2 # cargo-vet imports lock
4 [[publisher.aho-corasick]]
8 user-login = "BurntSushi"
9 user-name = "Andrew Gallant"
18 [[publisher.arbitrary]]
22 user-login = "fitzgen"
23 user-name = "Nick Fitzgerald"
25 [[publisher.async-trait]]
29 user-login = "dtolnay"
30 user-name = "David Tolnay"
36 user-login = "Amanieu"
37 user-name = "Amanieu d'Antras"
39 [[publisher.audio_thread_priority]]
43 user-login = "padenot"
44 user-name = "Paul Adenot"
46 [[publisher.authenticator]]
47 version = "0.4.0-alpha.24"
50 user-login = "jschanck"
51 user-name = "John Schanck"
57 user-login = "martinthomson"
58 user-name = "Martin Thomson"
64 user-login = "fitzgen"
65 user-name = "Nick Fitzgerald"
67 [[publisher.byteorder]]
71 user-login = "BurntSushi"
72 user-name = "Andrew Gallant"
78 user-login = "Darksonn"
79 user-name = "Alice Ryhl"
85 user-login = "Amanieu"
86 user-name = "Amanieu d'Antras"
93 user-name = "Emilio Cobos Álvarez"
100 user-name = "Ed Page"
102 [[publisher.clap_builder]]
107 user-name = "Ed Page"
109 [[publisher.clap_derive]]
114 user-name = "Ed Page"
116 [[publisher.clap_lex]]
121 user-name = "Ed Page"
123 [[publisher.core-foundation]]
127 user-login = "jrmuizel"
128 user-name = "Jeff Muizelaar"
130 [[publisher.core-foundation-sys]]
135 user-name = "Josh Matthews"
137 [[publisher.core-graphics]]
141 user-login = "jrmuizel"
142 user-name = "Jeff Muizelaar"
144 [[publisher.core-graphics-types]]
149 user-name = "Josh Matthews"
151 [[publisher.core-text]]
155 user-login = "jrmuizel"
156 user-name = "Jeff Muizelaar"
158 [[publisher.derive_arbitrary]]
162 user-login = "fitzgen"
163 user-name = "Nick Fitzgerald"
169 user-login = "linabutler"
170 user-name = "Lina Butler"
176 user-login = "dtolnay"
177 user-name = "David Tolnay"
179 [[publisher.encoding_rs]]
183 user-login = "hsivonen"
184 user-name = "Henri Sivonen"
190 user-login = "sunfishcode"
191 user-name = "Dan Gohman"
193 [[publisher.etagere]]
198 user-name = "Nicolas Silva"
205 user-name = "Nicolas Silva"
211 user-login = "joshtriplett"
212 user-name = "Josh Triplett"
214 [[publisher.freetype]]
219 user-name = "Josh Matthews"
225 user-login = "jrmuizel"
226 user-name = "Jeff Muizelaar"
232 user-login = "badboy"
233 user-name = "Jan-Erik Rediger"
235 [[publisher.glean-core]]
239 user-login = "badboy"
240 user-name = "Jan-Erik Rediger"
242 [[publisher.glslopt]]
246 user-login = "jamienicol"
247 user-name = "Jamie Nicol"
253 user-login = "seanmonstar"
254 user-name = "Sean McArthur"
256 [[publisher.headers]]
260 user-login = "seanmonstar"
261 user-name = "Sean McArthur"
263 [[publisher.httparse]]
267 user-login = "seanmonstar"
268 user-name = "Sean McArthur"
270 [[publisher.indexmap]]
274 user-login = "cuviper"
275 user-name = "Josh Stone"
277 [[publisher.inherent]]
281 user-login = "dtolnay"
282 user-name = "David Tolnay"
288 user-login = "carllerche"
289 user-name = "Carl Lerche"
295 user-login = "dtolnay"
296 user-name = "David Tolnay"
298 [[publisher.jobserver]]
302 user-login = "alexcrichton"
303 user-name = "Alex Crichton"
309 user-login = "JohnTitor"
310 user-name = "Yuki Okushi"
312 [[publisher.linux-raw-sys]]
316 user-login = "sunfishcode"
317 user-name = "Dan Gohman"
319 [[publisher.lock_api]]
323 user-login = "Amanieu"
324 user-name = "Amanieu d'Antras"
330 user-login = "BurntSushi"
331 user-name = "Andrew Gallant"
337 user-login = "seanmonstar"
338 user-name = "Sean McArthur"
344 user-login = "carllerche"
345 user-name = "Carl Lerche"
347 [[publisher.nss-gk-api]]
351 user-login = "jschanck"
352 user-name = "John Schanck"
354 [[publisher.num_cpus]]
358 user-login = "seanmonstar"
359 user-name = "Sean McArthur"
365 user-login = "martinthomson"
366 user-name = "Martin Thomson"
368 [[publisher.ordered-float]]
372 user-login = "mbrubeck"
373 user-name = "Matt Brubeck"
375 [[publisher.parking_lot]]
379 user-login = "Amanieu"
380 user-name = "Amanieu d'Antras"
382 [[publisher.parking_lot_core]]
386 user-login = "Amanieu"
387 user-name = "Amanieu d'Antras"
393 user-login = "dtolnay"
394 user-name = "David Tolnay"
396 [[publisher.presser]]
400 user-login = "embark-studios"
406 user-login = "divviup-github-automation"
408 [[publisher.proc-macro2]]
412 user-login = "dtolnay"
413 user-name = "David Tolnay"
419 user-login = "jrmuizel"
420 user-name = "Jeff Muizelaar"
426 user-login = "dtolnay"
427 user-name = "David Tolnay"
433 user-login = "BurntSushi"
434 user-name = "Andrew Gallant"
436 [[publisher.regex-automata]]
440 user-login = "BurntSushi"
441 user-name = "Andrew Gallant"
443 [[publisher.regex-syntax]]
447 user-login = "BurntSushi"
448 user-name = "Andrew Gallant"
450 [[publisher.rust_cascade]]
454 user-login = "mozkeeler"
455 user-name = "Dana Keeler"
461 user-login = "sunfishcode"
462 user-name = "Dan Gohman"
468 user-login = "dtolnay"
469 user-name = "David Tolnay"
471 [[publisher.same-file]]
475 user-login = "BurntSushi"
476 user-name = "Andrew Gallant"
478 [[publisher.scopeguard]]
482 user-login = "Amanieu"
483 user-name = "Amanieu d'Antras"
489 user-login = "dtolnay"
490 user-name = "David Tolnay"
492 [[publisher.serde_bytes]]
496 user-login = "dtolnay"
497 user-name = "David Tolnay"
499 [[publisher.serde_derive]]
503 user-login = "dtolnay"
504 user-name = "David Tolnay"
506 [[publisher.serde_json]]
510 user-login = "dtolnay"
511 user-name = "David Tolnay"
513 [[publisher.serde_repr]]
517 user-login = "dtolnay"
518 user-name = "David Tolnay"
520 [[publisher.serde_yaml]]
524 user-login = "dtolnay"
525 user-name = "David Tolnay"
527 [[publisher.smallvec]]
531 user-login = "mbrubeck"
532 user-name = "Matt Brubeck"
538 user-login = "dtolnay"
539 user-name = "David Tolnay"
541 [[publisher.termcolor]]
545 user-login = "BurntSushi"
546 user-name = "Andrew Gallant"
548 [[publisher.thiserror]]
552 user-login = "dtolnay"
553 user-name = "David Tolnay"
555 [[publisher.thiserror-impl]]
559 user-login = "dtolnay"
560 user-name = "David Tolnay"
562 [[publisher.threadbound]]
566 user-login = "dtolnay"
567 user-name = "David Tolnay"
569 [[publisher.tokio-util]]
573 user-login = "Darksonn"
574 user-name = "Alice Ryhl"
580 user-login = "alexcrichton"
581 user-name = "Alex Crichton"
583 [[publisher.unicode-ident]]
587 user-login = "dtolnay"
588 user-name = "David Tolnay"
590 [[publisher.unicode-width]]
594 user-login = "Manishearth"
595 user-name = "Manish Goregaokar"
597 [[publisher.unicode-xid]]
601 user-login = "Manishearth"
602 user-name = "Manish Goregaokar"
608 user-login = "mhammond"
609 user-name = "Mark Hammond"
611 [[publisher.uniffi_bindgen]]
615 user-login = "mhammond"
616 user-name = "Mark Hammond"
618 [[publisher.uniffi_build]]
622 user-login = "mhammond"
623 user-name = "Mark Hammond"
625 [[publisher.uniffi_checksum_derive]]
629 user-login = "mhammond"
630 user-name = "Mark Hammond"
632 [[publisher.uniffi_core]]
636 user-login = "mhammond"
637 user-name = "Mark Hammond"
639 [[publisher.uniffi_macros]]
643 user-login = "mhammond"
644 user-name = "Mark Hammond"
646 [[publisher.uniffi_meta]]
650 user-login = "mhammond"
651 user-name = "Mark Hammond"
653 [[publisher.uniffi_testing]]
657 user-login = "mhammond"
658 user-name = "Mark Hammond"
660 [[publisher.uniffi_udl]]
664 user-login = "mhammond"
665 user-name = "Mark Hammond"
667 [[publisher.utf8_iter]]
671 user-login = "hsivonen"
672 user-name = "Henri Sivonen"
674 [[publisher.walkdir]]
678 user-login = "BurntSushi"
679 user-name = "Andrew Gallant"
685 user-login = "seanmonstar"
686 user-name = "Sean McArthur"
689 version = "0.11.0+wasi-snapshot-preview1"
692 user-login = "alexcrichton"
693 user-name = "Alex Crichton"
695 [[publisher.wasm-encoder]]
699 user-login = "wasmtime-publish"
701 [[publisher.wasm-smith]]
705 user-login = "wasmtime-publish"
711 user-login = "wasmtime-publish"
713 [[publisher.weedle2]]
719 [[publisher.winapi-util]]
723 user-login = "BurntSushi"
724 user-name = "Andrew Gallant"
726 [[publisher.windows]]
730 user-login = "kennykerr"
731 user-name = "Kenny Kerr"
733 [[publisher.windows-core]]
737 user-login = "kennykerr"
738 user-name = "Kenny Kerr"
740 [[publisher.windows-sys]]
744 user-login = "kennykerr"
745 user-name = "Kenny Kerr"
747 [[publisher.zeitstempel]]
751 user-login = "badboy"
752 user-name = "Jan-Erik Rediger"
754 [[audits.bytecode-alliance.wildcard-audits.arbitrary]]
755 who = "Nick Fitzgerald <fitzgen@gmail.com>"
756 criteria = "safe-to-deploy"
757 user-id = 696 # Nick Fitzgerald (fitzgen)
760 notes = "I am an author of this crate."
762 [[audits.bytecode-alliance.wildcard-audits.bumpalo]]
763 who = "Nick Fitzgerald <fitzgen@gmail.com>"
764 criteria = "safe-to-deploy"
765 user-id = 696 # Nick Fitzgerald (fitzgen)
769 [[audits.bytecode-alliance.wildcard-audits.derive_arbitrary]]
770 who = "Nick Fitzgerald <fitzgen@gmail.com>"
771 criteria = "safe-to-deploy"
772 user-id = 696 # Nick Fitzgerald (fitzgen)
775 notes = "I am an author of this crate"
777 [[audits.bytecode-alliance.audits.adler]]
778 who = "Alex Crichton <alex@alexcrichton.com>"
779 criteria = "safe-to-deploy"
781 notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
783 [[audits.bytecode-alliance.audits.arrayref]]
784 who = "Nick Fitzgerald <fitzgen@gmail.com>"
785 criteria = "safe-to-deploy"
788 Unsafe code, but its logic looks good to me. Necessary given what it is
789 doing. Well tested, has quickchecks.
792 [[audits.bytecode-alliance.audits.arrayvec]]
793 who = "Nick Fitzgerald <fitzgen@gmail.com>"
794 criteria = "safe-to-deploy"
797 Well documented invariants, good assertions for those invariants in unsafe code,
798 and tested with MIRI to boot. LGTM.
801 [[audits.bytecode-alliance.audits.base64]]
802 who = "Pat Hickey <phickey@fastly.com>"
803 criteria = "safe-to-deploy"
805 notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
807 [[audits.bytecode-alliance.audits.bitflags]]
808 who = "Jamey Sharp <jsharp@fastly.com>"
809 criteria = "safe-to-deploy"
810 delta = "2.1.0 -> 2.2.1"
812 This version adds unsafe impls of traits from the bytemuck crate when built
813 with that library enabled, but I believe the impls satisfy the documented
814 safety requirements for bytemuck. The other changes are minor.
817 [[audits.bytecode-alliance.audits.bitflags]]
818 who = "Alex Crichton <alex@alexcrichton.com>"
819 criteria = "safe-to-deploy"
820 delta = "2.3.2 -> 2.3.3"
822 Nothing outside the realm of what one would expect from a bitflags generator,
# Delta audit: certifies only the changes between 0.9.0 and 0.10.2, not the
# crate as a whole. No notes appear in this entry, so what the reviewer
# examined is not recorded here.
826 [[audits.bytecode-alliance.audits.block-buffer]]
827 who = "Benjamin Bouvier <public@benj.me>"
828 criteria = "safe-to-deploy"
829 delta = "0.9.0 -> 0.10.2"
831 [[audits.bytecode-alliance.audits.cargo-platform]]
832 who = "Pat Hickey <phickey@fastly.com>"
833 criteria = "safe-to-deploy"
835 notes = "no build, no ambient capabilities, no unsafe"
837 [[audits.bytecode-alliance.audits.cfg-if]]
838 who = "Alex Crichton <alex@alexcrichton.com>"
839 criteria = "safe-to-deploy"
841 notes = "I am the author of this crate."
843 [[audits.bytecode-alliance.audits.codespan-reporting]]
844 who = "Jamey Sharp <jsharp@fastly.com>"
845 criteria = "safe-to-deploy"
847 notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O."
849 [[audits.bytecode-alliance.audits.cpufeatures]]
850 who = "Alex Crichton <alex@alexcrichton.com>"
851 criteria = "safe-to-deploy"
852 delta = "0.2.2 -> 0.2.7"
854 This is a minor update that looks to add some more detected CPU features and
855 various other minor portability fixes such as MIRI support.
858 [[audits.bytecode-alliance.audits.crypto-common]]
859 who = "Benjamin Bouvier <public@benj.me>"
860 criteria = "safe-to-deploy"
863 [[audits.bytecode-alliance.audits.fallible-iterator]]
864 who = "Alex Crichton <alex@alexcrichton.com>"
865 criteria = "safe-to-deploy"
866 delta = "0.2.0 -> 0.3.0"
868 This major version update has a few minor breaking changes but everything
869 this crate has to do with iterators and `Result` and such. No `unsafe` or
870 anything like that, all looks good.
873 [[audits.bytecode-alliance.audits.foreign-types]]
874 who = "Pat Hickey <phickey@fastly.com>"
875 criteria = "safe-to-deploy"
877 notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well."
879 [[audits.bytecode-alliance.audits.foreign-types-shared]]
880 who = "Pat Hickey <phickey@fastly.com>"
881 criteria = "safe-to-deploy"
884 [[audits.bytecode-alliance.audits.futures-channel]]
885 who = "Pat Hickey <phickey@fastly.com>"
886 criteria = "safe-to-deploy"
888 notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
890 [[audits.bytecode-alliance.audits.futures-core]]
891 who = "Pat Hickey <phickey@fastly.com>"
892 criteria = "safe-to-deploy"
894 notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
896 [[audits.bytecode-alliance.audits.futures-executor]]
897 who = "Pat Hickey <phickey@fastly.com>"
898 criteria = "safe-to-deploy"
900 notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."
902 [[audits.bytecode-alliance.audits.futures-io]]
903 who = "Pat Hickey <phickey@fastly.com>"
904 criteria = "safe-to-deploy"
907 [[audits.bytecode-alliance.audits.futures-sink]]
908 who = "Pat Hickey <phickey@fastly.com>"
909 criteria = "safe-to-deploy"
912 [[audits.bytecode-alliance.audits.heck]]
913 who = "Alex Crichton <alex@alexcrichton.com>"
914 criteria = "safe-to-deploy"
916 notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."
918 [[audits.bytecode-alliance.audits.id-arena]]
919 who = "Nick Fitzgerald <fitzgen@gmail.com>"
920 criteria = "safe-to-deploy"
922 notes = "I am the author of this crate."
924 [[audits.bytecode-alliance.audits.idna]]
925 who = "Alex Crichton <alex@alexcrichton.com>"
926 criteria = "safe-to-deploy"
929 This is a crate without unsafe code or usage of the standard library. The large
930 size of this crate comes from the large generated unicode tables file. This
931 crate is broadly used throughout the ecosystem and does not contain anything
935 [[audits.bytecode-alliance.audits.leb128]]
936 who = "Nick Fitzgerald <fitzgen@gmail.com>"
937 criteria = "safe-to-deploy"
939 notes = "I am the author of this crate."
# Delta audit for the 0.7.1 -> 0.8.0 step only. It counts toward vetting
# 0.8.0 only when 0.7.1 is itself covered (full audit, exemption, or an
# earlier delta chain); that coverage is not part of this entry.
941 [[audits.bytecode-alliance.audits.memoffset]]
942 who = "Alex Crichton <alex@alexcrichton.com>"
943 criteria = "safe-to-deploy"
944 delta = "0.7.1 -> 0.8.0"
945 notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."
947 [[audits.bytecode-alliance.audits.miniz_oxide]]
948 who = "Alex Crichton <alex@alexcrichton.com>"
949 criteria = "safe-to-deploy"
952 This crate is a Rust implementation of zlib compression/decompression and has
953 been used by default by the Rust standard library for quite some time. It's also
954 a default dependency of the popular `backtrace` crate for decompressing debug
955 information. This crate forbids unsafe code and does not otherwise access system
956 resources. It's originally a port of the `miniz.c` library as well, and given
957 its own longevity should be relatively hardened against some of the more common
958 compression-related issues.
# mio: delta audit covering 0.8.6 -> 0.8.8 only.
961 [[audits.bytecode-alliance.audits.mio]]
962 who = "Alex Crichton <alex@alexcrichton.com>"
963 criteria = "safe-to-deploy"
964 delta = "0.8.6 -> 0.8.8"
965 notes = "Mostly OS portability updates along with some minor bugfixes."
# object: two consecutive delta audits by the same reviewer. The end version
# of the first (0.31.1) is the start version of the second, so together they
# form a 0.30.3 -> 0.32.0 chain; the audit of 0.30.3 itself is not in these
# entries.
967 [[audits.bytecode-alliance.audits.object]]
968 who = "Alex Crichton <alex@alexcrichton.com>"
969 criteria = "safe-to-deploy"
970 delta = "0.30.3 -> 0.31.1"
971 notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary."
973 [[audits.bytecode-alliance.audits.object]]
974 who = "Alex Crichton <alex@alexcrichton.com>"
975 criteria = "safe-to-deploy"
976 delta = "0.31.1 -> 0.32.0"
977 notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good."
979 [[audits.bytecode-alliance.audits.percent-encoding]]
980 who = "Alex Crichton <alex@alexcrichton.com>"
981 criteria = "safe-to-deploy"
984 This crate is a single-file crate that does what it says on the tin. There are
985 a few `unsafe` blocks related to utf-8 validation which are locally verifiable
986 as correct and otherwise this crate is good to go.
989 [[audits.bytecode-alliance.audits.pin-utils]]
990 who = "Pat Hickey <phickey@fastly.com>"
991 criteria = "safe-to-deploy"
994 [[audits.bytecode-alliance.audits.pkg-config]]
995 who = "Pat Hickey <phickey@fastly.com>"
996 criteria = "safe-to-deploy"
998 notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."
1000 [[audits.bytecode-alliance.audits.rustc-demangle]]
1001 who = "Alex Crichton <alex@alexcrichton.com>"
1002 criteria = "safe-to-deploy"
1004 notes = "I am the author of this crate."
1006 [[audits.bytecode-alliance.audits.semver]]
1007 who = "Pat Hickey <phickey@fastly.com>"
1008 criteria = "safe-to-deploy"
1010 notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"
1012 [[audits.bytecode-alliance.audits.slab]]
1013 who = "Pat Hickey <phickey@fastly.com>"
1014 criteria = "safe-to-deploy"
1016 notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods."
# socket2: delta audit covering 0.4.7 -> 0.4.9 only.
1018 [[audits.bytecode-alliance.audits.socket2]]
1019 who = "Alex Crichton <alex@alexcrichton.com>"
1020 criteria = "safe-to-deploy"
1021 delta = "0.4.7 -> 0.4.9"
1022 notes = "Minor OS compat updates but otherwise nothing major here."
# tempfile: delta chain 3.3.0 -> 3.5.0 -> 3.6.0, signed off by two different
# reviewers. The first step carries no notes, so its review scope is not
# recorded in this entry.
1024 [[audits.bytecode-alliance.audits.tempfile]]
1025 who = "Pat Hickey <phickey@fastly.com>"
1026 criteria = "safe-to-deploy"
1027 delta = "3.3.0 -> 3.5.0"
1029 [[audits.bytecode-alliance.audits.tempfile]]
1030 who = "Alex Crichton <alex@alexcrichton.com>"
1031 criteria = "safe-to-deploy"
1032 delta = "3.5.0 -> 3.6.0"
1033 notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal."
1035 [[audits.bytecode-alliance.audits.unicase]]
1036 who = "Alex Crichton <alex@alexcrichton.com>"
1037 criteria = "safe-to-deploy"
1040 This crate contains no `unsafe` code and no unnecessary use of the standard
1044 [[audits.bytecode-alliance.audits.unicode-bidi]]
1045 who = "Alex Crichton <alex@alexcrichton.com>"
1046 criteria = "safe-to-deploy"
1049 This crate has no unsafe code and does not use `std::*`. Skimming the crate it
1050 does not attempt to out of the bounds of what it's already supposed to be doing.
1053 [[audits.bytecode-alliance.audits.unicode-normalization]]
1054 who = "Alex Crichton <alex@alexcrichton.com>"
1055 criteria = "safe-to-deploy"
1058 This crate contains one usage of `unsafe` which I have manually checked to see
1059 it as correct. This crate's size comes in large part due to the generated
1060 unicode tables that it contains. This crate is additionally widely used
1061 throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
1062 and nothing suspicious.
1065 [[audits.embark-studios.wildcard-audits.presser]]
1066 who = "Gray Olson <opensource@embark-studios.com>"
1067 criteria = "safe-to-deploy"
1068 user-id = 52553 # embark-studios
1069 start = "2021-01-01"
1072 Small crate with no dependencies and no ambient capabilities. The safe interface of the crate
1073 is gated behind unsafe implementation of a core trait, and care must be taken to ensure that
1074 the relevant invariants are guaranteed when doing so. Maintained by the Ark team at Embark
1075 and used in production.
1078 [[audits.embark-studios.audits.anyhow]]
1079 who = "Johan Andersson <opensource@embark-studios.com>"
1080 criteria = "safe-to-deploy"
1083 [[audits.embark-studios.audits.cfg_aliases]]
1084 who = "Johan Andersson <opensource@embark-studios.com>"
1085 criteria = "safe-to-deploy"
1087 notes = "No unsafe usage or ambient capabilities"
1089 [[audits.embark-studios.audits.derive_more]]
1090 who = "Johan Andersson <opensource@embark-studios.com>"
1091 criteria = "safe-to-deploy"
1093 notes = "No unsafe usage or ambient capabilities"
1095 [[audits.embark-studios.audits.ident_case]]
1096 who = "Johan Andersson <opensource@embark-studios.com>"
1097 criteria = "safe-to-deploy"
1099 notes = "No unsafe usage or ambient capabilities"
# Imported from the embark-studios audit set. This is a delta entry, so the
# certification applies to the 0.3.0 -> 0.4.0 changes.
# NOTE(review): the note text does not say whether "no unsafe usage" was
# checked for the diff only or for the whole crate - confirm upstream.
1101 [[audits.embark-studios.audits.idna]]
1102 who = "Johan Andersson <opensource@embark-studios.com>"
1103 criteria = "safe-to-deploy"
1104 delta = "0.3.0 -> 0.4.0"
1105 notes = "No unsafe usage or ambient capabilities"
1107 [[audits.embark-studios.audits.line-wrap]]
1108 who = "Johan Andersson <opensource@embark-studios.com>"
1109 criteria = "safe-to-deploy"
1111 notes = "No unsafe usage or ambient capabilities"
1113 [[audits.embark-studios.audits.yaml-rust]]
1114 who = "Johan Andersson <opensource@embark-studios.com>"
1115 criteria = "safe-to-deploy"
1117 notes = "No unsafe usage or ambient capabilities"
# Full-version audit (a `version` key rather than `delta`): certifies exactly
# 0.37.0+1.3.209 and no other release.
# `aggregated-from` records the upstream audits.toml this entry was collected
# from; the reasoning behind the audit lives at the review link in `notes`,
# not in this file.
1119 [[audits.google.audits.ash]]
1120 who = "David Koloski <dkoloski@google.com>"
1121 criteria = "safe-to-deploy"
1122 version = "0.37.0+1.3.209"
1123 notes = "Reviewed on https://fxrev.dev/694269"
1124 aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
1126 [[audits.google.audits.fastrand]]
1127 who = "George Burgess IV <gbiv@google.com>"
1128 criteria = "safe-to-deploy"
1131 `does-not-implement-crypto` is certified because this crate explicitly says
1132 that the RNG here is not cryptographically secure.
1134 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1136 [[audits.google.audits.futures]]
1137 who = "George Burgess IV <gbiv@google.com>"
1138 criteria = "safe-to-deploy"
1141 `futures` has no logic other than tests - it simply `pub use`s things from
1144 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1146 [[audits.google.audits.glob]]
1147 who = "George Burgess IV <gbiv@google.com>"
1148 criteria = "safe-to-deploy"
1150 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1152 [[audits.google.audits.http]]
1154 criteria = "safe-to-run"
1156 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1158 [[audits.google.audits.http-body]]
1160 criteria = "safe-to-run"
1162 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1164 [[audits.google.audits.httpdate]]
1166 criteria = "safe-to-run"
1168 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1170 [[audits.google.audits.hyper]]
1172 criteria = "safe-to-run"
1174 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1176 [[audits.google.audits.nom]]
1177 who = "danakj@chromium.org"
1178 criteria = "safe-to-deploy"
1181 Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
1183 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
1185 [[audits.google.audits.pin-project]]
1187 criteria = "safe-to-run"
1189 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1191 [[audits.google.audits.pin-project-internal]]
1193 criteria = "safe-to-run"
1195 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1197 [[audits.google.audits.pin-project-lite]]
1198 who = "David Koloski <dkoloski@google.com>"
1199 criteria = "safe-to-deploy"
1201 notes = "Reviewed on https://fxrev.dev/824504"
1202 aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
1204 [[audits.google.audits.scoped-tls]]
1205 who = "George Burgess IV <gbiv@google.com>"
1206 criteria = "safe-to-run"
1208 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1210 [[audits.google.audits.serde_urlencoded]]
1212 criteria = "safe-to-run"
1214 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1216 [[audits.google.audits.static_assertions]]
1217 who = "Lukasz Anforowicz <lukasza@chromium.org>"
1218 criteria = "safe-to-deploy"
1221 Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
1222 and there were no hits except for one `unsafe`.
1224 The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code
1225 never runs) and is only introduced for some compile-time checks. Additional
1226 unsafe review comments can be found in https://crrev.com/c/5353376.
1228 This crate has been added to Chromium in https://crrev.com/c/3736562. The CL
1229 description contains a link to a document with an additional security review.
1231 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
1233 [[audits.google.audits.strsim]]
1234 who = "danakj@chromium.org"
1235 criteria = "safe-to-deploy"
1238 Reviewed in https://crrev.com/c/5171063
1240 Previously reviewed during security review and the audit is grandparented in.
1242 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
1244 [[audits.google.audits.tokio]]
1245 who = "Vovo Yang <vovoy@google.com>"
1246 criteria = "safe-to-run"
1248 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1250 [[audits.google.audits.tokio-stream]]
1251 who = "David Koloski <dkoloski@google.com>"
1252 criteria = "safe-to-deploy"
1254 notes = "Reviewed on https://fxrev.dev/804724"
1255 aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
1257 [[audits.google.audits.tower-service]]
1259 criteria = "safe-to-run"
1261 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1263 [[audits.google.audits.tracing]]
1265 criteria = "safe-to-run"
1267 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1269 [[audits.google.audits.tracing-attributes]]
1271 criteria = "safe-to-run"
1273 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1275 [[audits.google.audits.tracing-core]]
1277 criteria = "safe-to-run"
1279 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1281 [[audits.google.audits.try-lock]]
1283 criteria = "safe-to-run"
1285 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1287 [[audits.google.audits.unicode-linebreak]]
1288 who = "Lukasz Anforowicz <lukasza@chromium.org>"
1289 criteria = "safe-to-deploy"
1292 Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
1293 and there were no hits.
1295 Version `0.1.2` of this crate has been added to Chromium in
1296 https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
1297 The CL description contains a link to a Google-internal document with audit details.
1299 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
1301 [[audits.google.audits.version_check]]
1302 who = "George Burgess IV <gbiv@google.com>"
1303 criteria = "safe-to-deploy"
1305 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1307 [[audits.google.audits.want]]
1309 criteria = "safe-to-run"
1311 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
1313 [[audits.isrg.wildcard-audits.prio]]
1314 who = "David Cook <dcook@divviup.org>"
1315 criteria = "safe-to-deploy"
1316 user-id = 213776 # divviup-github-automation
1317 start = "2020-09-28"
# Three consecutive delta audits forming the chain
# 0.21.0 -> 0.21.1 -> 0.21.2 -> 0.21.3, each signed by a different reviewer.
# The chain only vouches for 0.21.3 if 0.21.0 is covered elsewhere. None of
# the three steps carries notes, so what was examined is not recorded in
# these entries.
1320 [[audits.isrg.audits.base64]]
1321 who = "Tim Geoghegan <timg@letsencrypt.org>"
1322 criteria = "safe-to-deploy"
1323 delta = "0.21.0 -> 0.21.1"
1325 [[audits.isrg.audits.base64]]
1326 who = "Brandon Pitman <bran@bran.land>"
1327 criteria = "safe-to-deploy"
1328 delta = "0.21.1 -> 0.21.2"
1330 [[audits.isrg.audits.base64]]
1331 who = "David Cook <dcook@divviup.org>"
1332 criteria = "safe-to-deploy"
1333 delta = "0.21.2 -> 0.21.3"
1335 [[audits.isrg.audits.block-buffer]]
1336 who = "David Cook <dcook@divviup.org>"
1337 criteria = "safe-to-deploy"
# Delta audit covering 0.2.9 -> 0.2.10 only. The reviewer's note singles out
# the new `unsafe` code in this step and gives the reason it was accepted;
# the rest of the crate is outside the scope of this entry.
1340 [[audits.isrg.audits.getrandom]]
1341 who = "Tim Geoghegan <timg@letsencrypt.org>"
1342 criteria = "safe-to-deploy"
1343 delta = "0.2.9 -> 0.2.10"
1344 notes = "These changes include some new `unsafe` code for the `emscripten` and `psvita` targets, but all it does is call `libc::getentropy`."
1346 [[audits.isrg.audits.keccak]]
1347 who = "David Cook <dcook@divviup.org>"
1348 criteria = "safe-to-deploy"
# keccak: delta audit covering 0.1.3 -> 0.1.4 only; no notes recorded.
1351 [[audits.isrg.audits.keccak]]
1352 who = "Brandon Pitman <bran@bran.land>"
1353 criteria = "safe-to-deploy"
1354 delta = "0.1.3 -> 0.1.4"
# once_cell: delta chain 1.17.1 -> 1.17.2 -> 1.18.0 -> 1.19.0, alternating
# between two reviewers. Each entry certifies one step of the chain; the
# starting version 1.17.1 must be covered by some other entry for the chain
# to reach a vetted base.
1356 [[audits.isrg.audits.once_cell]]
1357 who = "Brandon Pitman <bran@bran.land>"
1358 criteria = "safe-to-deploy"
1359 delta = "1.17.1 -> 1.17.2"
1361 [[audits.isrg.audits.once_cell]]
1362 who = "David Cook <dcook@divviup.org>"
1363 criteria = "safe-to-deploy"
1364 delta = "1.17.2 -> 1.18.0"
1366 [[audits.isrg.audits.once_cell]]
1367 who = "Brandon Pitman <bran@bran.land>"
1368 criteria = "safe-to-deploy"
1369 delta = "1.18.0 -> 1.19.0"
1371 [[audits.isrg.audits.rand_chacha]]
1372 who = "David Cook <dcook@divviup.org>"
1373 criteria = "safe-to-deploy"
1376 [[audits.isrg.audits.rand_core]]
1377 who = "David Cook <dcook@divviup.org>"
1378 criteria = "safe-to-deploy"
# Delta chain 1.10.2 -> 1.11.0 -> 1.12.0 from two reviewers. Neither step
# carries notes, and the audit of the 1.10.2 starting point is not part of
# these entries.
1381 [[audits.isrg.audits.rayon-core]]
1382 who = "Brandon Pitman <bran@bran.land>"
1383 criteria = "safe-to-deploy"
1384 delta = "1.10.2 -> 1.11.0"
1386 [[audits.isrg.audits.rayon-core]]
1387 who = "David Cook <dcook@divviup.org>"
1388 criteria = "safe-to-deploy"
1389 delta = "1.11.0 -> 1.12.0"
1391 [[audits.isrg.audits.sha2]]
1392 who = "David Cook <dcook@divviup.org>"
1393 criteria = "safe-to-deploy"
1396 [[audits.isrg.audits.sha3]]
1397 who = "David Cook <dcook@divviup.org>"
1398 criteria = "safe-to-deploy"
1401 [[audits.isrg.audits.sha3]]
1402 who = "Brandon Pitman <bran@bran.land>"
1403 criteria = "safe-to-deploy"
1404 delta = "0.10.7 -> 0.10.8"
1406 [[audits.mozilla.wildcard-audits.uniffi]]
1407 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1408 criteria = "safe-to-deploy"
1409 user-id = 111105 # Mark Hammond (mhammond)
1410 start = "2021-11-22"
1412 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1414 [[audits.mozilla.wildcard-audits.uniffi_bindgen]]
1415 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1416 criteria = "safe-to-deploy"
1417 user-id = 111105 # Mark Hammond (mhammond)
1418 start = "2021-11-22"
1420 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1422 [[audits.mozilla.wildcard-audits.uniffi_build]]
1423 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1424 criteria = "safe-to-deploy"
1425 user-id = 111105 # Mark Hammond (mhammond)
1426 start = "2021-11-22"
1428 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1430 [[audits.mozilla.wildcard-audits.uniffi_checksum_derive]]
1431 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1432 criteria = "safe-to-deploy"
1433 user-id = 111105 # Mark Hammond (mhammond)
1434 start = "2023-11-20"
1436 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1438 [[audits.mozilla.wildcard-audits.uniffi_core]]
1439 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1440 criteria = "safe-to-deploy"
1441 user-id = 111105 # Mark Hammond (mhammond)
1442 start = "2023-11-20"
1444 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1446 [[audits.mozilla.wildcard-audits.uniffi_macros]]
1447 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1448 criteria = "safe-to-deploy"
1449 user-id = 111105 # Mark Hammond (mhammond)
1450 start = "2021-11-22"
1452 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1454 [[audits.mozilla.wildcard-audits.uniffi_meta]]
1455 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1456 criteria = "safe-to-deploy"
1457 user-id = 111105 # Mark Hammond (mhammond)
1458 start = "2023-11-20"
1460 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1462 [[audits.mozilla.wildcard-audits.uniffi_testing]]
1463 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1464 criteria = "safe-to-deploy"
1465 user-id = 111105 # Mark Hammond (mhammond)
1466 start = "2023-11-20"
1468 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1470 [[audits.mozilla.wildcard-audits.uniffi_udl]]
1471 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1472 criteria = "safe-to-deploy"
1473 user-id = 111105 # Mark Hammond (mhammond)
1474 start = "2023-11-20"
1476 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1478 [[audits.mozilla.wildcard-audits.weedle2]]
1479 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1480 criteria = "safe-to-deploy"
1481 user-id = 127697 # bendk
1482 start = "2022-06-16"
1484 notes = "Maintained by Mozilla"
1485 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1487 [[audits.mozilla.wildcard-audits.zeitstempel]]
1488 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1489 criteria = "safe-to-deploy"
1490 user-id = 48 # Jan-Erik Rediger (badboy)
1491 start = "2021-03-03"
1493 notes = "Maintained by me"
1494 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1496 [[audits.mozilla.audits.askama]]
1497 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1498 criteria = "safe-to-deploy"
1499 delta = "0.11.1 -> 0.12.0"
1500 notes = "No new unsafe usage, mostly dependency updates and smaller API changes"
1501 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1503 [[audits.mozilla.audits.askama_derive]]
1504 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1505 criteria = "safe-to-deploy"
1506 delta = "0.11.2 -> 0.12.1"
1507 notes = "Dependency updates, a new toml dependency and some API changes. No unsafe use."
1508 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1510 [[audits.mozilla.audits.basic-toml]]
1511 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1512 criteria = "safe-to-deploy"
1514 notes = "TOML parser, forked from toml 0.5"
1515 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1517 [[audits.mozilla.audits.bitflags]]
1518 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1519 criteria = "safe-to-deploy"
1520 delta = "2.4.0 -> 2.4.1"
1521 notes = "Only allowing new clippy lints"
1522 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1524 [[audits.mozilla.audits.either]]
1525 who = "Nika Layzell <nika@thelayzells.com>"
1526 criteria = "safe-to-deploy"
1529 Straightforward crate providing the Either enum and trait implementations with
1532 aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
1534 [[audits.mozilla.audits.goblin]]
1535 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1536 criteria = "safe-to-deploy"
1537 delta = "0.7.1 -> 0.8.0"
1538 notes = "MSRV bump, no unsafe changes"
1539 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1541 [[audits.mozilla.audits.lazy_static]]
1542 who = "Nika Layzell <nika@thelayzells.com>"
1543 criteria = "safe-to-deploy"
1545 notes = "I have read over the macros, and audited the unsafe code."
1546 aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
1548 [[audits.mozilla.audits.log]]
1549 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1550 criteria = "safe-to-deploy"
1551 delta = "0.4.17 -> 0.4.18"
1552 notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
1553 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1555 [[audits.mozilla.audits.log]]
1556 who = "Kagami Sascha Rosylight <krosylight@mozilla.com>"
1557 criteria = "safe-to-deploy"
1558 delta = "0.4.18 -> 0.4.20"
1559 notes = "Only cfg attribute and internal macro changes and module refactorings"
1560 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1562 [[audits.mozilla.audits.oneshot-uniffi]]
1563 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1564 criteria = "safe-to-deploy"
1565 delta = "0.1.5 -> 0.1.6"
1566 notes = "Synced with the orginal crate, no new unsafe"
1567 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1569 [[audits.mozilla.audits.rkv]]
1570 who = "Kagami Sascha Rosylight <krosylight@mozilla.com>"
1571 criteria = "safe-to-deploy"
1572 delta = "0.18.4 -> 0.19.0"
1573 notes = "Maintained by Mozilla, no addition of unsafe blocks"
1574 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1576 [[audits.mozilla.audits.scroll]]
1577 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1578 criteria = "safe-to-deploy"
1579 delta = "0.11.0 -> 0.12.0"
1580 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1582 [[audits.mozilla.audits.scroll_derive]]
1583 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1584 criteria = "safe-to-deploy"
1585 delta = "0.11.1 -> 0.12.0"
1586 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1588 [[audits.mozilla.audits.smawk]]
1589 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1590 criteria = "safe-to-deploy"
1592 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
1594 [[audits.mozilla.audits.textwrap]]
1595 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
1596 criteria = "safe-to-deploy"
1598 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"