author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 05:35:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 05:35:29 +0000 |
commit | 59203c63bb777a3bacec32fb8830fba33540e809 (patch) | |
tree | 58298e711c0ff0575818c30485b44a2f21bf28a0 /supply-chain | |
parent | Adding upstream version 126.0.1. (diff) | |
download | firefox-59203c63bb777a3bacec32fb8830fba33540e809.tar.xz firefox-59203c63bb777a3bacec32fb8830fba33540e809.zip |
Adding upstream version 127.0.upstream/127.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'supply-chain')
-rw-r--r-- | supply-chain/audits.toml | 220 | ||||
-rw-r--r-- | supply-chain/config.toml | 42 | ||||
-rw-r--r-- | supply-chain/imports.lock | 179 |
3 files changed, 339 insertions, 102 deletions
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index b21bde4f10..02f5c85bb5 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -275,6 +275,14 @@ start = "2020-11-03" end = "2024-03-31" notes = "Maintained by the DevTools team at Mozilla and has no unsafe code." +[[wildcard-audits.minidump-common]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 72814 # Gabriele Svelto (gabrielesvelto) +start = "2022-11-30" +end = "2025-02-28" +notes = "This crate is written and maintained by mozilla employees." + [[wildcard-audits.mozdevice]] who = "Henrik Skupin <mail@hskupin.info>" criteria = "safe-to-run" @@ -534,6 +542,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.7.6 -> 0.7.8" +[[audits.ahash]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.8.7 -> 0.8.11" + [[audits.aho-corasick]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -588,6 +601,19 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.1.4 -> 0.1.5" +[[audits.any_all_workaround]] +who = "Henri Sivonen <hsivonen@hsivonen.fi>" +criteria = "safe-to-deploy" +version = "0.1.0" +notes = "The little code that is in this crate I reviewed and modified from packed_simd (which has previously been vendored in full instead of just this small part)." + +[[audits.any_all_workaround]] +who = "Henri Sivonen <hsivonen@hsivonen.fi>" +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.0@git:7fb1b7034c9f172aade21ee1c8554e8d8a48af80" +importable = false +notes = "This is a trivial workaround copied from elsewhere in m-c, specifically qcms." + [[audits.anyhow]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" 
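Review bot: The new `[[wildcard-audits.minidump-common]]` entry is justified only by who maintains the crate, but what it certifies is every release that crates.io user 72814 publishes between `start` and `end`, including releases that do not exist yet. The `notes` would serve a later auditor better if they said so, for example `notes = "Trusts all releases published by gabrielesvelto; the crate is written and maintained by Mozilla employees."`. The `who` field names a different person from the trusted publisher, so it is also worth a word on how the certifier knows that account's releases match the reviewed repository.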
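Review bot: `[[audits.ahash]]` certifies `0.8.7 -> 0.8.11` as safe-to-deploy with no `notes`, although the bytecode-alliance audit imported for the preceding range (in imports.lock, later in this commit) records updates to `unsafe` code in this crate. A single line such as `notes = "<what changed; whether unsafe code was touched>"` would make the entry checkable by someone who did not do the review. The same applies to the note-less deltas added further down for `libloading` (`0.7.4 -> 0.8.3`) and `gpu-descriptor` (`0.2.3 -> 0.3.0`).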
@@ -742,6 +768,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.1.2 -> 0.1.3" +[[audits.audio-mixer]] +who = "Paul Adenot <paul@paul.cx>" +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.2.0" +notes = "(I wrote all of this code)" + [[audits.authenticator]] who = "John M. Schanck <jschanck@mozilla.com>" criteria = "safe-to-deploy" @@ -962,6 +994,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-run" delta = "0.16.0 -> 0.16.2" +[[audits.core-foundation]] +who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.9.3 -> 0.9.4" +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." + [[audits.core-graphics]] who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" criteria = "safe-to-deploy" @@ -972,6 +1010,12 @@ who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" criteria = "safe-to-deploy" delta = "0.1.1 -> 0.1.2" +[[audits.core-graphics-types]] +who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.1.2 -> 0.1.3" +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." + [[audits.core-text]] who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" criteria = "safe-to-deploy" @@ -1147,6 +1191,12 @@ criteria = "safe-to-deploy" delta = "0.33.0 -> 0.33.0@git:aaa966d9d6ae70c4b8a62bb5e3a14c068bb7dff0" notes = "Only one minimal change exposing a previously-private enumeration." +[[audits.cssparser]] +who = "Emilio Cobos Álvarez <emilio@crisal.io>" +criteria = "safe-to-deploy" +delta = "0.33.0 -> 0.34.0" +notes = "I'm the publisher of the crate, and either myself or other Mozilla folks have been authors or reviewers of all the changes." + [[audits.cssparser-color]] who = "Emilio Cobos Álvarez <emilio@crisal.io>" criteria = "safe-to-deploy" 
@@ -1325,11 +1375,21 @@ who = [ "Erich Gubler <egubler@mozilla.com>", "Jim Blandy <jimb@red-bean.com>", "Nicolas Silva <nical@fastmail.com>", - "Teodor Tanasoaia <ttanasoaia@mozilla.com>", "Erich Gubler <erichdongubler@gmail.com>", + "Teodor Tanasoaia <ttanasoaia@mozilla.com>", ] criteria = "safe-to-deploy" -delta = "0.7.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" +delta = "0.7.0 -> 0.19.0" + +[[audits.d3d12]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.19.0 -> 0.20.0" + +[[audits.d3d12]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231" importable = false [[audits.darling]] @@ -1638,6 +1698,12 @@ criteria = "safe-to-deploy" delta = "0.4.5 -> 0.4.6" notes = "The changes in this version are mine." +[[audits.fallible_collections]] +who = "Mike Hommey <mh+mozilla@glandium.org>" +criteria = "safe-to-deploy" +delta = "0.4.6 -> 0.4.9" +notes = "Mostly soundness fixes." + [[audits.fastrand]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -2029,6 +2095,12 @@ who = "Gabriele Svelto <gsvelto@mozilla.com>" criteria = "safe-to-deploy" delta = "0.6.0 -> 0.7.1" +[[audits.goblin]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "Fairly straightforward feature improvements." + [[audits.gpu-alloc]] who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" criteria = "safe-to-deploy" 
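Review bot: The existing multi-reviewer d3d12 entry has its target rewritten in place from `0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4` to the published `0.19.0`. Because the trailing `importable = false` context line now closes the new `0.20.0 -> 0.20.0@git:…` entry, the rewritten entry also becomes importable by peers. Nothing in the hunk shows that the crates.io 0.19.0 release is the same code as the revision those reviewers certified. If it is, record that on the entry, e.g. `notes = "Published 0.19.0 matches the previously audited git revision."`; if not, keep the original git delta and add a separate delta to the release. The entry's header lies above the hunk, so only its tail is visible here.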
@@ -2049,6 +2121,28 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.2.2 -> 0.2.3" +[[audits.gpu-descriptor]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.2.3 -> 0.3.0" + +[[audits.gpu-descriptor]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.0@git:7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d" +importable = false + +[[audits.gpu-descriptor-types]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.0" + +[[audits.gpu-descriptor-types]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.0@git:7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d" +importable = false + [[audits.guid_win]] who = "Bobby Holley <bobbyholley@gmail.com>" criteria = "safe-to-deploy" @@ -2091,6 +2185,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.7.0 -> 0.8.1" +[[audits.hashlink]] +who = "Mike Hommey <mh+mozilla@glandium.org>" +criteria = "safe-to-deploy" +delta = "0.8.1 -> 0.8.2" +notes = "Only dependency changes." + [[audits.headers]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-run" @@ -2370,6 +2470,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.7.3 -> 0.7.4" +[[audits.libloading]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.7.4 -> 0.8.3" + [[audits.libm]] who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>" criteria = "safe-to-deploy" 
@@ -2539,6 +2644,17 @@ who = "Nicolas Silva <nical@fastmail.com>, Jim Blandy <jimb@red-bean.com>" criteria = "safe-to-deploy" delta = "0.26.0 -> 0.27.0" +[[audits.metal]] +who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.27.0 -> 0.27.0@git:ff8fd3d6dc7792852f8a015458d7e6d42d7fb352" + +[[audits.metal]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.27.0 -> 0.28.0" +notes = "No significantly changed functionality. Some warnings resolved, bumped `core-graphics-types`, newer versions of Metal supported." + [[audits.midir]] who = "Bobby Holley <bobbyholley@gmail.com>" criteria = "safe-to-deploy" @@ -2606,6 +2722,12 @@ criteria = "safe-to-deploy" delta = "0.8.1 -> 0.8.3" notes = "All changes were authored or reviewed by Mozilla employees" +[[audits.minidump-writer]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.8.3 -> 0.8.9" +notes = "Mainly dependency updates and a few small features (in support of mozilla bugs)." + [[audits.miniz_oxide]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -2676,14 +2798,24 @@ criteria = "safe-to-deploy" delta = "0.13.0 -> 0.14.0" [[audits.naga]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.14.0 -> 0.19.2" + +[[audits.naga]] who = [ "Jim Blandy <jimb@red-bean.com>", "Nicolas Silva <nical@fastmail.com>", - "Teodor Tanasoaia <ttanasoaia@mozilla.com>", "Erich Gubler <erichdongubler@gmail.com>", + "Teodor Tanasoaia <ttanasoaia@mozilla.com>", ] criteria = "safe-to-deploy" -delta = "0.14.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" +delta = "0.19.2 -> 0.20.0" + +[[audits.naga]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231" importable = false [[audits.net2]] 
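Review bot: The added `[[audits.metal]]` delta `0.27.0 -> 0.27.0@git:ff8fd3d6dc7792852f8a015458d7e6d42d7fb352` is the only git-revision audit added in this commit without `importable = false`; the any_all_workaround, d3d12, gpu-descriptor, naga and wgpu entries all set it. If the omission is not deliberate, add `importable = false` after the `delta` line so that an audit of an unpublished revision is not offered to peers importing this file. The entry also has no `notes` saying what the pinned revision changes relative to 0.27.0.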
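Review bot: The four-person `who` list that previously certified naga `0.14.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4` is now attached to `0.19.2 -> 0.20.0`, while the much larger `0.14.0 -> 0.19.2` range is certified by a single reviewer with no `notes`. Editing an existing entry's `delta` changes what those reviewers are recorded as having certified, so it should be confirmed that all four actually covered the new range. The same rewrite is applied to wgpu-core, wgpu-hal and wgpu-types in the hunks that follow. If the attribution is correct, a line on each rewritten entry such as `notes = "Re-based from the earlier git-revision audit; same reviewers."` would keep the record traceable.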
@@ -2718,6 +2850,15 @@ who = "Gabriele Svelto <gsvelto@mozilla.com>" criteria = "safe-to-deploy" delta = "0.26.2 -> 0.27.1" +[[audits.nix]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.27.1 -> 0.28.0" +notes = """ +Many new features and bugfixes. Obviously there's a lot of unsafe code calling +libc, but the usage looks correct. +""" + [[audits.nom]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -3156,6 +3297,11 @@ who = "Kershaw Chang <kershaw@mozilla.com>" criteria = "safe-to-deploy" delta = "0.11.0 -> 0.12.0" +[[audits.qlog]] +who = "Kershaw Chang <kershaw@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.12.0 -> 0.13.0" + [[audits.quote]] who = "Nika Layzell <nika@thelayzells.com>" criteria = "safe-to-deploy" @@ -3605,6 +3751,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.9.2 -> 0.9.3" +[[audits.sfv]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.9.3 -> 0.9.4" +notes = "Only an update of `indexmap` 1 → 2." + [[audits.sha1]] who = "Dana Keeler <dkeeler@mozilla.com>" criteria = "safe-to-deploy" @@ -4495,14 +4647,24 @@ criteria = "safe-to-deploy" delta = "0.17.0 -> 0.18.0" [[audits.wgpu-core]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.18.0 -> 0.19.3" + +[[audits.wgpu-core]] who = [ "Jim Blandy <jimb@red-bean.com>", "Nicolas Silva <nical@fastmail.com>", - "Teodor Tanasoaia <ttanasoaia@mozilla.com>", "Erich Gubler <erichdongubler@gmail.com>", + "Teodor Tanasoaia <ttanasoaia@mozilla.com>", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" +delta = "0.19.3 -> 0.20.0" + +[[audits.wgpu-core]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231" importable = false [[audits.wgpu-hal]] 
@@ -4549,14 +4711,24 @@ criteria = "safe-to-deploy" delta = "0.17.0 -> 0.18.0" [[audits.wgpu-hal]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.18.0 -> 0.19.3" + +[[audits.wgpu-hal]] who = [ "Jim Blandy <jimb@red-bean.com>", "Nicolas Silva <nical@fastmail.com>", - "Teodor Tanasoaia <ttanasoaia@mozilla.com>", "Erich Gubler <erichdongubler@gmail.com>", + "Teodor Tanasoaia <ttanasoaia@mozilla.com>", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" +delta = "0.19.3 -> 0.20.0" + +[[audits.wgpu-hal]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231" importable = false [[audits.wgpu-types]] @@ -4603,14 +4775,24 @@ criteria = "safe-to-deploy" delta = "0.17.0 -> 0.18.0" [[audits.wgpu-types]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.18.0 -> 0.19.2" + +[[audits.wgpu-types]] who = [ "Jim Blandy <jimb@red-bean.com>", "Nicolas Silva <nical@fastmail.com>", - "Teodor Tanasoaia <ttanasoaia@mozilla.com>", "Erich Gubler <erichdongubler@gmail.com>", + "Teodor Tanasoaia <ttanasoaia@mozilla.com>", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" +delta = "0.19.2 -> 0.20.0" + +[[audits.wgpu-types]] +who = "Erich Gubler <erichdongubler@gmail.com>" +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.20.0@git:d5d683d3c491ec8cd2f5cdb43ac61e526cb7c231" importable = false [[audits.whatsys]] 
@@ -4686,6 +4868,24 @@ who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>" criteria = "safe-to-deploy" version = "0.7.3" +[[audits.zerocopy]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +version = "0.7.32" +notes = """ +This crate is `no_std` so doesn't use any side-effectful std functions. It +contains quite a lot of `unsafe` code, however. I verified portions of this. It +also has a large, thorough test suite. The project claims to run tests with +Miri to have stronger soundness checks, and also claims to use formal +verification tools to prove correctness. +""" + +[[audits.zerocopy-derive]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +version = "0.7.32" +notes = "Clean, safe macros for zerocopy." + [[audits.zerofrom]] who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>" criteria = "safe-to-deploy" diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 20b62a8210..ceba9cf6d9 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -19,10 +19,18 @@ url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/au [imports.mozilla] url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" +[policy.any_all_workaround] +audit-as-crates-io = true +notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209." + [policy.autocfg] audit-as-crates-io = true notes = "This is the upstream code plus a few local fixes, see bug 1685697." +[policy."bindgen:0.69.4"] +audit-as-crates-io = true +notes = "This is the upstream code plus a fix for clang trunk. See bug 1894093." + [policy.chardetng] audit-as-crates-io = true notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that." 
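Review bot: The `[[audits.zerocopy]]` notes say the crate contains "quite a lot of `unsafe` code" and that only "portions" were verified, with the remainder resting on the project's own claims about Miri and formal verification, yet the entry certifies the full `version = "0.7.32"` as safe-to-deploy. That criterion is normally read as requiring the auditor to reason about all unsafe blocks, so the notes should state which parts were read and why the rest is accepted. A closing line in the notes along the lines of `Unsafe code reviewed: <modules>; accepted on upstream testing: <modules>.` would make the scope of the certification explicit.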
@@ -39,14 +47,6 @@ notes = "This is a pinned version of the upstream code, presumably to get a fix audit-as-crates-io = true notes = "This is upstream plus a warning fix from bug 1823866." -[policy.cssparser] -audit-as-crates-io = true -notes = "Upstream release plus a couple unpublished changes" - -[policy.cssparser-macros] -audit-as-crates-io = true -notes = "Upstream release plus a couple unpublished changes" - [policy.d3d12] audit-as-crates-io = true notes = "Part of the wgpu repository, pinned as the rest of wgpu crates." @@ -72,6 +72,12 @@ notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack criteria = "safe-to-run" notes = "Used for fuzzing." +[policy.gpu-descriptor] +audit-as-crates-io = true + +[policy.gpu-descriptor-types] +audit-as-crates-io = true + [policy.http3server] criteria = "safe-to-run" notes = "Used for testing." @@ -157,6 +163,10 @@ audit-as-crates-io = false [policy.peek-poke-derive] audit-as-crates-io = false +[policy.plist] +audit-as-crates-io = true +notes = "This is the upstream code plus one local fix, see bug 1874167." + [policy.pulse] audit-as-crates-io = false notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name." @@ -269,10 +279,6 @@ criteria = "safe-to-deploy" version = "1.3.3" criteria = "safe-to-deploy" -[[exemptions.bitflags]] -version = "1.3.2" -criteria = "safe-to-deploy" - [[exemptions.bitreader]] version = "0.3.6" criteria = "safe-to-deploy" @@ -606,10 +612,6 @@ criteria = "safe-to-deploy" version = "0.2.7" criteria = "safe-to-deploy" -[[exemptions.objc_exception]] -version = "0.1.2" -criteria = "safe-to-deploy" - [[exemptions.object]] version = "0.28.4" criteria = "safe-to-deploy" 
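Review bot: `[policy.gpu-descriptor]` and `[policy.gpu-descriptor-types]` set `audit-as-crates-io = true` without a `notes` line, unlike the other policies added in this commit (any_all_workaround, bindgen, plist), which each say how the in-tree copy differs from upstream and cite a bug. The audits.toml part of this commit pins both crates to `@git:7b71a4e47c81903ad75e2c53deb5ab1310f6ff4d`. A line such as `notes = "Pinned to a git revision of upstream; see the @git delta in audits.toml."` would tell a reader why the policy exists and where the local difference was reviewed.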
@@ -618,14 +620,6 @@ criteria = "safe-to-deploy" version = "1.12.0" criteria = "safe-to-deploy" -[[exemptions.owning_ref]] -version = "0.4.1" -criteria = "safe-to-deploy" - -[[exemptions.packed_simd]] -version = "0.3.8" -criteria = "safe-to-deploy" - [[exemptions.phf]] version = "0.10.1" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 73065c6c4f..627efa0f44 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -65,8 +65,8 @@ user-login = "fitzgen" user-name = "Nick Fitzgerald" [[publisher.byteorder]] -version = "1.4.3" -when = "2021-03-10" +version = "1.5.0" +when = "2023-10-06" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" @@ -128,11 +128,11 @@ user-login = "jrmuizel" user-name = "Jeff Muizelaar" [[publisher.core-foundation-sys]] -version = "0.8.3" -when = "2021-10-12" -user-id = 2396 -user-login = "jdm" -user-name = "Josh Matthews" +version = "0.8.4" +when = "2023-04-03" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" [[publisher.core-graphics]] version = "0.22.3" @@ -177,8 +177,8 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.encoding_rs]] -version = "0.8.33" -when = "2023-08-23" +version = "0.8.34" +when = "2024-04-10" user-id = 4484 user-login = "hsivonen" user-name = "Henri Sivonen" @@ -226,15 +226,15 @@ user-login = "jrmuizel" user-name = "Jeff Muizelaar" [[publisher.glean]] -version = "59.0.0" -when = "2024-03-28" +version = "60.0.1" +when = "2024-05-31" user-id = 48 user-login = "badboy" user-name = "Jan-Erik Rediger" [[publisher.glean-core]] -version = "59.0.0" -when = "2024-03-28" +version = "60.0.1" +when = "2024-05-31" user-id = 48 user-login = "badboy" user-name = "Jan-Erik Rediger" 
@@ -253,6 +253,13 @@ user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" +[[publisher.hashbrown]] +version = "0.14.5" +when = "2024-04-28" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + [[publisher.headers]] version = "0.3.9" when = "2023-08-31" @@ -268,8 +275,8 @@ user-login = "seanmonstar" user-name = "Sean McArthur" [[publisher.indexmap]] -version = "1.9.3" -when = "2023-03-24" +version = "2.2.6" +when = "2024-03-23" user-id = 539 user-login = "cuviper" user-name = "Josh Stone" @@ -303,8 +310,8 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.libc]] -version = "0.2.152" -when = "2024-01-07" +version = "0.2.153" +when = "2024-01-31" user-id = 51017 user-login = "JohnTitor" user-name = "Yuki Okushi" @@ -337,6 +344,13 @@ user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" +[[publisher.minidump-common]] +version = "0.21.1" +when = "2024-03-01" +user-id = 72814 +user-login = "gabrielesvelto" +user-name = "Gabriele Svelto" + [[publisher.mio]] version = "0.6.21" when = "2019-11-27" @@ -400,8 +414,8 @@ user-id = 52553 user-login = "embark-studios" [[publisher.prio]] -version = "0.15.3" -when = "2023-10-03" +version = "0.16.2" +when = "2024-03-19" user-id = 213776 user-login = "divviup-github-automation" @@ -483,8 +497,8 @@ user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.serde]] -version = "1.0.197" -when = "2024-02-20" +version = "1.0.198" +when = "2024-04-16" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -497,15 +511,15 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_derive]] -version = "1.0.197" -when = "2024-02-20" +version = "1.0.198" +when = "2024-04-16" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_json]] -version = "1.0.93" -when = "2023-02-08" +version = "1.0.116" +when = "2024-04-16" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" 
@@ -546,15 +560,15 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.thiserror]] -version = "1.0.57" -when = "2024-02-11" +version = "1.0.59" +when = "2024-04-20" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.thiserror-impl]] -version = "1.0.57" -when = "2024-02-11" +version = "1.0.59" +when = "2024-04-20" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -693,20 +707,20 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wasm-encoder]] -version = "0.201.0" -when = "2024-02-27" +version = "0.205.0" +when = "2024-04-18" user-id = 73222 user-login = "wasmtime-publish" [[publisher.wasm-smith]] -version = "0.201.0" -when = "2024-02-27" +version = "0.205.0" +when = "2024-04-18" user-id = 73222 user-login = "wasmtime-publish" [[publisher.wast]] -version = "201.0.0" -when = "2024-02-27" +version = "205.0.0" +when = "2024-04-18" user-id = 73222 user-login = "wasmtime-publish" @@ -780,6 +794,20 @@ criteria = "safe-to-deploy" version = "1.0.2" notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." +[[audits.bytecode-alliance.audits.ahash]] +who = "Chris Fallin <chris@cfallin.org>" +criteria = "safe-to-deploy" +delta = "0.7.6 -> 0.8.2" + +[[audits.bytecode-alliance.audits.ahash]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "0.8.2 -> 0.8.7" +notes = """ +Shuffling of features in this update and while there are updates to `unsafe` +code it's no different than before and the usage remains the same. +""" + [[audits.bytecode-alliance.audits.arrayref]] who = "Nick Fitzgerald <fitzgen@gmail.com>" criteria = "safe-to-deploy" 
@@ -804,25 +832,6 @@ criteria = "safe-to-deploy" version = "0.21.0" notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." -[[audits.bytecode-alliance.audits.bitflags]] -who = "Jamey Sharp <jsharp@fastly.com>" -criteria = "safe-to-deploy" -delta = "2.1.0 -> 2.2.1" -notes = """ -This version adds unsafe impls of traits from the bytemuck crate when built -with that library enabled, but I believe the impls satisfy the documented -safety requirements for bytemuck. The other changes are minor. -""" - -[[audits.bytecode-alliance.audits.bitflags]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -delta = "2.3.2 -> 2.3.3" -notes = """ -Nothing outside the realm of what one would expect from a bitflags generator, -all as expected. -""" - [[audits.bytecode-alliance.audits.block-buffer]] who = "Benjamin Bouvier <public@benj.me>" criteria = "safe-to-deploy" @@ -846,6 +855,15 @@ criteria = "safe-to-deploy" version = "0.11.1" notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O." +[[audits.bytecode-alliance.audits.core-foundation-sys]] +who = "Dan Gohman <dev@sunfishcode.online>" +criteria = "safe-to-deploy" +delta = "0.8.4 -> 0.8.6" +notes = """ +The changes here are all typical bindings updates: new functions, types, and +constants. I have not audited all the bindings for ABI conformance. +""" + [[audits.bytecode-alliance.audits.cpufeatures]] who = "Alex Crichton <alex@alexcrichton.com>" criteria = "safe-to-deploy" 
@@ -1123,6 +1141,35 @@ version = "0.37.0+1.3.209" notes = "Reviewed on https://fxrev.dev/694269" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz <lukasza@chromium.org>" +criteria = "safe-to-deploy" +version = "2.4.2" +notes = """ +Audit notes: + +* I've checked for any discussion in Google-internal cl/546819168 (where audit + of version 2.3.3 happened) +* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` +* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be + correct in a straightforward way - they just propagate the marker trait's + impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type +* Additional discussion and/or notes may be found in https://crrev.com/c/5238056 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Adrian Taylor <adetaylor@chromium.org>" +criteria = "safe-to-deploy" +delta = "2.4.2 -> 2.5.0" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "George Burgess IV <gbiv@google.com>" +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.fastrand]] who = "George Burgess IV <gbiv@google.com>" criteria = "safe-to-deploy" 
@@ -1343,6 +1390,16 @@ criteria = "safe-to-deploy" delta = "0.2.9 -> 0.2.10" notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`." +[[audits.isrg.audits.getrandom]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "0.2.11 -> 0.2.12" + +[[audits.isrg.audits.getrandom]] +who = "David Cook <dcook@divviup.org>" +criteria = "safe-to-deploy" +delta = "0.2.12 -> 0.2.14" + [[audits.isrg.audits.keccak]] who = "David Cook <dcook@divviup.org>" criteria = "safe-to-deploy" @@ -1514,13 +1571,6 @@ version = "0.1.2" notes = "TOML parser, forked from toml 0.5" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" -[[audits.mozilla.audits.bitflags]] -who = "Jan-Erik Rediger <jrediger@mozilla.com>" -criteria = "safe-to-deploy" -delta = "2.4.0 -> 2.4.1" -notes = "Only allowing new clippy lints" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.mozilla.audits.either]] who = "Nika Layzell <nika@thelayzells.com>" criteria = "safe-to-deploy" @@ -1531,13 +1581,6 @@ no unsafe code. """ aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" -[[audits.mozilla.audits.goblin]] -who = "Jan-Erik Rediger <jrediger@mozilla.com>" -criteria = "safe-to-deploy" -delta = "0.7.1 -> 0.8.0" -notes = "MSRV bump, no unsafe changes" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.mozilla.audits.lazy_static]] who = "Nika Layzell <nika@thelayzells.com>" criteria = "safe-to-deploy" |