Diffstat (limited to 'supply-chain')
-rw-r--r-- | supply-chain/audits.toml | 54 | ||||
-rw-r--r-- | supply-chain/config.toml | 8 | ||||
-rw-r--r-- | supply-chain/imports.lock | 316 |
3 files changed, 268 insertions, 110 deletions
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 31ca3fcf0f..b21bde4f10 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1329,7 +1329,7 @@ who = [ "Erich Gubler <erichdongubler@gmail.com>", ] criteria = "safe-to-deploy" -delta = "0.7.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" +delta = "0.7.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" importable = false [[audits.darling]] @@ -1533,6 +1533,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "1.8.0 -> 1.8.1" +[[audits.embed-manifest]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "Necessary dependencies, all environment variable access is for build script vars set by cargo." + [[audits.encoding_c]] who = "Henri Sivonen <hsivonen@hsivonen.fi>" criteria = "safe-to-deploy" @@ -2387,6 +2393,12 @@ version = "0.5.4" notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs." [[audits.linked-hash-map]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.5.4 -> 0.5.6" +notes = "New unsafe code has debug assertions and meets invariants. All other changes are formatting-related." + +[[audits.linked-hash-map]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-run" delta = "0.5.4 -> 0.5.6" @@ -2671,7 +2683,7 @@ who = [ "Erich Gubler <erichdongubler@gmail.com>", ] criteria = "safe-to-deploy" -delta = "0.14.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" +delta = "0.14.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" importable = false [[audits.net2]] 
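Review bot: The `delta` of this existing audit is rewritten in place, from `0.7.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944` to the same range ending at `@git:0c5bebca514eb06d9387f87666c1c658f3f673b4`, while the `who` list stays unchanged and no `notes` are added, so the file no longer shows who reviewed the commits between the two revisions. The same rewrite is made in the hunks at -2671, -4485, -4539 and -4593. If retargeting is the project's convention for this git dependency, a `notes` line on each entry would keep the attestation traceable, for example `notes = "Revision bump reviewed by <reviewer>: <old-rev>..<new-rev>"`. The entry's table header and the start of its `who` array lie above the hunk, so the crate name is not visible here.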
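Review bot: The new `safe-to-deploy` note for `linked-hash-map` 0.5.4 -> 0.5.6 leans on debug assertions, which are normally compiled out of release builds, so the deploy-level claim rests entirely on "meets invariants". Naming the invariants that were checked would make the audit reviewable, e.g. `notes = "New unsafe code upholds <invariants checked>; debug assertions cover them in debug builds only. All other changes are formatting-related."`. The existing `safe-to-run` entry for the same delta directly below is presumably subsumed by this one and could be dropped in a follow-up.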
@@ -3738,6 +3750,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" delta = "0.15.2 -> 0.16.0" +[[audits.textwrap]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.16.0 -> 0.16.1" + [[audits.thin-vec]] who = "Aria Beingessner <a.beingessner@gmail.com>" criteria = "safe-to-deploy" @@ -4485,7 +4502,7 @@ who = [ "Erich Gubler <erichdongubler@gmail.com>", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" +delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" importable = false [[audits.wgpu-hal]] @@ -4539,7 +4556,7 @@ who = [ "Erich Gubler <erichdongubler@gmail.com>", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" +delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" importable = false [[audits.wgpu-types]] @@ -4593,7 +4610,7 @@ who = [ "Erich Gubler <erichdongubler@gmail.com>", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" +delta = "0.18.0 -> 0.19.0@git:0c5bebca514eb06d9387f87666c1c658f3f673b4" importable = false [[audits.whatsys]] @@ -4709,6 +4726,15 @@ criteria = "safe-to-deploy" version = "0.10.1" [[audits.zip]] +who = "Alex Franchuk <afranchuk@mozilla.com>" +criteria = "safe-to-deploy" +version = "0.6.4" +notes = """ +No unsafe code nor unwarranted dependencies. Side-effectful std usage is only +present where expected (zip archive reading/writing and unpacking) +""" + +[[audits.zip]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-run" delta = "0.6.2 -> 0.6.3" 
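Review bot: The new `[[audits.zip]]` entry certifies version 0.6.4 as `safe-to-deploy`, but its notes do not say whether the local omnijar patch was part of the review, while the `[policy.zip]` hunk in supply-chain/config.toml sets `audit-as-crates-io = true` for a locally patched copy. With that policy the in-tree crate is checked against audits written for the crates.io release, so the patch itself is not covered by any entry unless the notes say so. I would add a sentence to `notes` here such as `The in-tree omnijar patch was reviewed separately in <bug or review reference>.` Since the notes mention unpacking, it would also help to record whether entry-path handling during extraction was looked at.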
@@ -5108,6 +5134,24 @@ user-id = 1 # Alex Crichton (alexcrichton) start = "2020-06-03" end = "2024-05-05" +[[trusted.wasm-encoder]] +criteria = "safe-to-deploy" +user-id = 73222 # wasmtime-publish +start = "2024-02-15" +end = "2025-03-11" + +[[trusted.wasm-smith]] +criteria = "safe-to-deploy" +user-id = 73222 # wasmtime-publish +start = "2024-02-15" +end = "2025-03-11" + +[[trusted.wast]] +criteria = "safe-to-deploy" +user-id = 73222 # wasmtime-publish +start = "2024-02-15" +end = "2025-03-11" + [[trusted.winapi-util]] criteria = "safe-to-deploy" user-id = 189 # Andrew Gallant (BurntSushi) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 2692f61bc2..20b62a8210 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -233,6 +233,10 @@ notes = "Local override of the crates.io crate that uses a non-vendored local co [policy.wr_malloc_size_of] audit-as-crates-io = false +[policy.zip] +audit-as-crates-io = true +notes = "Locally patched version of the zip crate to allow for reading omnijars." + [[exemptions.ahash]] version = "0.7.6" criteria = "safe-to-deploy" @@ -805,7 +809,3 @@ criteria = "safe-to-deploy" [[exemptions.xml-rs]] version = "0.8.4" criteria = "safe-to-deploy" - -[[exemptions.zip]] -version = "0.6.2" -criteria = "safe-to-run" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 5913bc8915..73065c6c4f 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -37,8 +37,8 @@ user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.audio_thread_priority]] -version = "0.31.0" -when = "2024-01-17" +version = "0.32.0" +when = "2024-03-14" user-id = 1258 user-login = "padenot" user-name = "Paul Adenot" 
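Review bot: The three new `[[trusted.*]]` entries for `wasm-encoder`, `wasm-smith` and `wast` extend `safe-to-deploy` trust to user-id 73222 (`wasmtime-publish`) with no `notes`. The imports.lock part of this commit lists that publisher with a `user-login` but no `user-name`, which suggests a shared or automated publishing account rather than an individual, so the trust boundary is whoever can publish through it. The imported wildcard audits that this commit removes carried a rationale from a named maintainer; I would add one to each new entry, e.g. `notes = "<who controls wasmtime-publish and why its releases are trusted>"`.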
@@ -57,6 +57,13 @@ user-id = 128763 user-login = "martinthomson" user-name = "Martin Thomson" +[[publisher.bumpalo]] +version = "3.15.4" +when = "2024-03-07" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + [[publisher.byteorder]] version = "1.4.3" when = "2021-03-10" @@ -219,15 +226,15 @@ user-login = "jrmuizel" user-name = "Jeff Muizelaar" [[publisher.glean]] -version = "58.1.0" -when = "2024-03-12" +version = "59.0.0" +when = "2024-03-28" user-id = 48 user-login = "badboy" user-name = "Jan-Erik Rediger" [[publisher.glean-core]] -version = "58.1.0" -when = "2024-03-12" +version = "59.0.0" +when = "2024-03-28" user-id = 48 user-login = "badboy" user-name = "Jan-Erik Rediger" 
@@ -595,58 +602,67 @@ user-login = "Manishearth" user-name = "Manish Goregaokar" [[publisher.uniffi]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_bindgen]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_build]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_checksum_derive]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_core]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_macros]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_meta]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_testing]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" +user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.uniffi_udl]] -version = "0.25.3" -when = "2023-12-07" -user-id = 127697 -user-login = "bendk" +version = "0.27.1" +when = "2024-04-03" 
+user-id = 111105 +user-login = "mhammond" +user-name = "Mark Hammond" [[publisher.utf8_iter]] version = "1.0.3" @@ -677,25 +693,28 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.wasm-encoder]] -version = "0.40.0" -when = "2024-01-24" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" +version = "0.201.0" +when = "2024-02-27" +user-id = 73222 +user-login = "wasmtime-publish" [[publisher.wasm-smith]] -version = "0.15.0" -when = "2024-01-24" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" +version = "0.201.0" +when = "2024-02-27" +user-id = 73222 +user-login = "wasmtime-publish" [[publisher.wast]] -version = "70.0.1" +version = "201.0.0" +when = "2024-02-27" +user-id = 73222 +user-login = "wasmtime-publish" + +[[publisher.weedle2]] +version = "5.0.0" when = "2024-01-24" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" +user-id = 127697 +user-login = "bendk" [[publisher.winapi-util]] version = "0.1.5" @@ -740,6 +759,13 @@ start = "2020-01-14" end = "2024-04-21" notes = "I am an author of this crate." +[[audits.bytecode-alliance.wildcard-audits.bumpalo]] +who = "Nick Fitzgerald <fitzgen@gmail.com>" +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2019-03-16" +end = "2024-03-10" + [[audits.bytecode-alliance.wildcard-audits.derive_arbitrary]] who = "Nick Fitzgerald <fitzgen@gmail.com>" criteria = "safe-to-deploy" 
@@ -748,45 +774,6 @@ start = "2020-01-14" end = "2024-04-27" notes = "I am an author of this crate" -[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -user-id = 1 # Alex Crichton (alexcrichton) -start = "2020-12-11" -end = "2024-04-14" -notes = """ -This is a Bytecode Alliance authored crate maintained in the `wasm-tools` -repository of which I'm one of the primary maintainers and publishers for. -I am employed by a member of the Bytecode Alliance and plan to continue doing -so and will actively maintain this crate over time. -""" - -[[audits.bytecode-alliance.wildcard-audits.wasm-smith]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -user-id = 1 # Alex Crichton (alexcrichton) -start = "2020-09-03" -end = "2024-04-14" -notes = """ -This is a Bytecode Alliance authored crate maintained in the `wasm-tools` -repository of which I'm one of the primary maintainers and publishers for. -I am employed by a member of the Bytecode Alliance and plan to continue doing -so and will actively maintain this crate over time. -""" - -[[audits.bytecode-alliance.wildcard-audits.wast]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -user-id = 1 # Alex Crichton (alexcrichton) -start = "2019-10-16" -end = "2024-04-14" -notes = """ -This is a Bytecode Alliance authored crate maintained in the `wasm-tools` -repository of which I'm one of the primary maintainers and publishers for. -I am employed by a member of the Bytecode Alliance and plan to continue doing -so and will actively maintain this crate over time. -""" - [[audits.bytecode-alliance.audits.adler]] who = "Alex Crichton <alex@alexcrichton.com>" criteria = "safe-to-deploy" 
@@ -841,12 +828,6 @@ who = "Benjamin Bouvier <public@benj.me>" criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.2" -[[audits.bytecode-alliance.audits.bumpalo]] -who = "Nick Fitzgerald <fitzgen@gmail.com>" -criteria = "safe-to-deploy" -version = "3.11.1" -notes = "I am the author of this crate." - [[audits.bytecode-alliance.audits.cargo-platform]] who = "Pat Hickey <phickey@fastly.com>" criteria = "safe-to-deploy" @@ -1303,6 +1284,20 @@ criteria = "safe-to-run" version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.unicode-linebreak]] +who = "Lukasz Anforowicz <lukasza@chromium.org>" +criteria = "safe-to-deploy" +version = "0.1.5" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits. + +Version `0.1.2` of this crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb +The CL description contains a link to a Google-internal document with audit details. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.version_check]] who = "George Burgess IV <gbiv@google.com>" criteria = "safe-to-deploy" 
@@ -1408,6 +1403,87 @@ who = "Brandon Pitman <bran@bran.land>" criteria = "safe-to-deploy" delta = "0.10.7 -> 0.10.8" +[[audits.mozilla.wildcard-audits.uniffi]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2021-11-22" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_bindgen]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2021-11-22" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_build]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2021-11-22" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_checksum_derive]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2023-11-20" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_core]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2023-11-20" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_macros]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2021-11-22" +end = "2024-11-28" +aggregated-from = 
"https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_meta]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2023-11-20" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_testing]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2023-11-20" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.uniffi_udl]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 111105 # Mark Hammond (mhammond) +start = "2023-11-20" +end = "2024-11-28" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.weedle2]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +user-id = 127697 # bendk +start = "2022-06-16" +end = "2025-03-05" +notes = "Maintained by Mozilla" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.wildcard-audits.zeitstempel]] who = "Jan-Erik Rediger <jrediger@mozilla.com>" criteria = "safe-to-deploy" 
@@ -1455,6 +1531,13 @@ no unsafe code. """ aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" +[[audits.mozilla.audits.goblin]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "MSRV bump, no unsafe changes" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.lazy_static]] who = "Nika Layzell <nika@thelayzells.com>" criteria = "safe-to-deploy" 
@@ -1476,9 +1559,40 @@ delta = "0.4.18 -> 0.4.20" notes = "Only cfg attribute and internal macro changes and module refactorings" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" +[[audits.mozilla.audits.oneshot-uniffi]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.1.5 -> 0.1.6" +notes = "Synced with the orginal crate, no new unsafe" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.rkv]] who = "Kagami Sascha Rosylight <krosylight@mozilla.com>" criteria = "safe-to-deploy" delta = "0.18.4 -> 0.19.0" notes = "Maintained by Mozilla, no addition of unsafe blocks" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.scroll]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.11.0 -> 0.12.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.scroll_derive]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "0.11.1 -> 0.12.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.smawk]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +version = "0.3.2" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +version = "0.15.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" |