.serde_path_to_error]]
+who = "Ben Dean-Kawamura <bdk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.11"
+
+[[audits.serde_repr]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.8 -> 0.1.9"
+
+[[audits.serde_repr]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.9 -> 0.1.10"
+
+[[audits.serde_with]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.14.0 -> 3.0.0"
+
+[[audits.serde_with_macros]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.5.2 -> 3.0.0"
+
+[[audits.serde_yaml]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.8.24 -> 0.8.26"
+
+[[audits.servo_arc]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "0.1.1"
+notes = "Developed in-tree, effectively."
+
+[[audits.sfv]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.2 -> 0.9.3"
+
+[[audits.sha1]]
+who = "Dana Keeler <dkeeler@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.10.5"
+
+[[audits.sha1]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.10.0 -> 0.10.5"
+
+[[audits.sha2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.10.2 -> 0.10.6"
+
+[[audits.sha3]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.10.6 -> 0.10.7"
+
+[[audits.slab]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.6 -> 0.4.7"
+
+[[audits.slab]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.7 -> 0.4.8"
+
+[[audits.smallbitvec]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "2.5.0"
+notes = "All code written or reviewed by Mozilla staff."
+
+[[audits.smallbitvec]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "2.5.0 -> 2.5.1"
+
+[[audits.smallvec]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.8.0 -> 1.9.0"
+
+[[audits.smallvec]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.9.0 -> 1.10.0"
+
+[[audits.smart-default]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.6.0"
+
+[[audits.smart-default]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.6.0 -> 0.7.1"
+
+[[audits.socket2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.4 -> 0.4.7"
+
+[[audits.spirv]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.0+1.5.4 -> 0.3.0+sdk-1.3.268.0"
+
+[[audits.strck]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "This crate uses unsafe lock to keep invariant. I auditted code. Also, this doesn't have file access and network access."
+
+[[audits.strck_ident]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "This crate doesn't use unsafe block, network access and filesystem access."
+
+[[audits.subtle]]
+who = "Simon Friedberger <simon@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "2.5.0"
+notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
+
+[[audits.svg_fmt]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.4.1"
+notes = "Simple string processing with no unsafe code or ambient capability usage."
+
+[[audits.syn]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.96 -> 1.0.99"
+
+[[audits.syn]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.99 -> 1.0.107"
+
+[[audits.synstructure]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+version = "0.12.6"
+notes = """
+I am the primary author of the `synstructure` crate, and its current
+maintainer. The one use of `unsafe` is unnecessary, but documented and
+harmless. It will be removed in the next version.
+"""
+
+[[audits.synstructure]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.12.6 -> 0.13.0"
+
+[[audits.tempfile]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "3.6.0 -> 3.8.0"
+
+[[audits.tempfile]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "3.8.0 -> 3.9.0"
+
+[[audits.termcolor]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.1.3 -> 1.2.0"
+
+[[audits.textwrap]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.15.0 -> 0.15.2"
+
+[[audits.textwrap]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.15.2 -> 0.16.0"
+
+[[audits.thin-vec]]
+who = "Aria Beingessner <a.beingessner@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.2.5"
+notes = "I own this crate, and most of its versions were codeveloped and reviewed by Nika Layzell. This version was not explicitly reviewed by her, but it was specifically a release that made the code pass miri and was reviewed by me. Firefox uses it in the gecko-ffi configuration which is less thoroughly tested and more dangerous but we're reasonably confident in it. The real danger is from C++ code failing to use it correctly in FFI but that's just how FFI is."
+
+[[audits.thin-vec]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.5 -> 0.2.7"
+
+[[audits.thin-vec]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.7 -> 0.2.12"
+
+[[audits.thiserror]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.31 -> 1.0.32"
+
+[[audits.thiserror]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.32 -> 1.0.38"
+
+[[audits.thiserror-impl]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.31 -> 1.0.32"
+
+[[audits.thiserror-impl]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.32 -> 1.0.38"
+
+[[audits.threadbound]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.3 -> 0.1.4"
+
+[[audits.threadbound]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.4 -> 0.1.5"
+
+[[audits.time]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.44 -> 0.1.45"
+
+[[audits.time]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.45 -> 0.3.17"
+
+[[audits.time]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.9 -> 0.3.17"
+
+[[audits.time]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.17 -> 0.3.23"
+
+[[audits.time-core]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+
+[[audits.time-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+version = "0.1.0"
+
+[[audits.time-core]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.0 -> 0.1.1"
+
+[[audits.time-macros]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.2.6"
+
+[[audits.time-macros]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.2.4 -> 0.2.6"
+
+[[audits.time-macros]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.6 -> 0.2.10"
+
+[[audits.tinystr]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.3.4"
+
+[[audits.tinystr]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.6.0"
+
+[[audits.tinystr]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.7.0"
+notes = "One of original auther was Zibi Braniecki who worked at Mozilla and maintained by ICU4X developers (Google and Mozilla). I've vetted the one instance of unsafe code."
+
+[[audits.tinystr]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.7.1"
+
+[[audits.tinystr]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.7.1 -> 0.7.4"
+
+[[audits.tokio-macros]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "1.8.0 -> 1.8.2"
+
+[[audits.tokio-stream]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.9 -> 0.1.11"
+
+[[audits.tokio-stream]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.11 -> 0.1.12"
+
+[[audits.toml]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.7 -> 0.5.9"
+
+[[audits.toml]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.9 -> 0.5.10"
+
+[[audits.toml]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.5.10 -> 0.5.11"
+
+[[audits.topological-sort]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = "Simple algorithm crate with no unsafe code or capability usage."
+
+[[audits.tower-service]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.1 -> 0.3.2"
+
+[[audits.tracing]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.35 -> 0.1.36"
+
+[[audits.tracing]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.36 -> 0.1.37"
+
+[[audits.tracing-attributes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.21 -> 0.1.22"
+
+[[audits.tracing-attributes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.22 -> 0.1.23"
+
+[[audits.tracing-attributes]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.23 -> 0.1.24"
+
+[[audits.tracing-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.27 -> 0.1.29"
+
+[[audits.tracing-core]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.1.29 -> 0.1.30"
+
+[[audits.tracy-rs]]
+who = "Glenn Watson <git@intuitionlibrary.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+
+[[audits.try-lock]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.2.3 -> 0.2.4"
+
+[[audits.typed-arena-nomut]]
+who = "Lee Salzman <lsalzman@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+
+[[audits.typenum]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.15.0 -> 1.16.0"
+
+[[audits.uluru]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+version = "3.0.0"
+notes = """
+I've reviewed multiple patches in this crate, including the initial
+implementation back in the day. It has no unsafe code at all nowadays.
+"""
+
+[[audits.unic-langid]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.unic-langid]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.9.1"
+
+[[audits.unic-langid-impl]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.unic-langid-impl]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.9.1"
+
+[[audits.unic-langid-macros]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.unic-langid-macros]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.9.1"
+
+[[audits.unic-langid-macros-impl]]
+who = "Zibi Braniecki <zibi@unicode.org>"
+criteria = "safe-to-deploy"
+version = "0.9.0"
+
+[[audits.unic-langid-macros-impl]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.9.1"
+
+[[audits.unicode-bidi]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.3.8 -> 0.3.13"
+
+[[audits.unicode-bidi]]
+who = "Jonathan Kew <jkew@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.13 -> 0.3.14"
+notes = "I am the author of the bulk of the upstream changes in this version, and also checked the remaining post-0.3.13 changes."
+
+[[audits.unicode-bidi]]
+who = "Jonathan Kew <jfkthame@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.14 -> 0.3.15"
+
+[[audits.unicode-ident]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.0 -> 1.0.1"
+
+[[audits.unicode-ident]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.1 -> 1.0.3"
+
+[[audits.unicode-ident]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.3 -> 1.0.6"
+
+[[audits.unicode-normalization]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.19 -> 0.1.20"
+notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
+
+[[audits.unicode-normalization]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.20 -> 0.1.21"
+
+[[audits.unicode-normalization]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.21 -> 0.1.22"
+
+[[audits.unicode-segmentation]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.9.0 -> 1.10.0"
+
+[[audits.unicode-width]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.1.9 -> 0.1.10"
+
+[[audits.unicode-xid]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.3 -> 0.2.4"
+
+[[audits.uniffi]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.19.3"
+notes = "Maintained by the Glean and Application Services teams"
+
+[[audits.uniffi]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.3 -> 0.19.6"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi]]
+who = "Perry McManis <pmcmanis@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.6 -> 0.20.0"
+
+[[audits.uniffi]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.21.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+notes = "No changes."
+
+[[audits.uniffi]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_bindgen]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.19.3"
+notes = "Maintained by the Glean and Application Services teams."
+
+[[audits.uniffi_bindgen]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.3 -> 0.19.6"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_bindgen]]
+who = "Perry McManis <pmcmanis@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.6 -> 0.20.0"
+
+[[audits.uniffi_bindgen]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.21.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_bindgen]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+notes = "I authored the changes in this version."
+
+[[audits.uniffi_bindgen]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_build]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.19.3"
+notes = "Maintained by the Glean and Application Services teams."
+
+[[audits.uniffi_build]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.3 -> 0.19.6"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_build]]
+who = "Perry McManis <pmcmanis@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.6 -> 0.20.0"
+
+[[audits.uniffi_build]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.21.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_build]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+notes = "No changes."
+
+[[audits.uniffi_build]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_checksum_derive]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+version = "0.21.1"
+notes = "I authored this crate."
+
+[[audits.uniffi_checksum_derive]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_core]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.23.0"
+notes = "Maintained by the Glean and Application Services teams."
+
+[[audits.uniffi_macros]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.19.3"
+notes = "Maintained by the Glean and Application Services teams."
+
+[[audits.uniffi_macros]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.3 -> 0.19.6"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_macros]]
+who = "Perry McManis <pmcmanis@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.6 -> 0.20.0"
+
+[[audits.uniffi_macros]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.21.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_macros]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+notes = "No changes."
+
+[[audits.uniffi_macros]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_meta]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.19.6"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_meta]]
+who = "Perry McManis <pmcmanis@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.6 -> 0.20.0"
+
+[[audits.uniffi_meta]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.21.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_meta]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+notes = "I authored the changes in this version."
+
+[[audits.uniffi_meta]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.uniffi_testing]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.23.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.url]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+version = "2.4.0"
+
+[[audits.url]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "2.4.0 -> 2.4.1"
+
+[[audits.url]]
+who = "Valentin Gosu <valentin.gosu@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "2.4.1 -> 2.5.0"
+
+[[audits.uuid]]
+who = "Gabriele Svelto <gsvelto@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.2 -> 1.2.2"
+
+[[audits.uuid]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.2.2 -> 1.3.0"
+
+[[audits.void]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.0.2"
+notes = "Very small crate, just hosts the Void type for easier cross-crate interfacing."
+
+[[audits.warp]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.2 -> 0.3.3"
+
+[[audits.warp]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-run"
+delta = "0.3.3 -> 0.3.3@git:4af45fae95bc98b0eba1ef0db17e1dac471bb23d"
+
+[[audits.warp]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.3.6 -> 0.3.6@git:9d081461ae1167eb321585ce424f4fef6cf0092b"
+
+[[audits.wasm-encoder]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+version = "0.7.0"
+notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities."
+
+[[audits.wasm-encoder]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+delta = "0.7.0 -> 0.14.0"
+notes = "wasm-encoder has no unsafe code and uses no ambient capabilities."
+
+[[audits.wasm-encoder]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.14.0 -> 0.15.0"
+
+[[audits.wasm-encoder]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.16.0 -> 0.17.0"
+
+[[audits.wasm-encoder]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+delta = "0.19.0 -> 0.19.1"
+
+[[audits.wasm-smith]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+version = "0.11.2"
+notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."
+
+[[audits.wasm-smith]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-run"
+delta = "0.11.2 -> 0.11.3"
+
+[[audits.wasm-smith]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-run"
+delta = "0.11.4 -> 0.11.5"
+
+[[audits.wasm-smith]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-run"
+delta = "0.11.7 -> 0.11.8"
+
+[[audits.wasmparser]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+version = "0.87.0"
+notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."
+
+[[audits.wasmparser]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.87.0 -> 0.88.0"
+
+[[audits.wasmparser]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.89.1 -> 0.91.0"
+
+[[audits.wasmparser]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+delta = "0.93.0 -> 0.94.0"
+
+[[audits.wast]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+version = "44.0.0"
+
+[[audits.wast]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+version = "44.0.0"
+notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. wast has no unsafe code and the only ambient capability it uses is to read the full contents of a file that is given to it."
+
+[[audits.wast]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "44.0.0 -> 45.0.0"
+
+[[audits.wast]]
+who = "Yury Delendik <ydelendik@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "46.0.0 -> 47.0.0"
+
+[[audits.wast]]
+who = "Ryan Hunt <rhunt@eqrion.net>"
+criteria = "safe-to-deploy"
+delta = "48.0.0 -> 49.0.0"
+
+[[audits.wast]]
+who = "Ben Visness <bvisness@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "55.0.0 -> 56.0.0"
+
+[[audits.webrtc-sdp]]
+who = "Byron Campen <docfaraday@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.9 -> 0.3.10"
+
+[[audits.webrtc-sdp]]
+who = "Nicolas Grunbaum <ngrunbaum@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.10 -> 0.3.11"
+
+[[audits.weedle2]]
+who = "Travis Long <tlong@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "3.0.0"
+notes = "Maintained by the Glean and Application Services teams."
+
+[[audits.weedle2]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "3.0.0 -> 4.0.0"
+notes = "Maintained by the Glean and Application Services team."
+
+[[audits.wgpu-core]]
+who = "Dzmitry Malyshau <kvark@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.12.0"
+notes = """
+This crate, up through the indicated version, was written or reviewed
+by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
+Mozilla at the beginning of February 2022. This audit statement was
+collected by Jim Blandy, a Mozilla employee, over email in July 2022:
+Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
+"""
+
+[[audits.wgpu-core]]
+who = "Jim Blandy <jimb@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.12.0 -> 0.13.0"
+
+[[audits.wgpu-core]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.13.0 -> 0.14.0"
+notes = "Audit by Erich Gubler, Jim Blandy, Nicolas Silva, and Teodor Tanasoaia."
+
+[[audits.wgpu-core]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.14.0 -> 0.15.0"
+
+[[audits.wgpu-core]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.15.0 -> 0.16.0"
+
+[[audits.wgpu-core]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.16.0 -> 0.17.0"
+
+[[audits.wgpu-core]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.17.0 -> 0.18.0"
+
+[[audits.wgpu-core]]
+who = [
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
+ "Jim Blandy <jimb@red-bean.com>",
+ "Nicolas Silva <nical@fastmail.com>",
+]
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+importable = false
+
+[[audits.wgpu-hal]]
+who = "Dzmitry Malyshau <kvark@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.12.0"
+notes = """
+This crate, up through the indicated version, was written or reviewed
+by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
+Mozilla at the beginning of February 2022. This audit statement was
+collected by Jim Blandy, a Mozilla employee, over email in July 2022:
+Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
+"""
+
+[[audits.wgpu-hal]]
+who = "Jim Blandy <jimb@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.12.0 -> 0.13.0"
+
+[[audits.wgpu-hal]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.13.0 -> 0.14.0"
+notes = "Audit by Erich Gubler, Jim Blandy, Nicolas Silva, and Teodor Tanasoaia."
+
+[[audits.wgpu-hal]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.14.0 -> 0.15.0"
+
+[[audits.wgpu-hal]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.15.0 -> 0.16.0"
+
+[[audits.wgpu-hal]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.16.0 -> 0.17.0"
+
+[[audits.wgpu-hal]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.17.0 -> 0.18.0"
+
+[[audits.wgpu-hal]]
+who = [
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
+ "Jim Blandy <jimb@red-bean.com>",
+ "Nicolas Silva <nical@fastmail.com>",
+]
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+importable = false
+
+[[audits.wgpu-types]]
+who = "Dzmitry Malyshau <kvark@fastmail.com>"
+criteria = "safe-to-deploy"
+version = "0.12.0"
+notes = """
+This crate, up through the indicated version, was written or reviewed
+by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
+Mozilla at the beginning of February 2022. This audit statement was
+collected by Jim Blandy, a Mozilla employee, over email in July 2022:
+Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
+"""
+
+[[audits.wgpu-types]]
+who = "Jim Blandy <jimb@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.12.0 -> 0.13.0"
+
+[[audits.wgpu-types]]
+who = "Jim Blandy <jimb@red-bean.com>"
+criteria = "safe-to-deploy"
+delta = "0.13.0 -> 0.14.0"
+notes = "Audit by Erich Gubler, Jim Blandy, Nicolas Silva, and Teodor Tanasoaia."
+
+[[audits.wgpu-types]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.14.0 -> 0.15.0"
+
+[[audits.wgpu-types]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.15.0 -> 0.16.0"
+
+[[audits.wgpu-types]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.16.0 -> 0.17.0"
+
+[[audits.wgpu-types]]
+who = "Nicolas Silva <nical@fastmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.17.0 -> 0.18.0"
+
+[[audits.wgpu-types]]
+who = [
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
+ "Jim Blandy <jimb@red-bean.com>",
+ "Nicolas Silva <nical@fastmail.com>",
+]
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+importable = false
+
+[[audits.whatsys]]
+who = "Bobby Holley <bobbyholley@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = """
+Contains platform-specific FFI code for apple, mac, and windows. The windows code
+also contains a small C file compiled at build-time. I audited all of it and it
+looks correct.
+"""
+
+[[audits.whatsys]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.3.1"
+notes = "Maintained by me. I have written or reviewed all of the code."
+
+[[audits.winreg]]
+who = "Ray Kraesig <rkraesig@mozilla.com>"
+criteria = "safe-to-run"
+version = "0.10.1"
+notes = """
+This crate uses a lot of `unsafe`; not all of it is necessary, and not all of it
+is correct. (In particular, the alignment of data buffers does not seem to be
+correctly ensured at type-conversion time.) However, the code is not deceptive,
+and any more subtle issues do not appear to be exploitable -- certainly not from
+a test environment.
+"""
+
+[[audits.wpf-gpu-raster]]
+who = "Lee Salzman <lsalzman@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = "Written and maintained by Gfx team at Mozilla."
+
+[[audits.writeable]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.5.2"
+notes = "writeable is a variation of fmt::Write with sink version. This uses `unsafe` block to handle potentially-invalid UTF-8 character. I've vetted the one instance of unsafe code."
+
+[[audits.writeable]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.5.4"
+
+[[audits.xmldecl]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.2.0"
+notes = "I, Henri Sivonen, wrote this crate myself for Gecko even though it's published on crates.io."
+
+[[audits.yoke]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.7.1"
+notes = "This crate is for zero-copy serialization for ICU4X data structure, and maintained by ICU4X team. Since this uses unsafe block for serialization, I audited code."
+
+[[audits.yoke]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.7.1 -> 0.7.3"
+
+[[audits.yoke-derive]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.7.1@git:14e9a3a9857be74582abe2dfa7ab799c5eaac873"
+notes = "This crate is a helper for yoke crate that is ICU4X data structure, and maintained by ICU4X team. Since this uses unsafe block for serialization, all has the comment why this uses unsafe and I audited code."
+
+[[audits.yoke-derive]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.7.3"
+
+[[audits.zerofrom]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "This crate is zero-copy version of \"From\". This has no unsafe code and uses no ambient capabilities."
+
+[[audits.zerofrom-derive]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.1.2@git:14e9a3a9857be74582abe2dfa7ab799c5eaac873"
+notes = "This is custom derives for `ZeroFrom` that is from zerofrom crate. This has no unsafe code and uses no ambient capabilities."
+
+[[audits.zerofrom-derive]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.1.3"
+
+[[audits.zerovec]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.9.4"
+notes = "This crate is zero-copy data structure implmentation. Although this uses unsafe block in several code, it requires for zero-copy. And this has a comment in code why this uses unsafe and I audited code."
+
+[[audits.zerovec]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+delta = "0.9.4 -> 0.10.1"
+
+[[audits.zerovec-derive]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.9.4@git:14e9a3a9857be74582abe2dfa7ab799c5eaac873"
+notes = "This is custom derives for `ZeroVec` that is from zerovec crate. Although this uses unsafe block for zero-copy, this has a comment in code why this uses unsafe and I audited code."
+
+[[audits.zerovec-derive]]
+who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
+criteria = "safe-to-deploy"
+version = "0.10.1"
+
+[[audits.zip]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.6.2 -> 0.6.3"
+
+[[audits.zip]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-run"
+delta = "0.6.3 -> 0.6.4"
+
+[[trusted.aho-corasick]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-03-28"
+end = "2024-05-03"
+
+[[trusted.anstyle]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2022-05-18"
+end = "2024-09-28"
+
+[[trusted.async-trait]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-07-23"
+end = "2024-04-25"
+
+[[trusted.atomic]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-02-22"
+end = "2024-05-05"
+
+[[trusted.byteorder]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-06-09"
+end = "2024-05-03"
+
+[[trusted.bytes]]
+criteria = "safe-to-deploy"
+user-id = 6741 # Alice Ryhl (Darksonn)
+start = "2021-01-11"
+end = "2024-05-05"
+
+[[trusted.clap]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2021-12-08"
+end = "2024-06-02"
+
+[[trusted.clap_builder]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2023-03-28"
+end = "2024-06-02"
+
+[[trusted.clap_derive]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2021-12-08"
+end = "2024-06-02"
+
+[[trusted.clap_lex]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2022-04-15"
+end = "2024-06-02"
+
+[[trusted.dtoa]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-05-02"
+end = "2024-04-25"
+
+[[trusted.equivalent]]
+criteria = "safe-to-deploy"
+user-id = 539 # Josh Stone (cuviper)
+start = "2023-02-05"
+end = "2024-07-17"
+
+[[trusted.errno]]
+criteria = "safe-to-deploy"
+user-id = 6825 # Dan Gohman (sunfishcode)
+start = "2023-08-29"
+end = "2025-01-11"
+
+[[trusted.flate2]]
+criteria = "safe-to-deploy"
+user-id = 4333 # Josh Triplett (joshtriplett)
+start = "2020-09-30"
+end = "2024-05-05"
+
+[[trusted.h2]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-03-13"
+end = "2024-12-05"
+
+[[trusted.hashbrown]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-04-02"
+end = "2024-07-17"
+
+[[trusted.headers]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-09-09"
+end = "2024-04-25"
+
+[[trusted.httparse]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-07-03"
+end = "2024-04-25"
+
+[[trusted.indexmap]]
+criteria = "safe-to-deploy"
+user-id = 539 # Josh Stone (cuviper)
+start = "2020-01-15"
+end = "2024-05-05"
+
+[[trusted.inherent]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-07-14"
+end = "2024-04-25"
+
+[[trusted.iovec]]
+criteria = "safe-to-deploy"
+user-id = 10 # Carl Lerche (carllerche)
+start = "2019-10-09"
+end = "2024-05-05"
+
+[[trusted.itoa]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-05-02"
+end = "2024-04-25"
+
+[[trusted.jobserver]]
+criteria = "safe-to-deploy"
+user-id = 1 # Alex Crichton (alexcrichton)
+start = "2019-03-15"
+end = "2024-05-05"
+
+[[trusted.libc]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2021-01-27"
+end = "2024-05-05"
+
+[[trusted.libc]]
+criteria = "safe-to-deploy"
+user-id = 51017 # Yuki Okushi (JohnTitor)
+start = "2020-03-17"
+end = "2024-10-25"
+
+[[trusted.linux-raw-sys]]
+criteria = "safe-to-deploy"
+user-id = 6825 # Dan Gohman (sunfishcode)
+start = "2021-06-12"
+end = "2024-09-08"
+
+[[trusted.lock_api]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-05-04"
+end = "2024-05-05"
+
+[[trusted.memchr]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-07-07"
+end = "2024-05-03"
+
+[[trusted.mime]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-09-09"
+end = "2024-04-25"
+
+[[trusted.mio]]
+criteria = "safe-to-deploy"
+user-id = 10 # Carl Lerche (carllerche)
+start = "2019-05-15"
+end = "2024-05-06"
+
+[[trusted.num_cpus]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-06-10"
+end = "2024-04-25"
+
+[[trusted.ordered-float]]
+criteria = "safe-to-deploy"
+user-id = 2017 # Matt Brubeck (mbrubeck)
+start = "2019-03-13"
+end = "2024-05-06"
+
+[[trusted.parking_lot]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-05-04"
+end = "2024-05-05"
+
+[[trusted.parking_lot_core]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-05-04"
+end = "2024-05-05"
+
+[[trusted.paste]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-19"
+end = "2024-04-25"
+
+[[trusted.proc-macro-hack]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-04-16"
+end = "2024-04-25"
+
+[[trusted.proc-macro2]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-04-23"
+end = "2024-05-30"
+
+[[trusted.quote]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-04-09"
+end = "2024-05-30"
+
+[[trusted.regex]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-02-27"
+end = "2024-05-03"
+
+[[trusted.regex-automata]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-02-25"
+end = "2024-09-20"
+
+[[trusted.regex-syntax]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-03-30"
+end = "2024-05-03"
+
+[[trusted.rustix]]
+criteria = "safe-to-deploy"
+user-id = 6825 # Dan Gohman (sunfishcode)
+start = "2021-10-29"
+end = "2024-09-08"
+
+[[trusted.ryu]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-05-02"
+end = "2024-04-25"
+
+[[trusted.same-file]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-07-16"
+end = "2024-05-03"
+
+[[trusted.scopeguard]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2020-02-16"
+end = "2024-05-05"
+
+[[trusted.serde]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2024-04-25"
+
+[[trusted.serde_bytes]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-02-25"
+end = "2024-04-25"
+
+[[trusted.serde_derive]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2024-04-25"
+
+[[trusted.serde_json]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-02-28"
+end = "2024-04-25"
+
+[[trusted.serde_repr]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-04-26"
+end = "2024-04-25"
+
+[[trusted.serde_yaml]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-05-02"
+end = "2024-04-25"
+
+[[trusted.smallvec]]
+criteria = "safe-to-deploy"
+user-id = 2017 # Matt Brubeck (mbrubeck)
+start = "2019-10-28"
+end = "2024-05-06"
+
+[[trusted.syn]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2024-04-25"
+
+[[trusted.termcolor]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-06-04"
+end = "2024-05-03"
+
+[[trusted.thiserror]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-10-09"
+end = "2024-04-25"
+
+[[trusted.thiserror-impl]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-10-09"
+end = "2024-04-25"
+
+[[trusted.threadbound]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2020-06-16"
+end = "2024-04-25"
+
+[[trusted.tokio-macros]]
+criteria = "safe-to-deploy"
+user-id = 6741 # Alice Ryhl (Darksonn)
+start = "2020-10-26"
+end = "2024-05-05"
+
+[[trusted.tokio-util]]
+criteria = "safe-to-deploy"
+user-id = 6741 # Alice Ryhl (Darksonn)
+start = "2021-01-12"
+end = "2024-05-05"
+
+[[trusted.toml]]
+criteria = "safe-to-deploy"
+user-id = 1 # Alex Crichton (alexcrichton)
+start = "2019-05-16"
+end = "2024-05-06"
+
+[[trusted.unicode-ident]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2021-10-02"
+end = "2024-04-25"
+
+[[trusted.walkdir]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2019-06-09"
+end = "2024-05-03"
+
+[[trusted.warp]]
+criteria = "safe-to-deploy"
+user-id = 359 # Sean McArthur (seanmonstar)
+start = "2019-03-20"
+end = "2024-05-08"
+
+[[trusted.wasi]]
+criteria = "safe-to-deploy"
+user-id = 1 # Alex Crichton (alexcrichton)
+start = "2020-06-03"
+end = "2024-05-05"
+
+[[trusted.winapi-util]]
+criteria = "safe-to-deploy"
+user-id = 189 # Andrew Gallant (BurntSushi)
+start = "2020-01-11"
+end = "2024-05-03"
+
+[[trusted.windows]]
+criteria = "safe-to-deploy"
+user-id = 64539 # Kenny Kerr (kennykerr)
+start = "2021-01-15"
+end = "2025-01-30"
+
+[[trusted.windows-core]]
+criteria = "safe-to-deploy"
+user-id = 64539 # Kenny Kerr (kennykerr)
+start = "2021-11-15"
+end = "2024-09-20"
+
+[[trusted.windows-sys]]
+criteria = "safe-to-deploy"
+user-id = 64539 # Kenny Kerr (kennykerr)
+start = "2021-11-15"
+end = "2024-09-12"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
new file mode 100644
index 0000000000..9c863175c4
--- /dev/null
+++ b/supply-chain/config.toml
@@ -0,0 +1,824 @@
+
+# cargo-vet config file
+
+[cargo-vet]
+version = "0.9"
+
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
+[imports.embark-studios]
+url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
+
+[imports.google]
+url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
+
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
+[imports.mozilla]
+url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+
+[policy.autocfg]
+audit-as-crates-io = true
+notes = "This is the upstream code plus a few local fixes, see bug 1685697."
+
+[policy.chardetng]
+audit-as-crates-io = true
+notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
+
+[policy.chardetng_c]
+audit-as-crates-io = true
+notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
+
+[policy.coremidi]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
+
+[policy.cose]
+audit-as-crates-io = true
+notes = "This is upstream plus a warning fix from bug 1823866."
+
+[policy.cssparser]
+audit-as-crates-io = true
+notes = "Upstream release plus a couple unpublished changes"
+
+[policy.cssparser-macros]
+audit-as-crates-io = true
+notes = "Upstream release plus a couple unpublished changes"
+
+[policy.d3d12]
+audit-as-crates-io = true
+notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
+
+[policy.firefox-on-glean]
+audit-as-crates-io = false
+notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
+
+[policy.geckodriver]
+audit-as-crates-io = false
+criteria = "safe-to-run"
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
+
+[policy.gkrust-gtest]
+criteria = "safe-to-run"
+notes = "Used for testing."
+
+[policy.gkrust-shared]
+dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
+notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
+
+[policy.gluesmith]
+criteria = "safe-to-run"
+notes = "Used for fuzzing."
+
+[policy.http3server]
+criteria = "safe-to-run"
+notes = "Used for testing."
+
+[policy.icu_capi]
+audit-as-crates-io = true
+notes = "Patched version of upstream"
+
+[policy.icu_segmenter_data]
+audit-as-crates-io = true
+notes = "Patched version of upstream"
+
+[policy.l10nregistry]
+dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
+notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
+
+[policy.libudev-sys]
+audit-as-crates-io = false
+notes = "This override is an api-compatible fork with an orthogonal implementation."
+
+[policy.malloc_size_of_derive]
+audit-as-crates-io = false
+notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
+
+[policy.marionette]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
+
+[policy.midir]
+audit-as-crates-io = true
+notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
+
+[policy."mio:0.6.23"]
+audit-as-crates-io = true
+notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
+
+[policy."mio:0.8.8@git:9a2ef335c366044ffe73b1c4acabe50a1daefe05"]
+audit-as-crates-io = true
+notes = "This is 0.8.8 + https://github.com/tokio-rs/mio/commit/eea9e3e0c469480e5c59c01e6c3c7e5fd88f0848."
+
+[policy.mozbuild]
+audit-as-crates-io = false
+notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
+
+[policy.mozdevice]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
+
+[policy.mozglue-static]
+dependency-criteria = { rustc_version = "safe-to-run" }
+notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
+
+[policy.mozilla-central-workspace-hack]
+audit-as-crates-io = false
+criteria = "safe-to-run"
+notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
+
+[policy.mozprofile]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
+
+[policy.mozrunner]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
+
+[policy.mozversion]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
+
+[policy.mp4parse]
+audit-as-crates-io = false
+
+[policy.mp4parse_capi]
+audit-as-crates-io = false
+
+[policy.naga]
+audit-as-crates-io = true
+notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
+
+[policy.peek-poke]
+audit-as-crates-io = false
+
+[policy.peek-poke-derive]
+audit-as-crates-io = false
+
+[policy.pulse]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
+
+[policy.qcms]
+audit-as-crates-io = true
+notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
+
+[policy.qlog]
+audit-as-crates-io = true
+notes = "Use this revision (09ea4b244096a013071cfe2175bbf2945fb7f8d1) of qlog temporarily."
+
+[policy.rure]
+audit-as-crates-io = true
+notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
+
+[policy.selectors]
+audit-as-crates-io = true
+notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
+
+[policy.servo_arc]
+audit-as-crates-io = true
+notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
+
+[policy.smoosh]
+criteria = "safe-to-run"
+notes = "We're not shipping this and have no plans to ship it."
+
+[policy.storage]
+audit-as-crates-io = false
+notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
+
+[policy.tabs]
+audit-as-crates-io = false
+notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
+
+[policy.viaduct]
+audit-as-crates-io = false
+notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
+
+[policy.warp]
+audit-as-crates-io = true
+notes = "This is a third-party crate, with an extra patch."
+
+[policy.webdriver]
+audit-as-crates-io = false
+criteria = "safe-to-run"
+notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
+
+[policy.webrender]
+audit-as-crates-io = false
+
+[policy.webrender_api]
+audit-as-crates-io = false
+
+[policy.webrender_build]
+audit-as-crates-io = false
+
+[policy.wgpu-core]
+audit-as-crates-io = true
+notes = "Upstream project which we pin."
+
+[policy.wgpu-hal]
+audit-as-crates-io = true
+notes = "Upstream project which we pin."
+
+[policy.wgpu-types]
+audit-as-crates-io = true
+notes = "Upstream project which we pin."
+
+[policy.windows]
+audit-as-crates-io = true
+notes = "Local override of the crates.io crate that uses a non-vendored local copy of the downloaded crate"
+
+[policy.wr_malloc_size_of]
+audit-as-crates-io = false
+
+[[exemptions.ahash]]
+version = "0.7.6"
+criteria = "safe-to-deploy"
+
+[[exemptions.alsa]]
+version = "0.4.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.alsa-sys]]
+version = "0.3.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.android_log-sys]]
+version = "0.2.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.askama_derive]]
+version = "0.11.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.askama_escape]]
+version = "0.10.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.async-task]]
+version = "4.0.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.bincode]]
+version = "1.3.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.bitflags]]
+version = "1.3.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.bitreader]]
+version = "0.3.6"
+criteria = "safe-to-deploy"
+
+[[exemptions.block]]
+version = "0.1.6"
+criteria = "safe-to-deploy"
+
+[[exemptions.cache-padded]]
+version = "1.2.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.camino]]
+version = "1.0.9"
+criteria = "safe-to-deploy"
+
+[[exemptions.chrono]]
+version = "0.4.19"
+criteria = "safe-to-deploy"
+
+[[exemptions.chunky-vec]]
+version = "0.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.clang-sys]]
+version = "1.3.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.cookie]]
+version = "0.16.0"
+criteria = "safe-to-run"
+
+[[exemptions.coreaudio-sys]]
+version = "0.2.10"
+criteria = "safe-to-deploy"
+
+[[exemptions.coremidi]]
+version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
+criteria = "safe-to-deploy"
+
+[[exemptions.coremidi-sys]]
+version = "3.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.cose]]
+version = "0.1.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.cose-c]]
+version = "0.1.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.cpufeatures]]
+version = "0.2.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.crc32fast]]
+version = "1.3.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.crossbeam-channel]]
+version = "0.5.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.crossbeam-deque]]
+version = "0.8.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.crossbeam-epoch]]
+version = "0.9.8"
+criteria = "safe-to-deploy"
+
+[[exemptions.crossbeam-utils]]
+version = "0.8.8"
+criteria = "safe-to-deploy"
+
+[[exemptions.d3d12]]
+version = "0.4.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.darling]]
+version = "0.13.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.darling_core]]
+version = "0.13.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.darling_macro]]
+version = "0.13.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.data-encoding]]
+version = "2.3.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.dbus]]
+version = "0.6.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.derive_more-impl]]
+version = "1.0.0-beta.2"
+criteria = "safe-to-deploy"
+notes = "The crate is new to version 1.0.x, and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information."
+
+[[exemptions.devd-rs]]
+version = "0.3.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.digest]]
+version = "0.10.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.dirs]]
+version = "4.0.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.dirs-sys]]
+version = "0.3.7"
+criteria = "safe-to-deploy"
+
+[[exemptions.dns-parser]]
+version = "0.8.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.enumset]]
+version = "1.0.11"
+criteria = "safe-to-deploy"
+
+[[exemptions.enumset_derive]]
+version = "0.6.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.env_logger]]
+version = "0.9.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.error-chain]]
+version = "0.12.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.fallible-iterator]]
+version = "0.2.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.fallible-streaming-iterator]]
+version = "0.1.9"
+criteria = "safe-to-deploy"
+
+[[exemptions.fallible_collections]]
+version = "0.4.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.ffi-support]]
+version = "0.4.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.float-cmp]]
+version = "0.6.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.fs-err]]
+version = "2.7.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.fuchsia-zircon]]
+version = "0.3.3"
+criteria = "safe-to-run"
+
+[[exemptions.fuchsia-zircon-sys]]
+version = "0.3.3"
+criteria = "safe-to-run"
+
+[[exemptions.futures-macro]]
+version = "0.3.21"
+criteria = "safe-to-deploy"
+
+[[exemptions.futures-task]]
+version = "0.3.21"
+criteria = "safe-to-deploy"
+
+[[exemptions.futures-util]]
+version = "0.3.21"
+criteria = "safe-to-deploy"
+
+[[exemptions.generic-array]]
+version = "0.14.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.getrandom]]
+version = "0.2.6"
+criteria = "safe-to-deploy"
+
+[[exemptions.gl_generator]]
+version = "0.14.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.glsl]]
+version = "6.0.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.goblin]]
+version = "0.1.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.gpu-alloc]]
+version = "0.5.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.gpu-alloc-types]]
+version = "0.2.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.gpu-descriptor]]
+version = "0.2.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.gpu-descriptor-types]]
+version = "0.1.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.hashlink]]
+version = "0.7.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.hermit-abi]]
+version = "0.1.19"
+criteria = "safe-to-deploy"
+
+[[exemptions.hexf-parse]]
+version = "0.2.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.ioctl-sys]]
+version = "0.7.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.itertools]]
+version = "0.10.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.khronos-egl]]
+version = "4.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.khronos_api]]
+version = "3.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.lazycell]]
+version = "1.3.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.libdbus-sys]]
+version = "0.2.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.libloading]]
+version = "0.7.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.libsqlite3-sys]]
+version = "0.25.2"
+criteria = "safe-to-deploy"
+suggest = false
+notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
+
+[[exemptions.libudev]]
+version = "0.2.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.lmdb-rkv-sys]]
+version = "0.11.2"
+criteria = "safe-to-deploy"
+suggest = false
+notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
+
+[[exemptions.mach]]
+version = "0.3.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.memalloc]]
+version = "0.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.memmap2]]
+version = "0.5.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.memoffset]]
+version = "0.6.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.midir]]
+version = "0.7.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.mime_guess]]
+version = "2.0.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.minimal-lexical]]
+version = "0.2.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.mio]]
+version = "0.8.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.mio-extras]]
+version = "2.0.6"
+criteria = "safe-to-run"
+
+[[exemptions.miow]]
+version = "0.3.7"
+criteria = "safe-to-run"
+
+[[exemptions.murmurhash3]]
+version = "0.0.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.net2]]
+version = "0.2.37"
+criteria = "safe-to-run"
+
+[[exemptions.nix]]
+version = "0.15.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.nom]]
+version = "7.1.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.objc]]
+version = "0.2.7"
+criteria = "safe-to-deploy"
+
+[[exemptions.objc_exception]]
+version = "0.1.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.object]]
+version = "0.28.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.once_cell]]
+version = "1.12.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.owning_ref]]
+version = "0.4.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.packed_simd]]
+version = "0.3.8"
+criteria = "safe-to-deploy"
+
+[[exemptions.phf]]
+version = "0.10.1"
+criteria = "safe-to-deploy"
+
+[[exemptions.phf_codegen]]
+version = "0.10.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.phf_generator]]
+version = "0.10.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.phf_macros]]
+version = "0.10.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.phf_shared]]
+version = "0.10.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.plain]]
+version = "0.2.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.plist]]
+version = "1.3.1"
+criteria = "safe-to-run"
+
+[[exemptions.ppv-lite86]]
+version = "0.2.16"
+criteria = "safe-to-deploy"
+
+[[exemptions.profiling]]
+version = "1.0.6"
+criteria = "safe-to-deploy"
+
+[[exemptions.prost]]
+version = "0.8.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.prost-derive]]
+version = "0.8.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.quick-error]]
+version = "1.2.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.rand]]
+version = "0.8.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.remove_dir_all]]
+version = "0.5.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.replace_with]]
+version = "0.1.7"
+criteria = "safe-to-deploy"
+
+[[exemptions.ringbuf]]
+version = "0.2.8"
+criteria = "safe-to-deploy"
+
+[[exemptions.ron]]
+version = "0.7.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.runloop]]
+version = "0.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.rusqlite]]
+version = "0.27.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.rust-ini]]
+version = "0.10.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.rust_decimal]]
+version = "1.24.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.scroll]]
+version = "0.10.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.scroll_derive]]
+version = "0.10.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.self_cell]]
+version = "0.10.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.serde_with]]
+version = "1.14.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.serde_with_macros]]
+version = "1.5.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.sfv]]
+version = "0.9.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.shlex]]
+version = "1.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.siphasher]]
+version = "0.3.10"
+criteria = "safe-to-deploy"
+
+[[exemptions.socket2]]
+version = "0.4.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.spirv]]
+version = "0.2.0+1.5.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.stable_deref_trait]]
+version = "1.2.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.static_assertions]]
+version = "1.1.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.strsim]]
+version = "0.10.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.tempfile]]
+version = "3.3.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.time]]
+version = "0.1.44"
+criteria = "safe-to-deploy"
+
+[[exemptions.triple_buffer]]
+version = "5.0.6"
+criteria = "safe-to-deploy"
+
+[[exemptions.type-map]]
+version = "0.4.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.typenum]]
+version = "1.15.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.unix_path]]
+version = "1.0.1"
+criteria = "safe-to-run"
+
+[[exemptions.unix_str]]
+version = "1.0.0"
+criteria = "safe-to-run"
+
+[[exemptions.uuid]]
+version = "0.8.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.webrtc-sdp]]
+version = "0.3.9"
+criteria = "safe-to-deploy"
+
+[[exemptions.winapi]]
+version = "0.3.9"
+criteria = "safe-to-deploy"
+
+[[exemptions.winapi-i686-pc-windows-gnu]]
+version = "0.4.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.winapi-x86_64-pc-windows-gnu]]
+version = "0.4.0"
+criteria = "safe-to-deploy"
+
+[[exemptions.wio]]
+version = "0.2.2"
+criteria = "safe-to-deploy"
+
+[[exemptions.xml-rs]]
+version = "0.8.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.zip]]
+version = "0.6.2"
+criteria = "safe-to-run"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
new file mode 100644
index 0000000000..2819ea159e
--- /dev/null
+++ b/supply-chain/imports.lock
@@ -0,0 +1,1460 @@ + +# cargo-vet imports lock + +[[publisher.aho-corasick]] +version = "1.1.0" +when = "2023-09-18" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.anstyle]] +version = "1.0.3" +when = "2023-09-11" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + +[[publisher.arbitrary]] +version = "1.3.0" +when = "2023-03-13" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + +[[publisher.async-trait]] +version = "0.1.68" +when = "2023-03-24" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.atomic]] +version = "0.4.6" +when = "2020-07-05" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.audio_thread_priority]] +version = "0.31.0" +when = "2024-01-17" +user-id = 1258 +user-login = "padenot" +user-name = "Paul Adenot" + +[[publisher.authenticator]] +version = "0.4.0-alpha.24" +when = "2023-11-29" +user-id = 175410 +user-login = "jschanck" +user-name = "John Schanck" + +[[publisher.bhttp]] +version = "0.3.1" +when = "2023-02-23" +user-id = 128763 +user-login = "martinthomson" +user-name = "Martin Thomson" + +[[publisher.byteorder]] +version = "1.4.3" +when = "2021-03-10" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.bytes]] +version = "1.4.0" +when = "2023-01-31" +user-id = 6741 +user-login = "Darksonn" +user-name = "Alice Ryhl" + +[[publisher.cexpr]] +version = "0.6.0" +when = "2021-10-11" +user-id = 3788 +user-login = "emilio" +user-name = "Emilio Cobos Álvarez" + +[[publisher.clap]] +version = "4.4.5" +when = "2023-09-25" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + +[[publisher.clap_builder]] +version = "4.4.5" +when = "2023-09-25" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + +[[publisher.clap_derive]] +version = "4.4.2" +when = "2023-08-31" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + +[[publisher.clap_lex]] +version = 
"0.5.1" +when = "2023-08-24" +user-id = 6743 +user-login = "epage" +user-name = "Ed Page" + +[[publisher.core-foundation]] +version = "0.9.3" +when = "2022-02-07" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.core-foundation-sys]] +version = "0.8.3" +when = "2021-10-12" +user-id = 2396 +user-login = "jdm" +user-name = "Josh Matthews" + +[[publisher.core-graphics]] +version = "0.22.3" +when = "2021-11-02" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.core-graphics-types]] +version = "0.1.1" +when = "2020-09-15" +user-id = 2396 +user-login = "jdm" +user-name = "Josh Matthews" + +[[publisher.core-text]] +version = "19.2.0" +when = "2021-02-14" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.derive_arbitrary]] +version = "1.3.0" +when = "2023-03-13" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + +[[publisher.dogear]] +version = "0.4.0" +when = "2019-09-16" +user-id = 27901 +user-login = "linabutler" +user-name = "Lina Butler" + +[[publisher.dtoa]] +version = "0.4.8" +when = "2021-03-29" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.encoding_rs]] +version = "0.8.33" +when = "2023-08-23" +user-id = 4484 +user-login = "hsivonen" +user-name = "Henri Sivonen" + +[[publisher.errno]] +version = "0.3.8" +when = "2023-11-28" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.etagere]] +version = "0.2.7" +when = "2022-05-04" +user-id = 1281 +user-login = "nical" +user-name = "Nicolas Silva" + +[[publisher.euclid]] +version = "0.22.7" +when = "2022-04-04" +user-id = 1281 +user-login = "nical" +user-name = "Nicolas Silva" + +[[publisher.flate2]] +version = "1.0.26" +when = "2023-04-28" +user-id = 4333 +user-login = "joshtriplett" +user-name = "Josh Triplett" + +[[publisher.freetype]] +version = "0.7.0" +when = "2020-07-14" +user-id = 2396 +user-login = "jdm" +user-name = 
"Josh Matthews" + +[[publisher.gleam]] +version = "0.15.0" +when = "2023-04-21" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.glean]] +version = "56.1.0" +when = "2024-01-17" +user-id = 48 +user-login = "badboy" +user-name = "Jan-Erik Rediger" + +[[publisher.glean]] +version = "57.0.0" +when = "2024-02-12" +user-id = 66068 +user-login = "travis79" +user-name = "Travis Long" + +[[publisher.glean-core]] +version = "56.1.0" +when = "2024-01-17" +user-id = 48 +user-login = "badboy" +user-name = "Jan-Erik Rediger" + +[[publisher.glean-core]] +version = "57.0.0" +when = "2024-02-12" +user-id = 66068 +user-login = "travis79" +user-name = "Travis Long" + +[[publisher.glslopt]] +version = "0.1.9" +when = "2021-03-17" +user-id = 84794 +user-login = "jamienicol" +user-name = "Jamie Nicol" + +[[publisher.h2]] +version = "0.3.22" +when = "2023-11-15" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.headers]] +version = "0.3.9" +when = "2023-08-31" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.httparse]] +version = "1.8.0" +when = "2022-08-30" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.indexmap]] +version = "1.9.3" +when = "2023-03-24" +user-id = 539 +user-login = "cuviper" +user-name = "Josh Stone" + +[[publisher.inherent]] +version = "1.0.7" +when = "2023-03-25" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.iovec]] +version = "0.1.4" +when = "2019-10-09" +user-id = 10 +user-login = "carllerche" +user-name = "Carl Lerche" + +[[publisher.itoa]] +version = "1.0.5" +when = "2022-12-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.jobserver]] +version = "0.1.25" +when = "2022-09-23" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.libc]] +version = "0.2.152" +when = "2024-01-07" +user-id = 51017 +user-login = 
"JohnTitor" +user-name = "Yuki Okushi" + +[[publisher.linux-raw-sys]] +version = "0.4.12" +when = "2023-11-30" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.lock_api]] +version = "0.4.9" +when = "2022-09-20" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.memchr]] +version = "2.5.0" +when = "2022-04-30" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.mime]] +version = "0.3.16" +when = "2020-01-07" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.mio]] +version = "0.6.21" +when = "2019-11-27" +user-id = 10 +user-login = "carllerche" +user-name = "Carl Lerche" + +[[publisher.nss-gk-api]] +version = "0.3.0" +when = "2023-06-14" +user-id = 175410 +user-login = "jschanck" +user-name = "John Schanck" + +[[publisher.num_cpus]] +version = "1.15.0" +when = "2022-12-20" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.ohttp]] +version = "0.3.1" +when = "2023-02-23" +user-id = 128763 +user-login = "martinthomson" +user-name = "Martin Thomson" + +[[publisher.ordered-float]] +version = "3.4.0" +when = "2022-11-06" +user-id = 2017 +user-login = "mbrubeck" +user-name = "Matt Brubeck" + +[[publisher.parking_lot]] +version = "0.12.1" +when = "2022-05-31" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.parking_lot_core]] +version = "0.9.9" +when = "2023-10-17" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.paste]] +version = "1.0.11" +when = "2022-12-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.presser]] +version = "0.3.1" +when = "2022-10-16" +user-id = 52553 +user-login = "embark-studios" + +[[publisher.prio]] +version = "0.15.3" +when = "2023-10-03" +user-id = 213776 +user-login = "divviup-github-automation" + +[[publisher.proc-macro2]] +version = "1.0.74" +when = 
"2024-01-02" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.qcms]] +version = "0.3.0" +when = "2024-01-09" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + +[[publisher.quote]] +version = "1.0.35" +when = "2024-01-02" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.regex]] +version = "1.9.4" +when = "2023-08-26" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.regex-automata]] +version = "0.3.7" +when = "2023-08-26" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.regex-syntax]] +version = "0.7.5" +when = "2023-08-26" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.rust_cascade]] +version = "1.5.0" +when = "2023-04-05" +user-id = 57462 +user-login = "mozkeeler" +user-name = "Dana Keeler" + +[[publisher.rustix]] +version = "0.38.28" +when = "2023-12-09" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.ryu]] +version = "1.0.12" +when = "2022-12-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.same-file]] +version = "1.0.6" +when = "2020-01-11" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.scopeguard]] +version = "1.1.0" +when = "2020-02-16" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.serde]] +version = "1.0.195" +when = "2024-01-06" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.serde_bytes]] +version = "0.11.9" +when = "2023-02-05" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.serde_derive]] +version = "1.0.195" +when = "2024-01-06" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.serde_json]] +version = "1.0.93" +when = "2023-02-08" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" 
+ +[[publisher.serde_repr]] +version = "0.1.12" +when = "2023-03-18" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.serde_yaml]] +version = "0.8.26" +when = "2022-07-16" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.smallvec]] +version = "1.11.1" +when = "2023-09-20" +user-id = 2017 +user-login = "mbrubeck" +user-name = "Matt Brubeck" + +[[publisher.syn]] +version = "2.0.46" +when = "2024-01-02" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.termcolor]] +version = "1.4.1" +when = "2024-01-10" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.thiserror]] +version = "1.0.56" +when = "2024-01-02" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.thiserror-impl]] +version = "1.0.56" +when = "2024-01-02" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.threadbound]] +version = "0.1.5" +when = "2022-12-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.tokio-util]] +version = "0.7.2" +when = "2022-05-15" +user-id = 6741 +user-login = "Darksonn" +user-name = "Alice Ryhl" + +[[publisher.toml]] +version = "0.5.7" +when = "2020-10-11" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.unicode-ident]] +version = "1.0.6" +when = "2022-12-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.unicode-width]] +version = "0.1.10" +when = "2022-09-13" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unicode-xid]] +version = "0.2.4" +when = "2022-09-15" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.uniffi]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_bindgen]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 
+user-login = "bendk" + +[[publisher.uniffi_build]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_checksum_derive]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_core]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_macros]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_meta]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_testing]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.uniffi_udl]] +version = "0.25.3" +when = "2023-12-07" +user-id = 127697 +user-login = "bendk" + +[[publisher.utf8_iter]] +version = "1.0.3" +when = "2022-09-09" +user-id = 4484 +user-login = "hsivonen" +user-name = "Henri Sivonen" + +[[publisher.walkdir]] +version = "2.3.2" +when = "2021-03-22" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.warp]] +version = "0.3.6" +when = "2023-09-27" +user-id = 359 +user-login = "seanmonstar" +user-name = "Sean McArthur" + +[[publisher.wasi]] +version = "0.11.0+wasi-snapshot-preview1" +when = "2022-01-19" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasm-encoder]] +version = "0.40.0" +when = "2024-01-24" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasm-smith]] +version = "0.15.0" +when = "2024-01-24" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wast]] +version = "70.0.1" +when = "2024-01-24" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.winapi-util]] +version = "0.1.5" +when = "2020-04-20" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.windows]] +version = "0.52.0" +when = "2023-11-15" 
+user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows-core]] +version = "0.52.0" +when = "2023-11-15" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows-sys]] +version = "0.52.0" +when = "2023-11-15" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.zeitstempel]] +version = "0.1.1" +when = "2021-03-18" +user-id = 48 +user-login = "badboy" +user-name = "Jan-Erik Rediger" + +[[audits.bytecode-alliance.wildcard-audits.arbitrary]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2020-01-14" +end = "2024-04-21" +notes = "I am an author of this crate." + +[[audits.bytecode-alliance.wildcard-audits.derive_arbitrary]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2020-01-14" +end = "2024-04-27" +notes = "I am an author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2020-12-11" +end = "2024-04-14" +notes = """ +This is a Bytecode Alliance authored crate maintained in the `wasm-tools` +repository of which I'm one of the primary maintainers and publishers for. +I am employed by a member of the Bytecode Alliance and plan to continue doing +so and will actively maintain this crate over time. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasm-smith]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2020-09-03" +end = "2024-04-14" +notes = """ +This is a Bytecode Alliance authored crate maintained in the `wasm-tools` +repository of which I'm one of the primary maintainers and publishers for. 
+I am employed by a member of the Bytecode Alliance and plan to continue doing +so and will actively maintain this crate over time. +""" + +[[audits.bytecode-alliance.wildcard-audits.wast]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2019-10-16" +end = "2024-04-14" +notes = """ +This is a Bytecode Alliance authored crate maintained in the `wasm-tools` +repository of which I'm one of the primary maintainers and publishers for. +I am employed by a member of the Bytecode Alliance and plan to continue doing +so and will actively maintain this crate over time. +""" + +[[audits.bytecode-alliance.audits.adler]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "1.0.2" +notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." + +[[audits.bytecode-alliance.audits.arrayref]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +version = "0.3.6" +notes = """ +Unsafe code, but its logic looks good to me. Necessary given what it is +doing. Well tested, has quickchecks. +""" + +[[audits.bytecode-alliance.audits.arrayvec]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +version = "0.7.2" +notes = """ +Well documented invariants, good assertions for those invariants in unsafe code, +and tested with MIRI to boot. LGTM. +""" + +[[audits.bytecode-alliance.audits.base64]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." 
+ +[[audits.bytecode-alliance.audits.bitflags]] +who = "Jamey Sharp <jsharp@fastly.com>" +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.2.1" +notes = """ +This version adds unsafe impls of traits from the bytemuck crate when built +with that library enabled, but I believe the impls satisfy the documented +safety requirements for bytemuck. The other changes are minor. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "2.3.2 -> 2.3.3" +notes = """ +Nothing outside the realm of what one would expect from a bitflags generator, +all as expected. +""" + +[[audits.bytecode-alliance.audits.block-buffer]] +who = "Benjamin Bouvier <public@benj.me>" +criteria = "safe-to-deploy" +delta = "0.9.0 -> 0.10.2" + +[[audits.bytecode-alliance.audits.bumpalo]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +version = "3.11.1" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.cargo-platform]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.1.2" +notes = "no build, no ambient capabilities, no unsafe" + +[[audits.bytecode-alliance.audits.cc]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "1.0.73" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.cfg-if]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.codespan-reporting]] +who = "Jamey Sharp <jsharp@fastly.com>" +criteria = "safe-to-deploy" +version = "0.11.1" +notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O." 
+ +[[audits.bytecode-alliance.audits.cpufeatures]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.7" +notes = """ +This is a minor update that looks to add some more detected CPU features and +various other minor portability fixes such as MIRI support. +""" + +[[audits.bytecode-alliance.audits.crypto-common]] +who = "Benjamin Bouvier <public@benj.me>" +criteria = "safe-to-deploy" +version = "0.1.3" + +[[audits.bytecode-alliance.audits.fallible-iterator]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.3.0" +notes = """ +This major version update has a few minor breaking changes but everything +this crate has to do with iterators and `Result` and such. No `unsafe` or +anything like that, all looks good. +""" + +[[audits.bytecode-alliance.audits.foreign-types]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.2" +notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well." + +[[audits.bytecode-alliance.audits.foreign-types-shared]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.1.1" + +[[audits.bytecode-alliance.audits.futures-channel]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)" + +[[audits.bytecode-alliance.audits.futures-core]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. 
Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." + +[[audits.bytecode-alliance.audits.futures-executor]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods." + +[[audits.bytecode-alliance.audits.futures-io]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.27" + +[[audits.bytecode-alliance.audits.futures-sink]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.27" + +[[audits.bytecode-alliance.audits.heck]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "0.4.0" +notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation." + +[[audits.bytecode-alliance.audits.id-arena]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +version = "2.2.1" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.idna]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "0.3.0" +notes = """ +This is a crate without unsafe code or usage of the standard library. The large +size of this crate comes from the large generated unicode tables file. This +crate is broadly used throughout the ecosystem and does not contain anything +suspicious. +""" + +[[audits.bytecode-alliance.audits.leb128]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +version = "0.2.5" +notes = "I am the author of this crate." 
+ +[[audits.bytecode-alliance.audits.memoffset]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes." + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" + +[[audits.bytecode-alliance.audits.mio]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.8.6 -> 0.8.8" +notes = "Mostly OS portability updates along with some minor bugfixes." + +[[audits.bytecode-alliance.audits.object]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.30.3 -> 0.31.1" +notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary." + +[[audits.bytecode-alliance.audits.object]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.31.1 -> 0.32.0" +notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good." 
+ +[[audits.bytecode-alliance.audits.percent-encoding]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "2.2.0" +notes = """ +This crate is a single-file crate that does what it says on the tin. There are +a few `unsafe` blocks related to utf-8 validation which are locally verifiable +as correct and otherwise this crate is good to go. +""" + +[[audits.bytecode-alliance.audits.pin-utils]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.25" +notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." + +[[audits.bytecode-alliance.audits.rustc-demangle]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "0.1.21" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.semver]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "1.0.17" +notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct" + +[[audits.bytecode-alliance.audits.slab]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.4.6" +notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods." + +[[audits.bytecode-alliance.audits.socket2]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.4.7 -> 0.4.9" +notes = "Minor OS compat updates but otherwise nothing major here." 
+ +[[audits.bytecode-alliance.audits.tempfile]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +delta = "3.3.0 -> 3.5.0" + +[[audits.bytecode-alliance.audits.tempfile]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "3.5.0 -> 3.6.0" +notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." + +[[audits.bytecode-alliance.audits.unicase]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "2.6.0" +notes = """ +This crate contains no `unsafe` code and no unnecessary use of the standard +library. +""" + +[[audits.bytecode-alliance.audits.unicode-bidi]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "0.3.8" +notes = """ +This crate has no unsafe code and does not use `std::*`. Skimming the crate it +does not attempt to out of the bounds of what it's already supposed to be doing. +""" + +[[audits.bytecode-alliance.audits.unicode-normalization]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +version = "0.1.19" +notes = """ +This crate contains one usage of `unsafe` which I have manually checked to see +it as correct. This crate's size comes in large part due to the generated +unicode tables that it contains. This crate is additionally widely used +throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs +and nothing suspicious. +""" + +[[audits.embark-studios.wildcard-audits.presser]] +who = "Gray Olson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +user-id = 52553 # embark-studios +start = "2021-01-01" +end = "2024-05-23" +notes = """ +Small crate with no dependencies and no ambient capabilities. The safe interface of the crate +is gated behind unsafe implementation of a core trait, and care must be taken to ensure that +the relevant invariants are guaranteed when doing so. 
Maintained by the Ark team at Embark +and used in production. +""" + +[[audits.embark-studios.audits.anyhow]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +version = "1.0.58" + +[[audits.embark-studios.audits.cfg_aliases]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark-studios.audits.derive_more]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +version = "0.99.17" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark-studios.audits.ident_case]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +version = "1.0.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark-studios.audits.idna]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.4.0" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark-studios.audits.line-wrap]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark-studios.audits.yaml-rust]] +who = "Johan Andersson <opensource@embark-studios.com>" +criteria = "safe-to-deploy" +version = "0.4.5" +notes = "No unsafe usage or ambient capabilities" + +[[audits.google.audits.ash]] +who = "David Koloski <dkoloski@google.com>" +criteria = "safe-to-deploy" +version = "0.37.0+1.3.209" +notes = "Reviewed on https://fxrev.dev/694269" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.fastrand]] +who = "George Burgess IV <gbiv@google.com>" +criteria = "safe-to-deploy" +version = "1.9.0" +notes = """ +`does-not-implement-crypto` is certified because this crate explicitly says +that the RNG here 
is not cryptographically secure. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.futures]] +who = "George Burgess IV <gbiv@google.com>" +criteria = "safe-to-deploy" +version = "0.3.28" +notes = """ +`futures` has no logic other than tests - it simply `pub use`s things from +other crates. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.glob]] +who = "George Burgess IV <gbiv@google.com>" +criteria = "safe-to-deploy" +version = "0.3.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.http]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.2.8" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.http-body]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.4.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.httpdate]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "1.0.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.hyper]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.14.20" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "1.0.12" +aggregated-from = 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-internal]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "1.0.12" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski <dkoloski@google.com>" +criteria = "safe-to-deploy" +version = "0.2.9" +notes = "Reviewed on https://fxrev.dev/824504" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.scoped-tls]] +who = "George Burgess IV <gbiv@google.com>" +criteria = "safe-to-run" +version = "1.0.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.serde_urlencoded]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.7.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tokio]] +who = "Vovo Yang <vovoy@google.com>" +criteria = "safe-to-run" +version = "1.29.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tokio-stream]] +who = "David Koloski <dkoloski@google.com>" +criteria = "safe-to-deploy" +version = "0.1.11" +notes = "Reviewed on https://fxrev.dev/804724" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tower-service]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.3.2" +aggregated-from = 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tracing]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.1.35" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tracing-attributes]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.1.22" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tracing-core]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.1.29" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.try-lock]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.2.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.version_check]] +who = "George Burgess IV <gbiv@google.com>" +criteria = "safe-to-deploy" +version = "0.9.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.want]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.3.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.isrg.wildcard-audits.prio]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +user-id = 213776 # divviup-github-automation +start = "2020-09-28" +end = "2024-03-23" + +[[audits.isrg.audits.base64]] +who = "Tim Geoghegan <timg@letsencrypt.org>" +criteria = "safe-to-deploy" +delta = "0.21.0 -> 0.21.1" + +[[audits.isrg.audits.base64]] +who = 
"Brandon Pitman <bran@bran.land>" +criteria = "safe-to-deploy" +delta = "0.21.1 -> 0.21.2" + +[[audits.isrg.audits.base64]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "0.21.2 -> 0.21.3" + +[[audits.isrg.audits.block-buffer]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +version = "0.9.0" + +[[audits.isrg.audits.getrandom]] +who = "Tim Geoghegan <timg@letsencrypt.org>" +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.10" +notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`." + +[[audits.isrg.audits.keccak]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +version = "0.1.2" + +[[audits.isrg.audits.keccak]] +who = "Brandon Pitman <bran@bran.land>" +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" + +[[audits.isrg.audits.once_cell]] +who = "Brandon Pitman <bran@bran.land>" +criteria = "safe-to-deploy" +delta = "1.17.1 -> 1.17.2" + +[[audits.isrg.audits.once_cell]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "1.17.2 -> 1.18.0" + +[[audits.isrg.audits.once_cell]] +who = "Brandon Pitman <bran@bran.land>" +criteria = "safe-to-deploy" +delta = "1.18.0 -> 1.19.0" + +[[audits.isrg.audits.rand_chacha]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +version = "0.3.1" + +[[audits.isrg.audits.rand_core]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +version = "0.6.3" + +[[audits.isrg.audits.rayon-core]] +who = "Brandon Pitman <bran@bran.land>" +criteria = "safe-to-deploy" +delta = "1.10.2 -> 1.11.0" + +[[audits.isrg.audits.rayon-core]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "1.11.0 -> 1.12.0" + +[[audits.isrg.audits.sha2]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +version = "0.10.2" + +[[audits.isrg.audits.sha3]] +who = "David Cook <dcook@divviup.org>" +criteria 
= "safe-to-deploy" +version = "0.10.6" + +[[audits.isrg.audits.sha3]] +who = "Brandon Pitman <bran@bran.land>" +criteria = "safe-to-deploy" +delta = "0.10.7 -> 0.10.8" + +[[audits.mozilla.wildcard-audits.zeitstempel]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 48 # Jan-Erik Rediger (badboy) +start = "2021-03-03" +end = "2024-05-10" +notes = "Maintained by me" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.askama]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.11.1 -> 0.12.0" +notes = "No new unsafe usage, mostly dependency updates and smaller API changes" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.askama_derive]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.11.2 -> 0.12.1" +notes = "Dependency updates, a new toml dependency and some API changes. No unsafe use." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.basic-toml]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +version = "0.1.2" +notes = "TOML parser, forked from toml 0.5" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" +notes = "Only allowing new clippy lints" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Nika Layzell <nika@thelayzells.com>" +criteria = "safe-to-deploy" +version = "1.6.1" +notes = """ +Straightforward crate providing the Either enum and trait implementations with +no unsafe code. 
+""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.lazy_static]] +who = "Nika Layzell <nika@thelayzells.com>" +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "I have read over the macros, and audited the unsafe code." +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.4.17 -> 0.4.18" +notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Kagami Sascha Rosylight <krosylight@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.4.18 -> 0.4.20" +notes = "Only cfg attribute and internal macro changes and module refactorings" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.rkv]] +who = "Kagami Sascha Rosylight <krosylight@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.18.4 -> 0.19.0" +notes = "Maintained by Mozilla, no addition of unsafe blocks" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
diff --git a/supply-chain/moz.build b/supply-chain/moz.build
new file mode 100644
index 0000000000..8366935dc8
--- /dev/null
+++ b/supply-chain/moz.build
@@ -0,0 +1,8 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+ BUG_COMPONENT = ("Firefox Build System", "General") |