From fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 03:14:29 +0200 Subject: Merging upstream version 125.0.1. Signed-off-by: Daniel Baumann --- supply-chain/audits.toml | 64 ++++++++++++++++++++++--------- supply-chain/config.toml | 19 ++------- supply-chain/imports.lock | 98 +++++++++++++++++++++++++++++------------------ 3 files changed, 109 insertions(+), 72 deletions(-) (limited to 'supply-chain') diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 01c422daf5..31ca3fcf0f 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -232,7 +232,7 @@ notes = "The Glean SDKs are maintained by the Glean Team at Mozilla." [[wildcard-audits.glean]] who = "Travis Long " criteria = "safe-to-deploy" -user-id = 66068 # Travis Long (travis79) +user-id = 66068 start = "2024-02-12" end = "2025-02-13" @@ -247,7 +247,7 @@ notes = "The Glean SDKs are maintained by the Glean Team at Mozilla." [[wildcard-audits.glean-core]] who = "Travis Long " criteria = "safe-to-deploy" -user-id = 66068 # Travis Long (travis79) +user-id = 66068 start = "2020-07-10" end = "2025-02-13" @@ -529,6 +529,11 @@ criteria = "safe-to-deploy" version = "0.1.0" notes = "Written and maintained by Gfx team at Mozilla." +[[audits.ahash]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.7.6 -> 0.7.8" + [[audits.aho-corasick]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1318,13 +1323,13 @@ delta = "0.5.0 -> 0.7.0" [[audits.d3d12]] who = [ "Erich Gubler ", - "Teodor Tanasoaia ", - "Erich Gubler ", "Jim Blandy ", "Nicolas Silva ", + "Teodor Tanasoaia ", + "Erich Gubler ", ] criteria = "safe-to-deploy" -delta = "0.7.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a" +delta = "0.7.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" importable = false [[audits.darling]] 
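Review bot: In `[[audits.d3d12]]` the delta target is moved in place from one git revision to `0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944` and the entry still has no `notes`, so the record does not say whether the whole `0.7.0 -> 0.19.0@git:…` range was re-reviewed or only the increment between the two revisions. The same in-place rewrite appears in the `naga`, `wgpu-core`, `wgpu-hal` and `wgpu-types` hunks. I would add a line such as `notes = "<bug or review link covering the update to this revision>"` to each, so that a `safe-to-deploy` claim on an unpublished revision stays traceable. The `who` list for d3d12 also ends up naming Erich Gubler twice; the page strips the addresses, so these may be two distinct identities, but it is worth confirming.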
@@ -1491,6 +1496,11 @@ who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.2.3 -> 0.2.4" +[[audits.document-features]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +version = "0.2.8" + [[audits.dogear]] who = "Sammy Khamis " criteria = "safe-to-deploy" @@ -2392,6 +2402,11 @@ who = "Makoto Kato " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.2" +[[audits.litrs]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +version = "0.4.1" + [[audits.lmdb-rkv]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -2650,13 +2665,13 @@ delta = "0.13.0 -> 0.14.0" [[audits.naga]] who = [ - "Teodor Tanasoaia ", - "Erich Gubler ", "Jim Blandy ", "Nicolas Silva ", + "Teodor Tanasoaia ", + "Erich Gubler ", ] criteria = "safe-to-deploy" -delta = "0.14.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a" +delta = "0.14.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" importable = false [[audits.net2]] @@ -3127,8 +3142,7 @@ delta = "0.9.0 -> 0.11.0" [[audits.qlog]] who = "Kershaw Chang " criteria = "safe-to-deploy" -delta = "0.11.0 -> 0.11.0@git:09ea4b244096a013071cfe2175bbf2945fb7f8d1" -importable = false +delta = "0.11.0 -> 0.12.0" [[audits.quote]] who = "Nika Layzell " @@ -4007,6 +4021,12 @@ who = "Jonathan Kew " criteria = "safe-to-deploy" delta = "0.3.14 -> 0.3.15" +[[audits.unicode-bidi]] +who = "Jonathan Kew " +criteria = "safe-to-deploy" +delta = "0.3.15 -> 0.3.15@git:ca612daf1c08c53abe07327cb3e6ef6e0a760f0c" +importable = false + [[audits.unicode-ident]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -4459,13 +4479,13 @@ delta = "0.17.0 -> 0.18.0" [[audits.wgpu-core]] who = [ - "Teodor Tanasoaia ", - "Erich Gubler ", "Jim Blandy ", "Nicolas Silva ", + "Teodor Tanasoaia ", + "Erich Gubler ", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a" +delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" importable = false [[audits.wgpu-hal]] 
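Review bot: The new full-version audit `[[audits.document-features]]` (`version = "0.2.8"`, `safe-to-deploy`) has no `notes`, and the same holds for `[[audits.litrs]]` `0.4.1` in the next hunk. A first-time audit of a whole crate is the entry that every later delta audit builds on, so a short record of what was checked is worth having, in the style of the imported `static_assertions` audit in imports.lock on this page. Something like `notes = "<scope of review: unsafe, build script, filesystem/network use>"` would do.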
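Review bot: `[[audits.unicode-bidi]]` certifies `0.3.15 -> 0.3.15@git:ca612daf1c08c53abe07327cb3e6ef6e0a760f0c` without `notes`, and the matching `[policy.unicode-bidi]` hunk in config.toml sets `audit-as-crates-io = true` without `notes` either, unlike its neighbouring policy entries. Nothing on the page records which repository the revision comes from or why an unreleased revision is used, while the `[policy.qlog]` entry removed by this same commit did carry such a sentence. I would add `notes = "<source repository and reason for pinning this revision>"` to both entries, so the pin can be dropped once a release contains the change.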
@@ -4513,13 +4533,13 @@ delta = "0.17.0 -> 0.18.0" [[audits.wgpu-hal]] who = [ - "Teodor Tanasoaia ", - "Erich Gubler ", "Jim Blandy ", "Nicolas Silva ", + "Teodor Tanasoaia ", + "Erich Gubler ", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a" +delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" importable = false [[audits.wgpu-types]] @@ -4567,13 +4587,13 @@ delta = "0.17.0 -> 0.18.0" [[audits.wgpu-types]] who = [ - "Teodor Tanasoaia ", - "Erich Gubler ", "Jim Blandy ", "Nicolas Silva ", + "Teodor Tanasoaia ", + "Erich Gubler ", ] criteria = "safe-to-deploy" -delta = "0.18.0 -> 0.19.0@git:07e59eb6fc7de3f682f1c401b9cf9f0da9ee4b4a" +delta = "0.18.0 -> 0.19.0@git:6040820099bc72b827a6a5f53d66dda3e301f944" importable = false [[audits.whatsys]] @@ -4734,6 +4754,12 @@ user-id = 6741 # Alice Ryhl (Darksonn) start = "2021-01-11" end = "2024-05-05" +[[trusted.cc]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2024-02-20" +end = "2025-02-26" + [[trusted.clap]] criteria = "safe-to-deploy" user-id = 6743 # Ed Page (epage) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 9c863175c4..2692f61bc2 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -165,10 +165,6 @@ notes = "This is a first-party crate which is entirely unrelated to the crates.i audit-as-crates-io = true notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." -[policy.qlog] -audit-as-crates-io = true -notes = "Use this revision (09ea4b244096a013071cfe2175bbf2945fb7f8d1) of qlog temporarily." - [policy.rure] audit-as-crates-io = true notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors." 
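Review bot: `[[trusted.cc]]` accepts every `cc` release published by crates.io user 2915 between `2024-02-20` and `2025-02-26` as `safe-to-deploy`, and the entry carries no `notes` explaining why publisher trust is used here. imports.lock on this page drops the imported per-version audit of `cc` 1.0.73 in the same commit, so it looks as if a reviewed version is being replaced by trust in the publishing account; that is inferred from the two hunks, not stated. Since `cc` is normally pulled in by build scripts, I would record the reasoning in the entry, e.g. `notes = "<why this publisher is trusted for cc>"`, and keep the `end` date as short as the update cadence allows.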
@@ -193,6 +189,9 @@ notes = "This is a first-party crate which is entirely unrelated to the crates.i audit-as-crates-io = false notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name." +[policy.unicode-bidi] +audit-as-crates-io = true + [policy.viaduct] audit-as-crates-io = false notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name." @@ -599,10 +598,6 @@ criteria = "safe-to-run" version = "0.15.0" criteria = "safe-to-deploy" -[[exemptions.nom]] -version = "7.1.1" -criteria = "safe-to-deploy" - [[exemptions.objc]] version = "0.2.7" criteria = "safe-to-deploy" @@ -755,14 +750,6 @@ criteria = "safe-to-deploy" version = "1.2.0" criteria = "safe-to-deploy" -[[exemptions.static_assertions]] -version = "1.1.0" -criteria = "safe-to-deploy" - -[[exemptions.strsim]] -version = "0.10.0" -criteria = "safe-to-deploy" - [[exemptions.tempfile]] version = "3.3.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 2819ea159e..5913bc8915 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -71,6 +71,13 @@ user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" +[[publisher.cc]] +version = "1.0.89" +when = "2024-03-04" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + [[publisher.cexpr]] version = "0.6.0" when = "2021-10-11" 
@@ -212,36 +219,22 @@ user-login = "jrmuizel" user-name = "Jeff Muizelaar" [[publisher.glean]] -version = "56.1.0" -when = "2024-01-17" +version = "58.1.0" +when = "2024-03-12" user-id = 48 user-login = "badboy" user-name = "Jan-Erik Rediger" -[[publisher.glean]] -version = "57.0.0" -when = "2024-02-12" -user-id = 66068 -user-login = "travis79" -user-name = "Travis Long" - [[publisher.glean-core]] -version = "56.1.0" -when = "2024-01-17" +version = "58.1.0" +when = "2024-03-12" user-id = 48 user-login = "badboy" user-name = "Jan-Erik Rediger" -[[publisher.glean-core]] -version = "57.0.0" -when = "2024-02-12" -user-id = 66068 -user-login = "travis79" -user-name = "Travis Long" - [[publisher.glslopt]] -version = "0.1.9" -when = "2021-03-17" +version = "0.1.10" +when = "2024-02-13" user-id = 84794 user-login = "jamienicol" user-name = "Jamie Nicol" @@ -483,8 +476,8 @@ user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.serde]] -version = "1.0.195" -when = "2024-01-06" +version = "1.0.197" +when = "2024-02-20" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -497,8 +490,8 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.serde_derive]] -version = "1.0.195" -when = "2024-01-06" +version = "1.0.197" +when = "2024-02-20" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -525,8 +518,8 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.smallvec]] -version = "1.11.1" -when = "2023-09-20" +version = "1.13.1" +when = "2024-01-19" user-id = 2017 user-login = "mbrubeck" user-name = "Matt Brubeck" 
@@ -546,15 +539,15 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.thiserror]] -version = "1.0.56" -when = "2024-01-02" +version = "1.0.57" +when = "2024-02-11" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.thiserror-impl]] -version = "1.0.56" -when = "2024-01-02" +version = "1.0.57" +when = "2024-02-11" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -860,12 +853,6 @@ criteria = "safe-to-deploy" version = "0.1.2" notes = "no build, no ambient capabilities, no unsafe" -[[audits.bytecode-alliance.audits.cc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "1.0.73" -notes = "I am the author of this crate." - [[audits.bytecode-alliance.audits.cfg-if]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -1205,6 +1192,15 @@ criteria = "safe-to-run" version = "0.14.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.nom]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "7.1.3" +notes = """ +Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.pin-project]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -1236,6 +1232,34 @@ criteria = "safe-to-run" version = "0.7.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.static_assertions]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits except for one `unsafe`. + +The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code +never runs) and is only introduced for some compile-time checks. Additional +unsafe review comments can be found in https://crrev.com/c/5353376. + +This crate has been added to Chromium in https://crrev.com/c/3736562. The CL +description contains a link to a document with an additional security review. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strsim]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.10.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.tokio]] who = "Vovo Yang " criteria = "safe-to-run" @@ -1296,7 +1320,7 @@ who = "David Cook " criteria = "safe-to-deploy" user-id = 213776 # divviup-github-automation start = "2020-09-28" -end = "2024-03-23" +end = "2025-02-12" [[audits.isrg.audits.base64]] who = "Tim Geoghegan " -- cgit v1.2.3