# cargo-vet config file
# Sections: [imports.*] pull in audit sets published by other organizations, [policy.*] override
# how a specific crate is vetted, and [[exemptions.*]] accept a crate version at the stated
# criteria without an audit (an exemption is a known gap, not a certification).
# Audits fetched from these URLs are snapshotted in imports.lock, so a later change to the remote
# branch does not silently alter what is trusted here (CI should run cargo vet with --locked).
# Importing an audit set still means trusting that organization's auditors for the criteria they
# certify; review additions to this list with that in mind.
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
10 [imports.embark-studios]
11 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
14 url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
17 url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
20 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
23 audit-as-crates-io = true
24 notes = "This is the upstream code plus a few local fixes, see bug 1685697."
27 audit-as-crates-io = true
28 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
31 audit-as-crates-io = true
32 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
35 audit-as-crates-io = true
36 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
39 audit-as-crates-io = true
40 notes = "This is upstream plus a warning fix from bug 1823866."
43 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
46 [policy.diplomat-runtime]
47 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
50 [policy.diplomat_core]
51 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
54 [policy.firefox-on-glean]
55 audit-as-crates-io = false
56 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
59 audit-as-crates-io = false
60 criteria = "safe-to-run"
61 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
64 criteria = "safe-to-run"
65 notes = "Used for testing."
# An empty criteria list means cargo-vet requires nothing of that dependency edge: tokio-reactor
# and tokio-threadpool are effectively exempt from vetting here, not audited. Remove these entries
# once the audioipc-{client,server} version pin they exist for is gone.
[policy.gkrust-shared]
dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
72 criteria = "safe-to-run"
73 notes = "Used for fuzzing."
76 criteria = "safe-to-run"
77 notes = "Used for testing."
79 [policy.icu_provider_macros]
80 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
84 audit-as-crates-io = false
notes = "Customized ICU4X baked data containing only the data Gecko wants."
88 dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
notes = "This crate has two testing-only dependencies which are specified as regular-but-optional dependencies rather than as dev-dependencies, because they need to be available to both benchmarks and integration tests."
92 audit-as-crates-io = false
93 notes = "This override is an api-compatible fork with an orthogonal implementation."
95 [policy.malloc_size_of_derive]
96 audit-as-crates-io = false
97 notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
100 audit-as-crates-io = false
101 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
104 audit-as-crates-io = true
105 notes = "Upstream project which we pin."
108 audit-as-crates-io = true
109 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
# Scoped to this exact git revision, which is the right granularity for an unreleased pin.
# audit-as-crates-io applies the audits that exist for the published 0.17.0 to this commit; any
# upstream change between the 0.17.0 release and this revision is not covered by an audit, so
# re-check that delta whenever the pin moves.
[policy."minidump-common:0.17.0@git:6ae42a7f992e8a88ebee661bc77bcedb95cd671f"]
audit-as-crates-io = true
notes = "Unreleased upstream."
115 [policy.minidump-writer]
116 audit-as-crates-io = true
117 notes = "Unreleased upstream."
# cargo-vet treats this fork as the published mio 0.6.23 and applies that version's audits to it.
# The local modifications described below are not themselves audited, so the fork must stay
# limited to dependency tweaks; any code change would need its own audit.
[policy."mio:0.6.23"]
audit-as-crates-io = true
notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
124 audit-as-crates-io = false
125 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
128 audit-as-crates-io = false
129 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
131 [policy.mozglue-static]
132 dependency-criteria = { rustc_version = "safe-to-run" }
notes = "The rustc_version dependency is only used in the build script and does not generate any runtime code."
135 [policy.mozilla-central-workspace-hack]
136 audit-as-crates-io = false
137 criteria = "safe-to-run"
138 notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
141 audit-as-crates-io = false
142 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
145 audit-as-crates-io = false
146 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
149 audit-as-crates-io = false
150 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
153 audit-as-crates-io = false
155 [policy.mp4parse_capi]
156 audit-as-crates-io = false
159 audit-as-crates-io = true
160 notes = "wgpu-core pins this crate."
163 audit-as-crates-io = false
165 [policy.peek-poke-derive]
166 audit-as-crates-io = false
168 [policy.prost-derive]
169 audit-as-crates-io = true
170 notes = "Fork of prost-derive with support for syn 2"
173 audit-as-crates-io = false
174 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
177 audit-as-crates-io = true
178 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
181 audit-as-crates-io = true
182 notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
185 audit-as-crates-io = true
186 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
189 audit-as-crates-io = true
190 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
193 criteria = "safe-to-run"
194 notes = "We're not shipping this and have no plans to ship it."
197 audit-as-crates-io = false
198 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
201 audit-as-crates-io = false
202 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
205 audit-as-crates-io = false
206 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
209 audit-as-crates-io = true
210 notes = "This is a third-party crate, with an extra patch."
213 audit-as-crates-io = false
214 criteria = "safe-to-run"
215 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
218 audit-as-crates-io = false
220 [policy.webrender_api]
221 audit-as-crates-io = false
223 [policy.webrender_build]
224 audit-as-crates-io = false
227 audit-as-crates-io = true
228 notes = "Upstream project which we pin."
231 audit-as-crates-io = true
232 notes = "Upstream project which we pin."
235 audit-as-crates-io = true
236 notes = "Upstream project which we pin."
238 [policy.wr_malloc_size_of]
239 audit-as-crates-io = false
242 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
245 [policy.zerofrom-derive]
246 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
249 [policy.zerovec-derive]
250 audit-as-crates-io = true
notes = "Upstream version that does not use syn 1.x."
255 criteria = "safe-to-deploy"
259 criteria = "safe-to-deploy"
261 [[exemptions.alsa-sys]]
263 criteria = "safe-to-deploy"
265 [[exemptions.android_log-sys]]
267 criteria = "safe-to-deploy"
269 [[exemptions.askama_derive]]
271 criteria = "safe-to-deploy"
273 [[exemptions.askama_escape]]
275 criteria = "safe-to-deploy"
277 [[exemptions.async-task]]
279 criteria = "safe-to-deploy"
281 [[exemptions.bincode]]
283 criteria = "safe-to-deploy"
285 [[exemptions.bitflags]]
287 criteria = "safe-to-deploy"
289 [[exemptions.bitreader]]
291 criteria = "safe-to-deploy"
295 criteria = "safe-to-deploy"
297 [[exemptions.cache-padded]]
299 criteria = "safe-to-deploy"
301 [[exemptions.camino]]
303 criteria = "safe-to-deploy"
305 [[exemptions.chrono]]
307 criteria = "safe-to-deploy"
309 [[exemptions.chunky-vec]]
311 criteria = "safe-to-deploy"
313 [[exemptions.clang-sys]]
315 criteria = "safe-to-deploy"
317 [[exemptions.cookie]]
319 criteria = "safe-to-run"
321 [[exemptions.coreaudio-sys]]
323 criteria = "safe-to-deploy"
325 [[exemptions.coremidi]]
326 version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
327 criteria = "safe-to-deploy"
329 [[exemptions.coremidi-sys]]
331 criteria = "safe-to-deploy"
335 criteria = "safe-to-deploy"
337 [[exemptions.cose-c]]
339 criteria = "safe-to-deploy"
341 [[exemptions.cpufeatures]]
343 criteria = "safe-to-deploy"
345 [[exemptions.crc32fast]]
347 criteria = "safe-to-deploy"
349 [[exemptions.crossbeam-channel]]
351 criteria = "safe-to-deploy"
353 [[exemptions.crossbeam-deque]]
355 criteria = "safe-to-deploy"
357 [[exemptions.crossbeam-epoch]]
359 criteria = "safe-to-deploy"
361 [[exemptions.crossbeam-utils]]
363 criteria = "safe-to-deploy"
367 criteria = "safe-to-deploy"
369 [[exemptions.darling]]
371 criteria = "safe-to-deploy"
373 [[exemptions.darling_core]]
375 criteria = "safe-to-deploy"
377 [[exemptions.darling_macro]]
379 criteria = "safe-to-deploy"
381 [[exemptions.data-encoding]]
383 criteria = "safe-to-deploy"
387 criteria = "safe-to-deploy"
389 [[exemptions.derive_more-impl]]
390 version = "1.0.0-beta.2"
391 criteria = "safe-to-deploy"
notes = "The crate is new as of version 1.0.x and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information as a delta audit across crate names, hence this exemption."
394 [[exemptions.devd-rs]]
396 criteria = "safe-to-deploy"
398 [[exemptions.digest]]
400 criteria = "safe-to-deploy"
404 criteria = "safe-to-deploy"
406 [[exemptions.dirs-sys]]
408 criteria = "safe-to-deploy"
410 [[exemptions.dns-parser]]
412 criteria = "safe-to-deploy"
414 [[exemptions.enumset]]
416 criteria = "safe-to-deploy"
418 [[exemptions.enumset_derive]]
420 criteria = "safe-to-deploy"
422 [[exemptions.env_logger]]
424 criteria = "safe-to-deploy"
426 [[exemptions.error-chain]]
428 criteria = "safe-to-deploy"
430 [[exemptions.fallible-iterator]]
432 criteria = "safe-to-deploy"
434 [[exemptions.fallible-streaming-iterator]]
436 criteria = "safe-to-deploy"
438 [[exemptions.fallible_collections]]
440 criteria = "safe-to-deploy"
442 [[exemptions.ffi-support]]
444 criteria = "safe-to-deploy"
446 [[exemptions.float-cmp]]
448 criteria = "safe-to-deploy"
450 [[exemptions.fs-err]]
452 criteria = "safe-to-deploy"
454 [[exemptions.fuchsia-zircon]]
456 criteria = "safe-to-run"
458 [[exemptions.fuchsia-zircon-sys]]
460 criteria = "safe-to-run"
462 [[exemptions.futures-macro]]
464 criteria = "safe-to-deploy"
466 [[exemptions.futures-task]]
468 criteria = "safe-to-deploy"
470 [[exemptions.futures-util]]
472 criteria = "safe-to-deploy"
474 [[exemptions.generic-array]]
476 criteria = "safe-to-deploy"
478 [[exemptions.getrandom]]
480 criteria = "safe-to-deploy"
482 [[exemptions.gl_generator]]
484 criteria = "safe-to-deploy"
488 criteria = "safe-to-deploy"
490 [[exemptions.goblin]]
492 criteria = "safe-to-deploy"
494 [[exemptions.gpu-alloc]]
496 criteria = "safe-to-deploy"
498 [[exemptions.gpu-alloc-types]]
500 criteria = "safe-to-deploy"
502 [[exemptions.gpu-descriptor]]
504 criteria = "safe-to-deploy"
506 [[exemptions.gpu-descriptor-types]]
508 criteria = "safe-to-deploy"
510 [[exemptions.hashlink]]
512 criteria = "safe-to-deploy"
514 [[exemptions.hermit-abi]]
516 criteria = "safe-to-deploy"
518 [[exemptions.hexf-parse]]
520 criteria = "safe-to-deploy"
522 [[exemptions.instant]]
524 criteria = "safe-to-deploy"
526 [[exemptions.ioctl-sys]]
528 criteria = "safe-to-deploy"
530 [[exemptions.itertools]]
532 criteria = "safe-to-deploy"
534 [[exemptions.khronos-egl]]
536 criteria = "safe-to-deploy"
538 [[exemptions.khronos_api]]
540 criteria = "safe-to-deploy"
542 [[exemptions.lazycell]]
544 criteria = "safe-to-deploy"
546 [[exemptions.libdbus-sys]]
548 criteria = "safe-to-deploy"
550 [[exemptions.libloading]]
552 criteria = "safe-to-deploy"
554 [[exemptions.libsqlite3-sys]]
556 criteria = "safe-to-deploy"
notes = "With the in-gecko feature we enable, only the pre-built bindings are used and none of the embedded C code is built. The build script was audited and does nothing besides exposing those bindings."
560 [[exemptions.libudev]]
562 criteria = "safe-to-deploy"
564 [[exemptions.lmdb-rkv-sys]]
566 criteria = "safe-to-deploy"
notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never audit this; remove the exemption when the dependency is dropped."
572 criteria = "safe-to-deploy"
574 [[exemptions.memalloc]]
576 criteria = "safe-to-deploy"
578 [[exemptions.memmap2]]
580 criteria = "safe-to-deploy"
582 [[exemptions.memoffset]]
584 criteria = "safe-to-deploy"
588 criteria = "safe-to-deploy"
590 [[exemptions.mime_guess]]
592 criteria = "safe-to-deploy"
594 [[exemptions.minimal-lexical]]
596 criteria = "safe-to-deploy"
598 [[exemptions.miniz_oxide]]
600 criteria = "safe-to-deploy"
604 criteria = "safe-to-deploy"
606 [[exemptions.mio-extras]]
608 criteria = "safe-to-run"
612 criteria = "safe-to-deploy"
614 [[exemptions.murmurhash3]]
616 criteria = "safe-to-deploy"
620 criteria = "safe-to-run"
624 criteria = "safe-to-deploy"
628 criteria = "safe-to-deploy"
632 criteria = "safe-to-deploy"
636 criteria = "safe-to-deploy"
638 [[exemptions.objc_exception]]
640 criteria = "safe-to-deploy"
642 [[exemptions.object]]
644 criteria = "safe-to-deploy"
646 [[exemptions.once_cell]]
648 criteria = "safe-to-deploy"
650 [[exemptions.owning_ref]]
652 criteria = "safe-to-deploy"
654 [[exemptions.packed_simd]]
656 criteria = "safe-to-deploy"
660 criteria = "safe-to-deploy"
662 [[exemptions.phf_codegen]]
664 criteria = "safe-to-deploy"
666 [[exemptions.phf_generator]]
668 criteria = "safe-to-deploy"
670 [[exemptions.phf_macros]]
672 criteria = "safe-to-deploy"
674 [[exemptions.phf_shared]]
676 criteria = "safe-to-deploy"
680 criteria = "safe-to-deploy"
684 criteria = "safe-to-run"
686 [[exemptions.ppv-lite86]]
688 criteria = "safe-to-deploy"
690 [[exemptions.profiling]]
692 criteria = "safe-to-deploy"
696 criteria = "safe-to-deploy"
698 [[exemptions.prost-derive]]
700 criteria = "safe-to-deploy"
704 criteria = "safe-to-deploy"
706 [[exemptions.quick-error]]
708 criteria = "safe-to-deploy"
712 criteria = "safe-to-deploy"
714 [[exemptions.remove_dir_all]]
716 criteria = "safe-to-deploy"
718 [[exemptions.replace_with]]
720 criteria = "safe-to-deploy"
722 [[exemptions.ringbuf]]
724 criteria = "safe-to-deploy"
728 criteria = "safe-to-deploy"
730 [[exemptions.runloop]]
732 criteria = "safe-to-deploy"
734 [[exemptions.rusqlite]]
736 criteria = "safe-to-deploy"
738 [[exemptions.rust-ini]]
740 criteria = "safe-to-deploy"
742 [[exemptions.rust_decimal]]
744 criteria = "safe-to-deploy"
746 [[exemptions.scroll]]
748 criteria = "safe-to-deploy"
750 [[exemptions.scroll_derive]]
752 criteria = "safe-to-deploy"
754 [[exemptions.self_cell]]
756 criteria = "safe-to-deploy"
758 [[exemptions.serde_with]]
760 criteria = "safe-to-deploy"
762 [[exemptions.serde_with_macros]]
764 criteria = "safe-to-deploy"
768 criteria = "safe-to-deploy"
772 criteria = "safe-to-deploy"
774 [[exemptions.siphasher]]
776 criteria = "safe-to-deploy"
778 [[exemptions.socket2]]
780 criteria = "safe-to-deploy"
783 version = "0.2.0+1.5.4"
784 criteria = "safe-to-deploy"
786 [[exemptions.stable_deref_trait]]
788 criteria = "safe-to-deploy"
790 [[exemptions.static_assertions]]
792 criteria = "safe-to-deploy"
794 [[exemptions.strsim]]
796 criteria = "safe-to-deploy"
798 [[exemptions.tempfile]]
800 criteria = "safe-to-deploy"
804 criteria = "safe-to-deploy"
808 criteria = "safe-to-run"
810 [[exemptions.triple_buffer]]
812 criteria = "safe-to-deploy"
814 [[exemptions.type-map]]
816 criteria = "safe-to-deploy"
818 [[exemptions.typenum]]
820 criteria = "safe-to-deploy"
822 [[exemptions.unix_path]]
824 criteria = "safe-to-run"
826 [[exemptions.unix_str]]
828 criteria = "safe-to-run"
832 criteria = "safe-to-deploy"
836 criteria = "safe-to-deploy"
838 [[exemptions.webrtc-sdp]]
840 criteria = "safe-to-deploy"
842 [[exemptions.winapi]]
844 criteria = "safe-to-deploy"
846 [[exemptions.winapi-i686-pc-windows-gnu]]
848 criteria = "safe-to-deploy"
850 [[exemptions.winapi-x86_64-pc-windows-gnu]]
852 criteria = "safe-to-deploy"
856 criteria = "safe-to-deploy"
858 [[exemptions.xml-rs]]
860 criteria = "safe-to-deploy"
864 criteria = "safe-to-run"