Diffstat (limited to 'supply-chain')
-rw-r--r--supply-chain/audits.toml64
-rw-r--r--supply-chain/config.toml19
-rw-r--r--supply-chain/imports.lock98
3 files changed, 109 insertions, 72 deletions
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 01c422daf5..31ca3fcf0f 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -232,7 +232,7 @@ notes = "The Glean SDKs are maintained by the Glean Team at Mozilla."
[[wildcard-audits.glean]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
-user-id = 66068 # Travis Long (travis79)
+user-id = 66068
start = "2024-02-12"
end = "2025-02-13"
@@ -247,7 +247,7 @@ notes = "The Glean SDKs are maintained by the Glean Team at Mozilla."
[[wildcard-audits.glean-core]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
-user-id = 66068 # Travis Long (travis79)
+user-id = 66068
start = "2020-07-10"
end = "2025-02-13"
@@ -529,6 +529,11 @@ criteria = "safe-to-deploy"
version = "0.1.0"
notes = "Written and maintained by Gfx team at Mozilla."
+[[audits.ahash]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.7.6 -> 0.7.8"
+
[[audits.aho-corasick]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
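Review bot: The new `[[audits.ahash]]` entry certifies `0.7.6 -> 0.7.8` as safe-to-deploy without a `notes` field, so the record does not say what was inspected in the delta. The same applies to the full-version entries added further down, `[[audits.document-features]]` (0.2.8) and `[[audits.litrs]]` (0.4.1), where a first audit with no notes leaves importers nothing to weigh. I would add a line such as `notes = "<what was reviewed: unsafe blocks, build script or proc-macro behaviour, file/network access>"` to each. The hunk shows only the tail of the preceding entry and the head of `[[audits.aho-corasick]]`.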
@@ -1318,13 +1323,13 @@ delta = "0.5.0 -> 0.7.0"
[[audits.d3d12]]
who = [
"Erich Gubler <egubler@mozilla.com>",
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
- "Erich Gubler <erichdongubler@gmail.com>",
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.7.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+delta = "0.7.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
importable = false
[[audits.darling]]
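Review bot: The `delta` on `[[audits.d3d12]]` is edited in place, moving the end revision from `07e59eb6…` to `6040820…` while carrying over the whole `who` list, so the record no longer shows who reviewed the step between the two git revisions. If the tooling permits, a separate entry with `delta = "0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"` listing only this update's reviewers would keep that trail. The same in-place rewrite appears in the naga, wgpu-core, wgpu-hal and wgpu-types hunks. The `who` list here also names Erich Gubler under two addresses, which reads as two independent reviewers.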
@@ -1491,6 +1496,11 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.3 -> 0.2.4"
+[[audits.document-features]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.2.8"
+
[[audits.dogear]]
who = "Sammy Khamis <skhamis@mozilla.com>"
criteria = "safe-to-deploy"
@@ -2392,6 +2402,11 @@ who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.7.2"
+[[audits.litrs]]
+who = "Erich Gubler <erichdongubler@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.4.1"
+
[[audits.lmdb-rkv]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
@@ -2650,13 +2665,13 @@ delta = "0.13.0 -> 0.14.0"
[[audits.naga]]
who = [
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
- "Erich Gubler <erichdongubler@gmail.com>",
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.14.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+delta = "0.14.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
importable = false
[[audits.net2]]
@@ -3127,8 +3142,7 @@ delta = "0.9.0 -> 0.11.0"
[[audits.qlog]]
who = "Kershaw Chang <kershaw@mozilla.com>"
criteria = "safe-to-deploy"
-delta = "0.11.0 -> 0.11.0@git:09ea4b244096a013071cfe2175bbf2945fb7f8d1"
-importable = false
+delta = "0.11.0 -> 0.12.0"
[[audits.quote]]
who = "Nika Layzell <nika@thelayzells.com>"
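Review bot: Replacing the git-revision delta with `delta = "0.11.0 -> 0.12.0"` and dropping `importable = false` turns a local, non-shareable record into an audit that other projects can import for the published 0.12.0 release. Nothing in the entry says that the 0.12.0 crate as published was diffed, rather than the earlier pinned revision `09ea4b24…`. A line like `notes = "Reviewed the published 0.12.0 against 0.11.0."` would make that explicit, if that is what was done. The head of the qlog entry is context, and `[[audits.quote]]` continues outside the hunk.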
@@ -4007,6 +4021,12 @@ who = "Jonathan Kew <jfkthame@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.3.14 -> 0.3.15"
+[[audits.unicode-bidi]]
+who = "Jonathan Kew <jfkthame@gmail.com>"
+criteria = "safe-to-deploy"
+delta = "0.3.15 -> 0.3.15@git:ca612daf1c08c53abe07327cb3e6ef6e0a760f0c"
+importable = false
+
[[audits.unicode-ident]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@@ -4459,13 +4479,13 @@ delta = "0.17.0 -> 0.18.0"
[[audits.wgpu-core]]
who = [
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
- "Erich Gubler <erichdongubler@gmail.com>",
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
importable = false
[[audits.wgpu-hal]]
@@ -4513,13 +4533,13 @@ delta = "0.17.0 -> 0.18.0"
[[audits.wgpu-hal]]
who = [
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
- "Erich Gubler <erichdongubler@gmail.com>",
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
importable = false
[[audits.wgpu-types]]
@@ -4567,13 +4587,13 @@ delta = "0.17.0 -> 0.18.0"
[[audits.wgpu-types]]
who = [
- "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
- "Erich Gubler <erichdongubler@gmail.com>",
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
+ "Teodor Tanasoaia <ttanasoaia@mozilla.com>",
+ "Erich Gubler <erichdongubler@gmail.com>",
]
criteria = "safe-to-deploy"
-delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a"
+delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944"
importable = false
[[audits.whatsys]]
@@ -4734,6 +4754,12 @@ user-id = 6741 # Alice Ryhl (Darksonn)
start = "2021-01-11"
end = "2024-05-05"
+[[trusted.cc]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2024-02-20"
+end = "2025-02-26"
+
[[trusted.clap]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
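Review bot: `[[trusted.cc]]` grants safe-to-deploy to every `cc` release published by user-id 2915 between 2024-02-20 and 2025-02-26, with no rationale recorded. Elsewhere in this commit the imported audit of cc 1.0.73 disappears from imports.lock, so coverage of this crate moves from a reviewed version to publisher trust. `cc` is normally invoked from build scripts, so its code would run on build machines. I would record why trust was chosen over a delta audit, e.g. `notes = "<reason for trusting this publisher for cc>"`.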
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 9c863175c4..2692f61bc2 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -165,10 +165,6 @@ notes = "This is a first-party crate which is entirely unrelated to the crates.i
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
-[policy.qlog]
-audit-as-crates-io = true
-notes = "Use this revision (09ea4b244096a013071cfe2175bbf2945fb7f8d1) of qlog temporarily."
-
[policy.rure]
audit-as-crates-io = true
notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
@@ -193,6 +189,9 @@ notes = "This is a first-party crate which is entirely unrelated to the crates.i
audit-as-crates-io = false
notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
+[policy.unicode-bidi]
+audit-as-crates-io = true
+
[policy.viaduct]
audit-as-crates-io = false
notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
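Review bot: `[policy.unicode-bidi]` sets `audit-as-crates-io = true` with no `notes`, unlike the neighbouring policy entries and the `[policy.qlog]` entry this commit removes, which named the pinned revision and said the pin was temporary. audits.toml in this commit adds a non-importable delta to `0.3.15@git:ca612daf1c08c53abe07327cb3e6ef6e0a760f0c`, so the tree appears to build a git revision of this crate. I would add `notes = "Use revision ca612daf1c08c53abe07327cb3e6ef6e0a760f0c of unicode-bidi until <tracking bug / upstream release>."` so the pin has a stated reason and an exit condition.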
@@ -599,10 +598,6 @@ criteria = "safe-to-run"
version = "0.15.0"
criteria = "safe-to-deploy"
-[[exemptions.nom]]
-version = "7.1.1"
-criteria = "safe-to-deploy"
-
[[exemptions.objc]]
version = "0.2.7"
criteria = "safe-to-deploy"
@@ -755,14 +750,6 @@ criteria = "safe-to-deploy"
version = "1.2.0"
criteria = "safe-to-deploy"
-[[exemptions.static_assertions]]
-version = "1.1.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.strsim]]
-version = "0.10.0"
-criteria = "safe-to-deploy"
-
[[exemptions.tempfile]]
version = "3.3.0"
criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 2819ea159e..5913bc8915 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -71,6 +71,13 @@ user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"
+[[publisher.cc]]
+version = "1.0.89"
+when = "2024-03-04"
+user-id = 2915
+user-login = "Amanieu"
+user-name = "Amanieu d'Antras"
+
[[publisher.cexpr]]
version = "0.6.0"
when = "2021-10-11"
@@ -212,36 +219,22 @@ user-login = "jrmuizel"
user-name = "Jeff Muizelaar"
[[publisher.glean]]
-version = "56.1.0"
-when = "2024-01-17"
+version = "58.1.0"
+when = "2024-03-12"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
-[[publisher.glean]]
-version = "57.0.0"
-when = "2024-02-12"
-user-id = 66068
-user-login = "travis79"
-user-name = "Travis Long"
-
[[publisher.glean-core]]
-version = "56.1.0"
-when = "2024-01-17"
+version = "58.1.0"
+when = "2024-03-12"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
-[[publisher.glean-core]]
-version = "57.0.0"
-when = "2024-02-12"
-user-id = 66068
-user-login = "travis79"
-user-name = "Travis Long"
-
[[publisher.glslopt]]
-version = "0.1.9"
-when = "2021-03-17"
+version = "0.1.10"
+when = "2024-02-13"
user-id = 84794
user-login = "jamienicol"
user-name = "Jamie Nicol"
@@ -483,8 +476,8 @@ user-login = "Amanieu"
user-name = "Amanieu d'Antras"
[[publisher.serde]]
-version = "1.0.195"
-when = "2024-01-06"
+version = "1.0.197"
+when = "2024-02-20"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
@@ -497,8 +490,8 @@ user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.serde_derive]]
-version = "1.0.195"
-when = "2024-01-06"
+version = "1.0.197"
+when = "2024-02-20"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
@@ -525,8 +518,8 @@ user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.smallvec]]
-version = "1.11.1"
-when = "2023-09-20"
+version = "1.13.1"
+when = "2024-01-19"
user-id = 2017
user-login = "mbrubeck"
user-name = "Matt Brubeck"
@@ -546,15 +539,15 @@ user-login = "BurntSushi"
user-name = "Andrew Gallant"
[[publisher.thiserror]]
-version = "1.0.56"
-when = "2024-01-02"
+version = "1.0.57"
+when = "2024-02-11"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
[[publisher.thiserror-impl]]
-version = "1.0.56"
-when = "2024-01-02"
+version = "1.0.57"
+when = "2024-02-11"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"
@@ -860,12 +853,6 @@ criteria = "safe-to-deploy"
version = "0.1.2"
notes = "no build, no ambient capabilities, no unsafe"
-[[audits.bytecode-alliance.audits.cc]]
-who = "Alex Crichton <alex@alexcrichton.com>"
-criteria = "safe-to-deploy"
-version = "1.0.73"
-notes = "I am the author of this crate."
-
[[audits.bytecode-alliance.audits.cfg-if]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
@@ -1205,6 +1192,15 @@ criteria = "safe-to-run"
version = "0.14.20"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+[[audits.google.audits.nom]]
+who = "danakj@chromium.org"
+criteria = "safe-to-deploy"
+version = "7.1.3"
+notes = """
+Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
[[audits.google.audits.pin-project]]
who = "ChromeOS"
criteria = "safe-to-run"
@@ -1236,6 +1232,34 @@ criteria = "safe-to-run"
version = "0.7.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+[[audits.google.audits.static_assertions]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "1.1.0"
+notes = """
+Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
+and there were no hits except for one `unsafe`.
+
+The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code
+never runs) and is only introduced for some compile-time checks. Additional
+unsafe review comments can be found in https://crrev.com/c/5353376.
+
+This crate has been added to Chromium in https://crrev.com/c/3736562. The CL
+description contains a link to a document with an additional security review.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.strsim]]
+who = "danakj@chromium.org"
+criteria = "safe-to-deploy"
+version = "0.10.0"
+notes = """
+Reviewed in https://crrev.com/c/5171063
+
+Previously reviewed during security review and the audit is grandparented in.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
[[audits.google.audits.tokio]]
who = "Vovo Yang <vovoy@google.com>"
criteria = "safe-to-run"
@@ -1296,7 +1320,7 @@ who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
user-id = 213776 # divviup-github-automation
start = "2020-09-28"
-end = "2024-03-23"
+end = "2025-02-12"
[[audits.isrg.audits.base64]]
who = "Tim Geoghegan <timg@letsencrypt.org>"