2 # cargo-vet config file
# Each [imports.<peer>] table names another organisation's audits.toml. Audits
# published there count toward this project's criteria, so every entry here
# extends trust to that peer's reviewers.
# Every URL below tracks the peer repository's `main` branch, so the remote
# content can change between fetches. cargo-vet caches what it fetched in
# imports.lock; read that file's diff whenever the imports are refreshed.
# NOTE(review): the table headers for the last three `url` keys are not shown
# in this listing.
7 [imports.bytecode-alliance]
8 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
10 [imports.embark-studios]
11 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
14 url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
17 url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
20 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
# Per-crate policy overrides. Several [policy.<crate>] headers are not shown in
# this listing; each group of keys below belongs to one crate.
#   audit-as-crates-io = true   the local, patched or pinned copy is treated like
#                               the crates.io package and must be covered by
#                               audits or exemptions.
#   audit-as-crates-io = false  the in-tree crate is treated as first-party and
#                               needs no audit, even though a crate of the same
#                               name exists on crates.io.
#   criteria = "safe-to-run"    lowers the requirement for this crate's subtree;
#                               the notes justify it by non-shipping use
#                               (testing, fuzzing, automation).
#   dependency-criteria         overrides the requirement for individual
#                               dependency edges of this crate.
# NOTE(review): where the notes describe local fixes on top of upstream, an audit
# of the published release does not cover the local delta; confirm the patched
# code is what was reviewed.
23 audit-as-crates-io = true
24 notes = "This is the upstream code plus a few local fixes, see bug 1685697."
27 audit-as-crates-io = true
28 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
31 audit-as-crates-io = true
32 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
# A pinned pre-release revision does not pick up later upstream fixes on its own;
# the note's follow-up (move to an official release) is still open here.
35 audit-as-crates-io = true
36 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
39 audit-as-crates-io = true
40 notes = "This is upstream plus a warning fix from bug 1823866."
43 audit-as-crates-io = true
44 notes = "Unpublished wgpu revisions point to unpublished d3d12 revisions."
46 [policy.firefox-on-glean]
47 audit-as-crates-io = false
48 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
51 audit-as-crates-io = false
52 criteria = "safe-to-run"
53 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
56 criteria = "safe-to-run"
57 notes = "Used for testing."
59 [policy.gkrust-shared]
# An empty criteria list means no audit is required for that dependency edge;
# the two crates named here are therefore not vetted through gkrust-shared.
60 dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
61 notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
64 criteria = "safe-to-run"
65 notes = "Used for fuzzing."
68 criteria = "safe-to-run"
69 notes = "Used for testing."
# These two dependencies are held to safe-to-run only; per the notes they are
# optional dependencies used by benchmarks and integration tests.
72 dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
73 notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
76 audit-as-crates-io = false
77 notes = "This override is an api-compatible fork with an orthogonal implementation."
79 [policy.malloc_size_of_derive]
80 audit-as-crates-io = false
81 notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
84 audit-as-crates-io = false
85 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
88 audit-as-crates-io = true
89 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
92 audit-as-crates-io = true
93 notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
96 audit-as-crates-io = false
97 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
100 audit-as-crates-io = false
101 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
103 [policy.mozglue-static]
# The build-script-only dependency is held to safe-to-run. A build script still
# executes on the build host, which is the exposure safe-to-run is meant to cover.
104 dependency-criteria = { rustc_version = "safe-to-run" }
105 notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
108 audit-as-crates-io = false
109 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
112 audit-as-crates-io = false
113 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
116 audit-as-crates-io = false
117 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
# NOTE(review): no notes key is shown for this entry or for several later
# `audit-as-crates-io = false` entries; a one-line reason would make the
# first-party claim reviewable.
120 audit-as-crates-io = false
122 [policy.mp4parse_capi]
123 audit-as-crates-io = false
126 audit-as-crates-io = true
127 notes = "wgpu-core pins this crate."
129 [policy.packed_simd_2]
130 audit-as-crates-io = true
131 notes = "Based on upstream, see bug 1719674."
134 audit-as-crates-io = false
136 [policy.peek-poke-derive]
137 audit-as-crates-io = false
140 audit-as-crates-io = false
141 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
144 audit-as-crates-io = true
145 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
148 audit-as-crates-io = true
149 notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
152 audit-as-crates-io = true
153 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
156 audit-as-crates-io = true
157 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
160 criteria = "safe-to-run"
161 notes = "We're not shipping this and have no plans to ship it."
164 audit-as-crates-io = false
165 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
168 audit-as-crates-io = false
169 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
172 audit-as-crates-io = false
173 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
176 audit-as-crates-io = true
177 notes = "This is a third-party crate, with an extra patch."
180 audit-as-crates-io = false
181 criteria = "safe-to-run"
182 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
185 audit-as-crates-io = false
187 [policy.webrender_api]
188 audit-as-crates-io = false
190 [policy.webrender_build]
191 audit-as-crates-io = false
194 audit-as-crates-io = true
195 notes = "Upstream project which we pin."
198 audit-as-crates-io = true
199 notes = "Upstream project which we pin."
202 audit-as-crates-io = true
203 notes = "Upstream project which we pin."
205 [policy.wr_malloc_size_of]
206 audit-as-crates-io = false
# Exemptions: each [[exemptions.<crate>]] entry accepts one specific crate
# version at the listed criteria WITHOUT an audit. The list is the unaudited
# backlog, not a record of review. Most `version` keys and some headers are not
# shown in this listing.
# An exemption is tied to the version it names, so a dependency bump needs a new
# audit or a new exemption. `cargo vet prune` drops entries that are no longer
# needed.
210 criteria = "safe-to-deploy"
214 criteria = "safe-to-deploy"
218 criteria = "safe-to-deploy"
220 [[exemptions.alsa-sys]]
222 criteria = "safe-to-deploy"
224 [[exemptions.android_log-sys]]
226 criteria = "safe-to-deploy"
228 [[exemptions.askama_derive]]
230 criteria = "safe-to-deploy"
232 [[exemptions.askama_escape]]
234 criteria = "safe-to-deploy"
236 [[exemptions.askama_shared]]
238 criteria = "safe-to-deploy"
240 [[exemptions.async-task]]
242 criteria = "safe-to-deploy"
244 [[exemptions.bincode]]
246 criteria = "safe-to-deploy"
248 [[exemptions.bitflags]]
250 criteria = "safe-to-deploy"
252 [[exemptions.bitreader]]
254 criteria = "safe-to-deploy"
258 criteria = "safe-to-deploy"
260 [[exemptions.cache-padded]]
262 criteria = "safe-to-deploy"
264 [[exemptions.camino]]
266 criteria = "safe-to-deploy"
268 [[exemptions.chrono]]
270 criteria = "safe-to-deploy"
272 [[exemptions.chunky-vec]]
274 criteria = "safe-to-deploy"
276 [[exemptions.clang-sys]]
278 criteria = "safe-to-deploy"
280 [[exemptions.cookie]]
282 criteria = "safe-to-run"
284 [[exemptions.coreaudio-sys]]
286 criteria = "safe-to-deploy"
288 [[exemptions.coremidi]]
# This exemption names a git revision rather than a crates.io release, so it
# covers exactly that commit; moving the pin requires a fresh audit or exemption.
289 version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
290 criteria = "safe-to-deploy"
# Unaudited crate versions accepted at the listed criteria. Most `version` keys
# and some table headers are not shown in this listing. "safe-to-deploy" is the
# stricter built-in criterion and implies "safe-to-run".
292 [[exemptions.coremidi-sys]]
294 criteria = "safe-to-deploy"
298 criteria = "safe-to-deploy"
300 [[exemptions.cose-c]]
302 criteria = "safe-to-deploy"
304 [[exemptions.cpufeatures]]
306 criteria = "safe-to-deploy"
308 [[exemptions.crc32fast]]
310 criteria = "safe-to-deploy"
312 [[exemptions.crossbeam-channel]]
314 criteria = "safe-to-deploy"
316 [[exemptions.crossbeam-deque]]
318 criteria = "safe-to-deploy"
320 [[exemptions.crossbeam-epoch]]
322 criteria = "safe-to-deploy"
324 [[exemptions.crossbeam-utils]]
326 criteria = "safe-to-deploy"
330 criteria = "safe-to-deploy"
332 [[exemptions.darling]]
334 criteria = "safe-to-deploy"
336 [[exemptions.darling_core]]
338 criteria = "safe-to-deploy"
340 [[exemptions.darling_macro]]
342 criteria = "safe-to-deploy"
344 [[exemptions.data-encoding]]
346 criteria = "safe-to-deploy"
350 criteria = "safe-to-deploy"
352 [[exemptions.devd-rs]]
354 criteria = "safe-to-deploy"
356 [[exemptions.digest]]
358 criteria = "safe-to-deploy"
362 criteria = "safe-to-deploy"
364 [[exemptions.dirs-sys]]
366 criteria = "safe-to-deploy"
368 [[exemptions.dns-parser]]
370 criteria = "safe-to-deploy"
372 [[exemptions.enumset]]
374 criteria = "safe-to-deploy"
376 [[exemptions.enumset_derive]]
378 criteria = "safe-to-deploy"
380 [[exemptions.env_logger]]
382 criteria = "safe-to-deploy"
384 [[exemptions.error-chain]]
386 criteria = "safe-to-deploy"
388 [[exemptions.fallible-iterator]]
390 criteria = "safe-to-deploy"
392 [[exemptions.fallible-streaming-iterator]]
394 criteria = "safe-to-deploy"
396 [[exemptions.fallible_collections]]
398 criteria = "safe-to-deploy"
400 [[exemptions.ffi-support]]
402 criteria = "safe-to-deploy"
404 [[exemptions.float-cmp]]
406 criteria = "safe-to-deploy"
408 [[exemptions.fs-err]]
410 criteria = "safe-to-deploy"
412 [[exemptions.fuchsia-zircon]]
414 criteria = "safe-to-run"
416 [[exemptions.fuchsia-zircon-sys]]
418 criteria = "safe-to-run"
420 [[exemptions.futures]]
422 criteria = "safe-to-deploy"
424 [[exemptions.futures-macro]]
426 criteria = "safe-to-deploy"
428 [[exemptions.futures-task]]
430 criteria = "safe-to-deploy"
432 [[exemptions.futures-util]]
434 criteria = "safe-to-deploy"
436 [[exemptions.generic-array]]
438 criteria = "safe-to-deploy"
440 [[exemptions.getrandom]]
442 criteria = "safe-to-deploy"
444 [[exemptions.gl_generator]]
446 criteria = "safe-to-deploy"
450 criteria = "safe-to-deploy"
452 [[exemptions.goblin]]
454 criteria = "safe-to-deploy"
456 [[exemptions.gpu-alloc]]
458 criteria = "safe-to-deploy"
460 [[exemptions.gpu-alloc-types]]
462 criteria = "safe-to-deploy"
464 [[exemptions.gpu-descriptor]]
466 criteria = "safe-to-deploy"
468 [[exemptions.gpu-descriptor-types]]
470 criteria = "safe-to-deploy"
472 [[exemptions.hashlink]]
474 criteria = "safe-to-deploy"
476 [[exemptions.hermit-abi]]
478 criteria = "safe-to-deploy"
480 [[exemptions.hexf-parse]]
482 criteria = "safe-to-deploy"
484 [[exemptions.instant]]
486 criteria = "safe-to-deploy"
488 [[exemptions.ioctl-sys]]
490 criteria = "safe-to-deploy"
492 [[exemptions.itertools]]
494 criteria = "safe-to-deploy"
496 [[exemptions.khronos-egl]]
498 criteria = "safe-to-deploy"
500 [[exemptions.khronos_api]]
502 criteria = "safe-to-deploy"
504 [[exemptions.lazycell]]
506 criteria = "safe-to-deploy"
508 [[exemptions.libdbus-sys]]
510 criteria = "safe-to-deploy"
512 [[exemptions.libloading]]
514 criteria = "safe-to-deploy"
516 [[exemptions.libsqlite3-sys]]
518 criteria = "safe-to-deploy"
# The rationale below depends on the in-gecko feature staying enabled.
# NOTE(review): if that feature selection changes, the embedded C code would be
# built and this exemption's justification would no longer apply; confirm on
# every version bump.
520 notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
522 [[exemptions.libudev]]
524 criteria = "safe-to-deploy"
526 [[exemptions.lmdb-rkv-sys]]
528 criteria = "safe-to-deploy"
# NOTE(review): per the note this crate is expected to stay unaudited while it is
# accepted at safe-to-deploy; the exemption should be removed together with the
# LMDB-backed RKV code rather than left behind.
530 notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
# Unaudited crate versions accepted at the listed criteria. Most `version` keys
# and some table headers are not shown in this listing.
# "safe-to-run" entries are held to the weaker built-in criterion.
# NOTE(review): that is appropriate only while the crate stays out of shipped
# code; re-check when a dependency's usage changes.
534 criteria = "safe-to-deploy"
536 [[exemptions.memalloc]]
538 criteria = "safe-to-deploy"
540 [[exemptions.memmap2]]
542 criteria = "safe-to-deploy"
544 [[exemptions.memoffset]]
546 criteria = "safe-to-deploy"
550 criteria = "safe-to-deploy"
554 criteria = "safe-to-deploy"
556 [[exemptions.mime_guess]]
558 criteria = "safe-to-deploy"
560 [[exemptions.minimal-lexical]]
562 criteria = "safe-to-deploy"
564 [[exemptions.miniz_oxide]]
566 criteria = "safe-to-deploy"
570 criteria = "safe-to-deploy"
572 [[exemptions.mio-extras]]
574 criteria = "safe-to-run"
578 criteria = "safe-to-deploy"
580 [[exemptions.murmurhash3]]
582 criteria = "safe-to-deploy"
586 criteria = "safe-to-run"
590 criteria = "safe-to-deploy"
594 criteria = "safe-to-deploy"
598 criteria = "safe-to-deploy"
602 criteria = "safe-to-deploy"
604 [[exemptions.objc_exception]]
606 criteria = "safe-to-deploy"
608 [[exemptions.object]]
610 criteria = "safe-to-deploy"
612 [[exemptions.once_cell]]
614 criteria = "safe-to-deploy"
616 [[exemptions.owning_ref]]
618 criteria = "safe-to-deploy"
620 [[exemptions.packed_simd_2]]
622 criteria = "safe-to-deploy"
626 criteria = "safe-to-deploy"
628 [[exemptions.phf_codegen]]
630 criteria = "safe-to-deploy"
632 [[exemptions.phf_generator]]
634 criteria = "safe-to-deploy"
636 [[exemptions.phf_macros]]
638 criteria = "safe-to-deploy"
640 [[exemptions.phf_shared]]
642 criteria = "safe-to-deploy"
644 [[exemptions.pin-project-lite]]
646 criteria = "safe-to-deploy"
650 criteria = "safe-to-deploy"
654 criteria = "safe-to-run"
656 [[exemptions.ppv-lite86]]
658 criteria = "safe-to-deploy"
660 [[exemptions.profiling]]
662 criteria = "safe-to-deploy"
666 criteria = "safe-to-deploy"
668 [[exemptions.prost-derive]]
670 criteria = "safe-to-deploy"
674 criteria = "safe-to-deploy"
676 [[exemptions.quick-error]]
678 criteria = "safe-to-deploy"
682 criteria = "safe-to-deploy"
684 [[exemptions.rand_chacha]]
686 criteria = "safe-to-deploy"
688 [[exemptions.rand_core]]
690 criteria = "safe-to-deploy"
692 [[exemptions.redox_syscall]]
694 criteria = "safe-to-deploy"
696 [[exemptions.remove_dir_all]]
698 criteria = "safe-to-deploy"
700 [[exemptions.replace_with]]
702 criteria = "safe-to-deploy"
704 [[exemptions.ringbuf]]
706 criteria = "safe-to-deploy"
710 criteria = "safe-to-deploy"
712 [[exemptions.runloop]]
714 criteria = "safe-to-deploy"
716 [[exemptions.rusqlite]]
718 criteria = "safe-to-deploy"
720 [[exemptions.rust-ini]]
722 criteria = "safe-to-deploy"
724 [[exemptions.rust_decimal]]
726 criteria = "safe-to-deploy"
728 [[exemptions.scroll]]
730 criteria = "safe-to-deploy"
732 [[exemptions.scroll_derive]]
734 criteria = "safe-to-deploy"
736 [[exemptions.self_cell]]
738 criteria = "safe-to-deploy"
740 [[exemptions.serde_with]]
742 criteria = "safe-to-deploy"
744 [[exemptions.serde_with_macros]]
746 criteria = "safe-to-deploy"
750 criteria = "safe-to-deploy"
754 criteria = "safe-to-deploy"
758 criteria = "safe-to-deploy"
760 [[exemptions.siphasher]]
762 criteria = "safe-to-deploy"
764 [[exemptions.socket2]]
766 criteria = "safe-to-deploy"
# The `+1.5.4` suffix is SemVer build metadata; the crate this entry belongs to
# is not shown in this listing.
# NOTE(review): presumably it records the version of a bundled upstream library.
# Confirm, because bundled native code is not covered by a review of the Rust
# sources alone.
769 version = "0.2.0+1.5.4"
770 criteria = "safe-to-deploy"
772 [[exemptions.stable_deref_trait]]
774 criteria = "safe-to-deploy"
776 [[exemptions.static_assertions]]
778 criteria = "safe-to-deploy"
780 [[exemptions.strsim]]
782 criteria = "safe-to-deploy"
784 [[exemptions.tempfile]]
786 criteria = "safe-to-deploy"
790 criteria = "safe-to-deploy"
794 criteria = "safe-to-run"
796 [[exemptions.time-macros]]
798 criteria = "safe-to-run"
802 criteria = "safe-to-run"
804 [[exemptions.triple_buffer]]
806 criteria = "safe-to-deploy"
808 [[exemptions.type-map]]
810 criteria = "safe-to-deploy"
812 [[exemptions.typenum]]
814 criteria = "safe-to-deploy"
816 [[exemptions.unix_path]]
818 criteria = "safe-to-run"
820 [[exemptions.unix_str]]
822 criteria = "safe-to-run"
826 criteria = "safe-to-deploy"
830 criteria = "safe-to-deploy"
832 [[exemptions.webrtc-sdp]]
834 criteria = "safe-to-deploy"
836 [[exemptions.winapi]]
838 criteria = "safe-to-deploy"
840 [[exemptions.winapi-i686-pc-windows-gnu]]
842 criteria = "safe-to-deploy"
844 [[exemptions.winapi-x86_64-pc-windows-gnu]]
846 criteria = "safe-to-deploy"
850 criteria = "safe-to-deploy"
852 [[exemptions.xml-rs]]
854 criteria = "safe-to-deploy"
858 criteria = "safe-to-run"