authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 05:35:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-06-12 05:35:29 +0000
commit59203c63bb777a3bacec32fb8830fba33540e809 (patch)
tree58298e711c0ff0575818c30485b44a2f21bf28a0 /supply-chain
parentAdding upstream version 126.0.1. (diff)
downloadfirefox-59203c63bb777a3bacec32fb8830fba33540e809.tar.xz
firefox-59203c63bb777a3bacec32fb8830fba33540e809.zip
Adding upstream version 127.0.upstream/127.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'supply-chain')
-rw-r--r--supply-chain/audits.toml220
-rw-r--r--supply-chain/config.toml42
-rw-r--r--supply-chain/imports.lock179
3 files changed, 339 insertions, 102 deletions
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index b21bde4f10..02f5c85bb5 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -275,6 +275,14 @@ start = "2020-11-03"
end = "2024-03-31"
notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
+[[wildcard-audits.minidump-common]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 72814 # Gabriele Svelto (gabrielesvelto)
+start = "2022-11-30"
+end = "2025-02-28"
+notes = "This crate is written and maintained by mozilla employees."
+
[[wildcard-audits.mozdevice]]
who = "Henrik Skupin <mail@hskupin.info>"
criteria = "safe-to-run"
@@ -534,6 +542,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.7.6 -> 0.7.8"
+[[audits.ahash]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.7 -> 0.8.11"
+
[[audits.aho-corasick]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
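Review bot: The new `[[audits.ahash]]` entry certifies `0.8.7 -> 0.8.11` as safe-to-deploy with no `notes`, so the record does not say what was examined across those releases. The imported bytecode-alliance audit in imports.lock mentions updates to `unsafe` code in this crate for the preceding range. A one-line note would make the certification checkable later, e.g. `notes = "<what changed and whether unsafe code was touched>"`. The same applies to the note-less entries added in later hunks: libloading `0.7.4 -> 0.8.3`, gpu-descriptor, gpu-descriptor-types, qlog, and the single-reviewer naga and wgpu-* deltas.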
@@ -588,6 +601,19 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
+[[audits.any_all_workaround]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = "The little code that is in this crate I reviewed and modified from packed_simd (which has previously been vendored in full instead of just this small part)."
+
+[[audits.any_all_workaround]]
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
+criteria = "safe-to-deploy"
+delta = "0.1.0 -> 0.1.0@git:7fb1b7034c9f172aade21ee1c8554e8d8a48af80"
+importable = false
+notes = "This is a trivial workaround copied from elsewhere in m-c, specifically qcms."
+
[[audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@@ -742,6 +768,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.3"
+[[audits.audio-mixer]]
+who = "Paul Adenot <paul@paul.cx>"
+criteria = "safe-to-deploy"
+delta = "0.1.3 -> 0.2.0"
+notes = "(I wrote all of this code)"
+
[[audits.authenticator]]
who = "John M. Schanck <jschanck@mozilla.com>"
criteria = "safe-to-deploy"
@@ -962,6 +994,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.16.0 -> 0.16.2"
+[[audits.core-foundation]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.9.3 -> 0.9.4"
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
[[audits.core-graphics]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
@@ -972,6 +1010,12 @@ who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.1.2"
+[[audits.core-graphics-types]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.3"
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
[[audits.core-text]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
@@ -1147,6 +1191,12 @@ criteria = "safe-to-deploy"
delta = "0.33.0 -> 0.33.0@git:aaa966d9d6ae70c4b8a62bb5e3a14c068bb7dff0"
notes = "Only one minimal change exposing a previously-private enumeration."
+[[audits.cssparser]]
+who = "Emilio Cobos Álvarez <emilio@crisal.io>"
+criteria = "safe-to-deploy"
+delta = "0.33.0 -> 0.34.0"
+notes = "I'm the publisher of the crate, and either myself or other Mozilla folks have been authors or reviewers of all the changes."
+
[[audits.cssparser-color]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
@@ -1325,11 +1375,21 @@ who = [
"Erich Gubler <egubler@mozilla.com>",
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
"Erich Gubler <erichdongubler@gmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
-delta = "0.7.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
+delta = "0.7.0 -> 0.19.0"
+
+[[audits.d3d12]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.19.0 -> 0.20.0"
+
+[[audits.d3d12]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231"
importable = false
[[audits.darling]]
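Review bot: The existing multi-reviewer d3d12 entry has its delta rewritten from `0.7.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4` to `0.7.0 -> 0.19.0`, and the trailing `importable = false` now appears to close the new `0.20.0@git` entry, so the rewritten record becomes importable by default. Nothing in the entry records that the published 0.19.0 matches the revision that was reviewed; a `notes` line stating that, or that the release was re-checked, would make the record safer for peers to rely on. The naga, wgpu-core, wgpu-hal and wgpu-types hunks follow the same pattern, with the four-name `who` list ending up on a `0.19.x -> 0.20.0` delta. Whether all four reviewed that range cannot be told from the diff.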
@@ -1638,6 +1698,12 @@ criteria = "safe-to-deploy"
delta = "0.4.5 -> 0.4.6"
notes = "The changes in this version are mine."
+[[audits.fallible_collections]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.6 -> 0.4.9"
+notes = "Mostly soundness fixes."
+
[[audits.fastrand]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@@ -2029,6 +2095,12 @@ who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.7.1"
+[[audits.goblin]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.7.1 -> 0.8.0"
+notes = "Fairly straightforward feature improvements."
+
[[audits.gpu-alloc]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
@@ -2049,6 +2121,28 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.3"
+[[audits.gpu-descriptor]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.3 -> 0.3.0"
+
+[[audits.gpu-descriptor]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.0 -> 0.3.0@git:7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d"
+importable = false
+
+[[audits.gpu-descriptor-types]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.1 -> 0.2.0"
+
+[[audits.gpu-descriptor-types]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.0 -> 0.2.0@git:7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d"
+importable = false
+
[[audits.guid_win]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
@@ -2091,6 +2185,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.8.1"
+[[audits.hashlink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.1 -> 0.8.2"
+notes = "Only dependency changes."
+
[[audits.headers]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
@@ -2370,6 +2470,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.7.3 -> 0.7.4"
+[[audits.libloading]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.7.4 -> 0.8.3"
+
[[audits.libm]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
@@ -2539,6 +2644,17 @@ who = "Nicolas Silva <nical@fastmail.com>, Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.26.0 -> 0.27.0"
+[[audits.metal]]
+who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.27.0 -> 0.27.0@git:ff8fd3d6dc7792852f8a015458d7e6d42d7fb352"
+
+[[audits.metal]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.27.0 -> 0.28.0"
+notes = "No significantly changed functionality. Some warnings resolved, bumped `core-graphics-types`, newer versions of Metal supported."
+
[[audits.midir]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
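Review bot: The added metal entry for `0.27.0 -> 0.27.0@git:ff8fd3d6dc7792852f8a015458d7e6d42d7fb352` is the only git-revision delta added in this file without `importable = false`; the any_all_workaround, d3d12, gpu-descriptor, gpu-descriptor-types, naga and wgpu-* entries all set it. If that is unintended, add `importable = false` after the `delta` line so an audit of an unpublished revision is not offered to peers. The entry also has no `notes` saying what the pinned revision changes relative to 0.27.0.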
@@ -2606,6 +2722,12 @@ criteria = "safe-to-deploy"
delta = "0.8.1 -> 0.8.3"
notes = "All changes were authored or reviewed by Mozilla employees"
+[[audits.minidump-writer]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.3 -> 0.8.9"
+notes = "Mainly dependency updates and a few small features (in support of mozilla bugs)."
+
[[audits.miniz_oxide]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@@ -2676,14 +2798,24 @@ criteria = "safe-to-deploy"
delta = "0.13.0 -> 0.14.0"
[[audits.naga]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.14.0 -> 0.19.2"
+
+[[audits.naga]]
who = [
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
"Erich Gubler <erichdongubler@gmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
-delta = "0.14.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
+delta = "0.19.2 -> 0.20.0"
+
+[[audits.naga]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231"
importable = false
[[audits.net2]]
@@ -2718,6 +2850,15 @@ who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.26.2 -> 0.27.1"
+[[audits.nix]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.27.1 -> 0.28.0"
+notes = """
+Many new features and bugfixes. Obviously there's a lot of unsafe code calling
+libc, but the usage looks correct.
+"""
+
[[audits.nom]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@@ -3156,6 +3297,11 @@ who = "Kershaw Chang <kershaw@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.12.0"
+[[audits.qlog]]
+who = "Kershaw Chang <kershaw@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.12.0 -> 0.13.0"
+
[[audits.quote]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
@@ -3605,6 +3751,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.9.2 -> 0.9.3"
+[[audits.sfv]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.9.3 -> 0.9.4"
+notes = "Only an update of `indexmap` 1 → 2."
+
[[audits.sha1]]
who = "Dana Keeler <dkeeler@mozilla.com>"
criteria = "safe-to-deploy"
@@ -4495,14 +4647,24 @@ criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.18.0"
[[audits.wgpu-core]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.19.3"
+
+[[audits.wgpu-core]]
who = [
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
"Erich Gubler <erichdongubler@gmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
+delta = "0.19.3 -> 0.20.0"
+
+[[audits.wgpu-core]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231"
importable = false
[[audits.wgpu-hal]]
@@ -4549,14 +4711,24 @@ criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.18.0"
[[audits.wgpu-hal]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.19.3"
+
+[[audits.wgpu-hal]]
who = [
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
"Erich Gubler <erichdongubler@gmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
+delta = "0.19.3 -> 0.20.0"
+
+[[audits.wgpu-hal]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231"
importable = false
[[audits.wgpu-types]]
@@ -4603,14 +4775,24 @@ criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.18.0"
[[audits.wgpu-types]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.18.0 -> 0.19.2"
+
+[[audits.wgpu-types]]
who = [
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
"Erich Gubler <erichdongubler@gmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
+delta = "0.19.2 -> 0.20.0"
+
+[[audits.wgpu-types]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231"
importable = false
[[audits.whatsys]]
@@ -4686,6 +4868,24 @@ who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
version = "0.7.3"
+[[audits.zerocopy]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.7.32"
+notes = """
+This crate is `no_std` so doesn't use any side-effectful std functions. It
+contains quite a lot of `unsafe` code, however. I verified portions of this. It
+also has a large, thorough test suite. The project claims to run tests with
+Miri to have stronger soundness checks, and also claims to use formal
+verification tools to prove correctness.
+"""
+
+[[audits.zerocopy-derive]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.7.32"
+notes = "Clean, safe macros for zerocopy."
+
[[audits.zerofrom]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
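Review bot: The zerocopy `version = "0.7.32"` entry is a full safe-to-deploy audit, yet its notes say only portions of the `unsafe` code were verified and otherwise rely on what the project claims about Miri and formal verification. The notes would be more useful if they named which modules or unsafe blocks were actually read, so a later reviewer knows what remains unexamined. A sentence such as `Reviewed: <modules read>; not reviewed: <remainder>.` inside the existing multi-line string would be enough.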
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 20b62a8210..ceba9cf6d9 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -19,10 +19,18 @@ url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/au
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+[policy.any_all_workaround]
+audit-as-crates-io = true
+notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209."
+
[policy.autocfg]
audit-as-crates-io = true
notes = "This is the upstream code plus a few local fixes, see bug 1685697."
+[policy."bindgen:0.69.4"]
+audit-as-crates-io = true
+notes = "This is the upstream code plus a fix for clang trunk. See bug 1894093."
+
[policy.chardetng]
audit-as-crates-io = true
notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
@@ -39,14 +47,6 @@ notes = "This is a pinned version of the upstream code, presumably to get a fix
audit-as-crates-io = true
notes = "This is upstream plus a warning fix from bug 1823866."
-[policy.cssparser]
-audit-as-crates-io = true
-notes = "Upstream release plus a couple unpublished changes"
-
-[policy.cssparser-macros]
-audit-as-crates-io = true
-notes = "Upstream release plus a couple unpublished changes"
-
[policy.d3d12]
audit-as-crates-io = true
notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
@@ -72,6 +72,12 @@ notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack
criteria = "safe-to-run"
notes = "Used for fuzzing."
+[policy.gpu-descriptor]
+audit-as-crates-io = true
+
+[policy.gpu-descriptor-types]
+audit-as-crates-io = true
+
[policy.http3server]
criteria = "safe-to-run"
notes = "Used for testing."
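Review bot: `[policy.gpu-descriptor]` and `[policy.gpu-descriptor-types]` set `audit-as-crates-io = true` with no `notes`, while the other policies added in this commit (any_all_workaround, bindgen, plist) explain how the vendored code differs from upstream and cite a bug. Adding something like `notes = "<how the pinned revision differs from the crates.io release, with bug reference>"` to each would document why treating the pinned code as the published crate is sound.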
@@ -157,6 +163,10 @@ audit-as-crates-io = false
[policy.peek-poke-derive]
audit-as-crates-io = false
+[policy.plist]
+audit-as-crates-io = true
+notes = "This is the upstream code plus one local fix, see bug 1874167."
+
[policy.pulse]
audit-as-crates-io = false
notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
@@ -269,10 +279,6 @@ criteria = "safe-to-deploy"
version = "1.3.3"
criteria = "safe-to-deploy"
-[[exemptions.bitflags]]
-version = "1.3.2"
-criteria = "safe-to-deploy"
-
[[exemptions.bitreader]]
version = "0.3.6"
criteria = "safe-to-deploy"
@@ -606,10 +612,6 @@ criteria = "safe-to-deploy"
version = "0.2.7"
criteria = "safe-to-deploy"
-[[exemptions.objc_exception]]
-version = "0.1.2"
-criteria = "safe-to-deploy"
-
[[exemptions.object]]
version = "0.28.4"
criteria = "safe-to-deploy"
@@ -618,14 +620,6 @@ criteria = "safe-to-deploy"
version = "1.12.0"
criteria = "safe-to-deploy"
-[[exemptions.owning_ref]]
-version = "0.4.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.packed_simd]]
-version = "0.3.8"
-criteria = "safe-to-deploy"
-
[[exemptions.phf]]
version = "0.10.1"
criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 73065c6c4f..627efa0f44 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -65,8 +65,8 @@ user-login = "fitzgen"
user-name = "Nick Fitzgerald"
[[publisher.byteorder]]
-version = "1.4.3"
-when = "2021-03-10"
+version = "1.5.0"
+when = "2023-10-06"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"
@@ -128,11 +128,11 @@ user-login = "jrmuizel"
user-name = "Jeff Muizelaar"
[[publisher.core-foundation-sys]]
-version = "0.8.3"
-when = "2021-10-12"
-user-id = 2396
-user-login = "jdm"
-user-name = "Josh Matthews"
+version = "0.8.4"
+when = "2023-04-03"
+user-id = 5946
+user-login = "jrmuizel"
+user-name = "Jeff Muizelaar"
[[publisher.core-graphics]]
version = "0.22.3"
@@ -177,8 +177,8 @@ user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.encoding_rs]]
-version = "0.8.33"
-when = "2023-08-23"
+version = "0.8.34"
+when = "2024-04-10"
user-id = 4484
user-login = "hsivonen"
user-name = "Henri Sivonen"
@@ -226,15 +226,15 @@ user-login = "jrmuizel"
user-name = "Jeff Muizelaar"
[[publisher.glean]]
-version = "59.0.0"
-when = "2024-03-28"
+version = "60.0.1"
+when = "2024-05-31"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
[[publisher.glean-core]]
-version = "59.0.0"
-when = "2024-03-28"
+version = "60.0.1"
+when = "2024-05-31"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
@@ -253,6 +253,13 @@ user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"
+[[publisher.hashbrown]]
+version = "0.14.5"
+when = "2024-04-28"
+user-id = 2915
+user-login = "Amanieu"
+user-name = "Amanieu d'Antras"
+
[[publisher.headers]]
version = "0.3.9"
when = "2023-08-31"
@@ -268,8 +275,8 @@ user-login = "seanmonstar"
user-name = "Sean McArthur"
[[publisher.indexmap]]
-version = "1.9.3"
-when = "2023-03-24"
+version = "2.2.6"
+when = "2024-03-23"
user-id = 539
user-login = "cuviper"
user-name = "Josh Stone"
@@ -303,8 +310,8 @@ user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.libc]]
-version = "0.2.152"
-when = "2024-01-07"
+version = "0.2.153"
+when = "2024-01-31"
user-id = 51017
user-login = "JohnTitor"
user-name = "Yuki Okushi"
@@ -337,6 +344,13 @@ user-id = 359
user-login = "seanmonstar"
user-name = "Sean McArthur"
+[[publisher.minidump-common]]
+version = "0.21.1"
+when = "2024-03-01"
+user-id = 72814
+user-login = "gabrielesvelto"
+user-name = "Gabriele Svelto"
+
[[publisher.mio]]
version = "0.6.21"
when = "2019-11-27"
@@ -400,8 +414,8 @@ user-id = 52553
user-login = "embark-studios"
[[publisher.prio]]
-version = "0.15.3"
-when = "2023-10-03"
+version = "0.16.2"
+when = "2024-03-19"
user-id = 213776
user-login = "divviup-github-automation"
@@ -483,8 +497,8 @@ user-login = "Amanieu"
user-name = "Amanieu d'Antras"
[[publisher.serde]]
-version = "1.0.197"
-when = "2024-02-20"
+version = "1.0.198"
+when = "2024-04-16"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
@@ -497,15 +511,15 @@ user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.serde_derive]]
-version = "1.0.197"
-when = "2024-02-20"
+version = "1.0.198"
+when = "2024-04-16"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.serde_json]]
-version = "1.0.93"
-when = "2023-02-08"
+version = "1.0.116"
+when = "2024-04-16"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
@@ -546,15 +560,15 @@ user-login = "BurntSushi"
user-name = "Andrew Gallant"
[[publisher.thiserror]]
-version = "1.0.57"
-when = "2024-02-11"
+version = "1.0.59"
+when = "2024-04-20"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.thiserror-impl]]
-version = "1.0.57"
-when = "2024-02-11"
+version = "1.0.59"
+when = "2024-04-20"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
@@ -693,20 +707,20 @@ user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-encoder]]
-version = "0.201.0"
-when = "2024-02-27"
+version = "0.205.0"
+when = "2024-04-18"
user-id = 73222
user-login = "wasmtime-publish"
[[publisher.wasm-smith]]
-version = "0.201.0"
-when = "2024-02-27"
+version = "0.205.0"
+when = "2024-04-18"
user-id = 73222
user-login = "wasmtime-publish"
[[publisher.wast]]
-version = "201.0.0"
-when = "2024-02-27"
+version = "205.0.0"
+when = "2024-04-18"
user-id = 73222
user-login = "wasmtime-publish"
@@ -780,6 +794,20 @@ criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
+[[audits.bytecode-alliance.audits.ahash]]
+who = "Chris Fallin <chris@cfallin.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.6 -> 0.8.2"
+
+[[audits.bytecode-alliance.audits.ahash]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "0.8.2 -> 0.8.7"
+notes = """
+Shuffling of features in this update and while there are updates to `unsafe`
+code it's no different than before and the usage remains the same.
+"""
+
[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
@@ -804,25 +832,6 @@ criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
-[[audits.bytecode-alliance.audits.bitflags]]
-who = "Jamey Sharp <jsharp@fastly.com>"
-criteria = "safe-to-deploy"
-delta = "2.1.0 -> 2.2.1"
-notes = """
-This version adds unsafe impls of traits from the bytemuck crate when built
-with that library enabled, but I believe the impls satisfy the documented
-safety requirements for bytemuck. The other changes are minor.
-"""
-
-[[audits.bytecode-alliance.audits.bitflags]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-delta = "2.3.2 -> 2.3.3"
-notes = """
-Nothing outside the realm of what one would expect from a bitflags generator,
-all as expected.
-"""
-
[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
@@ -846,6 +855,15 @@ criteria = "safe-to-deploy"
version = "0.11.1"
notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O."
+[[audits.bytecode-alliance.audits.core-foundation-sys]]
+who = "Dan Gohman <dev@sunfishcode.online>"
+criteria = "safe-to-deploy"
+delta = "0.8.4 -> 0.8.6"
+notes = """
+The changes here are all typical bindings updates: new functions, types, and
+constants. I have not audited all the bindings for ABI conformance.
+"""
+
[[audits.bytecode-alliance.audits.cpufeatures]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
@@ -1123,6 +1141,35 @@ version = "0.37.0+1.3.209"
notes = "Reviewed on https://fxrev.dev/694269"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
+[[audits.google.audits.bitflags]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "2.4.2"
+notes = """
+Audit notes:
+
+* I've checked for any discussion in Google-internal cl/546819168 (where audit
+ of version 2.3.3 happened)
+* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]`
+* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be
+ correct in a straightforward way - they just propagate the marker trait's
+ impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type
+* Additional discussion and/or notes may be found in https://crrev.com/c/5238056
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.bitflags]]
+who = "Adrian Taylor <adetaylor@chromium.org>"
+criteria = "safe-to-deploy"
+delta = "2.4.2 -> 2.5.0"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.equivalent]]
+who = "George Burgess IV <gbiv@google.com>"
+criteria = "safe-to-deploy"
+version = "1.0.1"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
[[audits.google.audits.fastrand]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
@@ -1343,6 +1390,16 @@ criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.10"
notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`."
+[[audits.isrg.audits.getrandom]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.11 -> 0.2.12"
+
+[[audits.isrg.audits.getrandom]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.12 -> 0.2.14"
+
[[audits.isrg.audits.keccak]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
@@ -1514,13 +1571,6 @@ version = "0.1.2"
notes = "TOML parser, forked from toml 0.5"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
-[[audits.mozilla.audits.bitflags]]
-who = "Jan-Erik Rediger <jrediger@mozilla.com>"
-criteria = "safe-to-deploy"
-delta = "2.4.0 -> 2.4.1"
-notes = "Only allowing new clippy lints"
-aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
-
[[audits.mozilla.audits.either]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
@@ -1531,13 +1581,6 @@ no unsafe code.
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
-[[audits.mozilla.audits.goblin]]
-who = "Jan-Erik Rediger <jrediger@mozilla.com>"
-criteria = "safe-to-deploy"
-delta = "0.7.1 -> 0.8.0"
-notes = "MSRV bump, no unsafe changes"
-aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
-
[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"