Diffstat (limited to 'supply-chain')
-rw-r--r--supply-chain/audits.toml54
-rw-r--r--supply-chain/config.toml8
-rw-r--r--supply-chain/imports.lock316
3 files changed, 268 insertions, 110 deletions
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 31ca3fcf0f..b21bde4f10 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -1329,7 +1329,7 @@ who = [
"Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.7.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
+delta = "0.7.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
importable = false
[[audits.darling]]
@@ -1533,6 +1533,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"
+[[audits.embed-manifest]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "Necessary dependencies, all environment variable access is for build script vars set by cargo."
+
[[audits.encoding_c]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
@@ -2387,6 +2393,12 @@ version = "0.5.4"
notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."
[[audits.linked-hash-map]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.5.4 -> 0.5.6"
+notes = "New unsafe code has debug assertions and meets invariants. All other changes are formatting-related."
+
+[[audits.linked-hash-map]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.5.4 -> 0.5.6"
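Review bot: The `notes` on the added `safe-to-deploy` audit for `0.5.4 -> 0.5.6` lean on debug assertions, which are compiled out of release builds, so a deploy-level justification should rest on the invariants themselves. Suggested wording, if it matches what was reviewed: `notes = "New unsafe code upholds its invariants at every call site; the added debug assertions only check them in debug builds. All other changes are formatting-related."` The older `safe-to-run` entry for the same delta remains directly below, and its remaining fields lie outside the hunk.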
@@ -2671,7 +2683,7 @@ who = [
"Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.14.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
+delta = "0.14.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
importable = false
[[audits.net2]]
@@ -3738,6 +3750,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.15.2 -> 0.16.0"
+[[audits.textwrap]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.16.0 -> 0.16.1"
+
[[audits.thin-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
@@ -4485,7 +4502,7 @@ who = [
"Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
+delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
importable = false
[[audits.wgpu-hal]]
@@ -4539,7 +4556,7 @@ who = [
"Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
+delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
importable = false
[[audits.wgpu-types]]
@@ -4593,7 +4610,7 @@ who = [
"Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
+delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4"
importable = false
[[audits.whatsys]]
@@ -4709,6 +4726,15 @@ criteria = "safe-to-deploy"
version = "0.10.1"
[[audits.zip]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.6.4"
+notes = """
+No unsafe code nor unwarranted dependencies. Side-effectful std usage is only
+present where expected (zip archive reading/writing and unpacking)
+"""
+
+[[audits.zip]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.6.2 -> 0.6.3"
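Review bot: The added `safe-to-deploy` audit for zip `0.6.4` does not say which source tree was read, while the `[policy.zip]` hunk in supply-chain/config.toml marks the crate as locally patched with `audit-as-crates-io = true`. Under that policy the in-tree copy is vetted using crates.io audits, so a reader cannot tell from these notes whether the local omnijar patch was part of the review. Suggest adding a sentence to `notes` such as `Review covers the in-tree copy, including the local omnijar patch.`, or, if only the published release was read, saying so and pointing to where the patch itself was reviewed.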
@@ -5108,6 +5134,24 @@ user-id = 1 # Alex Crichton (alexcrichton)
start = "2020-06-03"
end = "2024-05-05"
+[[trusted.wasm-encoder]]
+criteria = "safe-to-deploy"
+user-id = 73222 # wasmtime-publish
+start = "2024-02-15"
+end = "2025-03-11"
+
+[[trusted.wasm-smith]]
+criteria = "safe-to-deploy"
+user-id = 73222 # wasmtime-publish
+start = "2024-02-15"
+end = "2025-03-11"
+
+[[trusted.wast]]
+criteria = "safe-to-deploy"
+user-id = 73222 # wasmtime-publish
+start = "2024-02-15"
+end = "2025-03-11"
+
[[trusted.winapi-util]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
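Review bot: The three added `trusted` entries for wasm-encoder, wasm-smith and wast carry no `notes`, whereas the imported wildcard audits removed from imports.lock in this commit explained why their publisher was trusted. The inline comment names user-id 73222 as `wasmtime-publish`, which by its name looks like a shared release account rather than an individual, so these entries extend `safe-to-deploy` to everything that account publishes for the three crates until 2025-03-11. Consider recording the rationale on each entry, for example `notes = "Bytecode Alliance publishing account for crates from the wasm-tools repository."`, after confirming that description is accurate.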
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 2692f61bc2..20b62a8210 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -233,6 +233,10 @@ notes = "Local override of the crates.io crate that uses a non-vendored local co
[policy.wr_malloc_size_of]
audit-as-crates-io = false
+[policy.zip]
+audit-as-crates-io = true
+notes = "Locally patched version of the zip crate to allow for reading omnijars."
+
[[exemptions.ahash]]
version = "0.7.6"
criteria = "safe-to-deploy"
@@ -805,7 +809,3 @@ criteria = "safe-to-deploy"
[[exemptions.xml-rs]]
version = "0.8.4"
criteria = "safe-to-deploy"
-
-[[exemptions.zip]]
-version = "0.6.2"
-criteria = "safe-to-run"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 5913bc8915..73065c6c4f 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -37,8 +37,8 @@ user-login = "Amanieu"
user-name = "Amanieu d'Antras"
[[publisher.audio_thread_priority]]
-version = "0.31.0"
-when = "2024-01-17"
+version = "0.32.0"
+when = "2024-03-14"
user-id = 1258
user-login = "padenot"
user-name = "Paul Adenot"
@@ -57,6 +57,13 @@ user-id = 128763
user-login = "martinthomson"
user-name = "Martin Thomson"
+[[publisher.bumpalo]]
+version = "3.15.4"
+when = "2024-03-07"
+user-id = 696
+user-login = "fitzgen"
+user-name = "Nick Fitzgerald"
+
[[publisher.byteorder]]
version = "1.4.3"
when = "2021-03-10"
@@ -219,15 +226,15 @@ user-login = "jrmuizel"
user-name = "Jeff Muizelaar"
[[publisher.glean]]
-version = "58.1.0"
-when = "2024-03-12"
+version = "59.0.0"
+when = "2024-03-28"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
[[publisher.glean-core]]
-version = "58.1.0"
-when = "2024-03-12"
+version = "59.0.0"
+when = "2024-03-28"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
@@ -595,58 +602,67 @@ user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.uniffi]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_bindgen]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_build]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_checksum_derive]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_core]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_macros]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_meta]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_testing]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.uniffi_udl]]
-version = "0.25.3"
-when = "2023-12-07"
-user-id = 127697
-user-login = "bendk"
+version = "0.27.1"
+when = "2024-04-03"
+user-id = 111105
+user-login = "mhammond"
+user-name = "Mark Hammond"
[[publisher.utf8_iter]]
version = "1.0.3"
@@ -677,25 +693,28 @@ user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-encoder]]
-version = "0.40.0"
-when = "2024-01-24"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
+version = "0.201.0"
+when = "2024-02-27"
+user-id = 73222
+user-login = "wasmtime-publish"
[[publisher.wasm-smith]]
-version = "0.15.0"
-when = "2024-01-24"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
+version = "0.201.0"
+when = "2024-02-27"
+user-id = 73222
+user-login = "wasmtime-publish"
[[publisher.wast]]
-version = "70.0.1"
+version = "201.0.0"
+when = "2024-02-27"
+user-id = 73222
+user-login = "wasmtime-publish"
+
+[[publisher.weedle2]]
+version = "5.0.0"
when = "2024-01-24"
-user-id = 1
-user-login = "alexcrichton"
-user-name = "Alex Crichton"
+user-id = 127697
+user-login = "bendk"
[[publisher.winapi-util]]
version = "0.1.5"
@@ -740,6 +759,13 @@ start = "2020-01-14"
end = "2024-04-21"
notes = "I am an author of this crate."
+[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
+who = "Nick Fitzgerald <fitzgen@gmail.com>"
+criteria = "safe-to-deploy"
+user-id = 696 # Nick Fitzgerald (fitzgen)
+start = "2019-03-16"
+end = "2024-03-10"
+
[[audits.bytecode-alliance.wildcard-audits.derive_arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
@@ -748,45 +774,6 @@ start = "2020-01-14"
end = "2024-04-27"
notes = "I am an author of this crate"
-[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2020-12-11"
-end = "2024-04-14"
-notes = """
-This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
-repository of which I'm one of the primary maintainers and publishers for.
-I am employed by a member of the Bytecode Alliance and plan to continue doing
-so and will actively maintain this crate over time.
-"""
-
-[[audits.bytecode-alliance.wildcard-audits.wasm-smith]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2020-09-03"
-end = "2024-04-14"
-notes = """
-This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
-repository of which I'm one of the primary maintainers and publishers for.
-I am employed by a member of the Bytecode Alliance and plan to continue doing
-so and will actively maintain this crate over time.
-"""
-
-[[audits.bytecode-alliance.wildcard-audits.wast]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-user-id = 1 # Alex Crichton (alexcrichton)
-start = "2019-10-16"
-end = "2024-04-14"
-notes = """
-This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
-repository of which I'm one of the primary maintainers and publishers for.
-I am employed by a member of the Bytecode Alliance and plan to continue doing
-so and will actively maintain this crate over time.
-"""
-
[[audits.bytecode-alliance.audits.adler]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
@@ -841,12 +828,6 @@ who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"
-[[audits.bytecode-alliance.audits.bumpalo]]
-who = "Nick Fitzgerald <fitzgen@gmail.com>"
-criteria = "safe-to-deploy"
-version = "3.11.1"
-notes = "I am the author of this crate."
-
[[audits.bytecode-alliance.audits.cargo-platform]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
@@ -1303,6 +1284,20 @@ criteria = "safe-to-run"
version = "0.2.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+[[audits.google.audits.unicode-linebreak]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "0.1.5"
+notes = """
+Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
+and there were no hits.
+
+Version `0.1.2` of this crate has been added to Chromium in
+https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
+The CL description contains a link to a Google-internal document with audit details.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
[[audits.google.audits.version_check]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
@@ -1408,6 +1403,87 @@ who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "0.10.7 -> 0.10.8"
+[[audits.mozilla.wildcard-audits.uniffi]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2021-11-22"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_bindgen]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2021-11-22"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_build]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2021-11-22"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_checksum_derive]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2023-11-20"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_core]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2023-11-20"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_macros]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2021-11-22"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_meta]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2023-11-20"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_testing]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2023-11-20"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.uniffi_udl]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 111105 # Mark Hammond (mhammond)
+start = "2023-11-20"
+end = "2024-11-28"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.weedle2]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+user-id = 127697 # bendk
+start = "2022-06-16"
+end = "2025-03-05"
+notes = "Maintained by Mozilla"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
[[audits.mozilla.wildcard-audits.zeitstempel]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
@@ -1455,6 +1531,13 @@ no unsafe code.
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
+[[audits.mozilla.audits.goblin]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.7.1 -> 0.8.0"
+notes = "MSRV bump, no unsafe changes"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
@@ -1476,9 +1559,40 @@ delta = "0.4.18 -> 0.4.20"
notes = "Only cfg attribute and internal macro changes and module refactorings"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+[[audits.mozilla.audits.oneshot-uniffi]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.1.5 -> 0.1.6"
+notes = "Synced with the orginal crate, no new unsafe"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
[[audits.mozilla.audits.rkv]]
who = "Kagami Sascha Rosylight <krosylight@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.18.4 -> 0.19.0"
notes = "Maintained by Mozilla, no addition of unsafe blocks"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.scroll]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.0 -> 0.12.0"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.scroll_derive]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.11.1 -> 0.12.0"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.smawk]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.3.2"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.textwrap]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.15.0"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"