# NOTE(review): this listing keeps the original file's line numbers as a
# leading column and omits some lines (the numbers jump, e.g. 11 -> 14), so
# the table headers for the url entries at 14, 17 and 20 are not shown here.
2 # cargo-vet config file
# [imports.*]: audit sets published by other organisations that cargo-vet
# accepts alongside local audits. Each entry extends trust to whoever can
# write to the referenced repository.
7 [imports.bytecode-alliance]
# Every url in this section points at the `main` branch, which is a mutable
# reference: the remote file can change between fetches. cargo-vet snapshots
# fetched audits in imports.lock; review that file's diff whenever it changes.
8 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
10 [imports.embark-studios]
11 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
14 url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
17 url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
20 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
# [policy.*] entries; several table headers are omitted from this listing.
# audit-as-crates-io = true: a vendored, patched or pinned copy is held to the
# same audit requirements as the crates.io crate of that name.
# NOTE(review): for entries whose notes mention local patches, confirm that an
# audit actually covers the patched code and not only the upstream release.
23 audit-as-crates-io = true
24 notes = "This is the upstream code plus a few local fixes, see bug 1685697."
27 audit-as-crates-io = true
28 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
31 audit-as-crates-io = true
32 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
35 audit-as-crates-io = true
36 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
39 audit-as-crates-io = true
40 notes = "This is upstream plus a warning fix from bug 1823866."
43 audit-as-crates-io = true
44 notes = "Upstream release plus a couple unpublished changes"
46 [policy.cssparser-macros]
47 audit-as-crates-io = true
48 notes = "Upstream release plus a couple unpublished changes"
51 audit-as-crates-io = true
52 notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
54 [policy.firefox-on-glean]
# audit-as-crates-io = false: the crate is treated as first-party and is not
# checked against audits, even though a crate of the same name exists on
# crates.io. The notes key is the only record of why that is acceptable.
55 audit-as-crates-io = false
56 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
59 audit-as-crates-io = false
# criteria = "safe-to-run" lowers the requirement for this crate's dependency
# subtree below cargo-vet's default of safe-to-deploy. The notes justify it by
# the crate being used only for automation.
60 criteria = "safe-to-run"
61 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
64 criteria = "safe-to-run"
65 notes = "Used for testing."
67 [policy.gkrust-shared]
# An empty criteria list requires nothing of that dependency: vetting of
# tokio-reactor and tokio-threadpool is switched off beneath this crate.
68 dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
69 notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
72 criteria = "safe-to-run"
73 notes = "Used for fuzzing."
76 criteria = "safe-to-run"
77 notes = "Used for testing."
80 audit-as-crates-io = true
81 notes = "Patched version of upstream"
83 [policy.icu_segmenter_data]
84 audit-as-crates-io = true
85 notes = "Patched version of upstream"
# Two optional dependencies are lowered to safe-to-run because the notes
# describe them as testing-only.
# NOTE(review): nothing in this file enforces that those optional
# dependencies stay out of shipped builds; verify against the feature set.
88 dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
89 notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
92 audit-as-crates-io = false
93 notes = "This override is an api-compatible fork with an orthogonal implementation."
95 [policy.malloc_size_of_derive]
96 audit-as-crates-io = false
97 notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
100 audit-as-crates-io = false
101 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
104 audit-as-crates-io = true
105 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
# Quoted keys scope a policy to a single version of the crate.
107 [policy."mio:0.6.23"]
108 audit-as-crates-io = true
109 notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
# This key additionally pins the policy to one git revision; the notes name
# the upstream commit that revision adds on top of 0.8.8.
111 [policy."mio:0.8.8@git:9a2ef335c366044ffe73b1c4acabe50a1daefe05"]
112 audit-as-crates-io = true
113 notes = "This is 0.8.8 + https://github.com/tokio-rs/mio/commit/eea9e3e0c469480e5c59c01e6c3c7e5fd88f0848."
116 audit-as-crates-io = false
117 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
120 audit-as-crates-io = false
121 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
123 [policy.mozglue-static]
124 dependency-criteria = { rustc_version = "safe-to-run" }
125 notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
127 [policy.mozilla-central-workspace-hack]
128 audit-as-crates-io = false
129 criteria = "safe-to-run"
130 notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
133 audit-as-crates-io = false
134 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
137 audit-as-crates-io = false
138 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
141 audit-as-crates-io = false
142 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
# NOTE(review): no notes key is shown for this entry or for several
# audit-as-crates-io entries further down (e.g. mp4parse_capi,
# peek-poke-derive, unicode-bidi, webrender_api, webrender_build,
# wr_malloc_size_of). A one-line rationale would let a later reviewer judge
# whether the audit setting is still justified.
145 audit-as-crates-io = false
147 [policy.mp4parse_capi]
148 audit-as-crates-io = false
151 audit-as-crates-io = true
152 notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
155 audit-as-crates-io = false
157 [policy.peek-poke-derive]
158 audit-as-crates-io = false
161 audit-as-crates-io = false
162 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
165 audit-as-crates-io = true
166 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
169 audit-as-crates-io = true
170 notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
173 audit-as-crates-io = true
174 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
177 audit-as-crates-io = true
178 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
# Lowered to safe-to-run on the stated basis that the crate is never shipped.
181 criteria = "safe-to-run"
182 notes = "We're not shipping this and have no plans to ship it."
185 audit-as-crates-io = false
186 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
189 audit-as-crates-io = false
190 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
192 [policy.unicode-bidi]
193 audit-as-crates-io = true
196 audit-as-crates-io = false
197 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
200 audit-as-crates-io = true
201 notes = "This is a third-party crate, with an extra patch."
204 audit-as-crates-io = false
205 criteria = "safe-to-run"
206 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
209 audit-as-crates-io = false
211 [policy.webrender_api]
212 audit-as-crates-io = false
214 [policy.webrender_build]
215 audit-as-crates-io = false
218 audit-as-crates-io = true
219 notes = "Upstream project which we pin."
222 audit-as-crates-io = true
223 notes = "Upstream project which we pin."
226 audit-as-crates-io = true
227 notes = "Upstream project which we pin."
230 audit-as-crates-io = true
231 notes = "Local override of the crates.io crate that uses a non-vendored local copy of the downloaded crate"
233 [policy.wr_malloc_size_of]
234 audit-as-crates-io = false
# [[exemptions.*]]: crate versions accepted at the stated criteria without a
# recorded audit. Each entry is code cargo-vet has no review on file for, so
# this list is the outstanding audit backlog for the dependency graph.
# Most `version` lines and some table headers are omitted from this listing.
238 criteria = "safe-to-deploy"
242 criteria = "safe-to-deploy"
244 [[exemptions.alsa-sys]]
246 criteria = "safe-to-deploy"
248 [[exemptions.android_log-sys]]
250 criteria = "safe-to-deploy"
252 [[exemptions.askama_derive]]
254 criteria = "safe-to-deploy"
256 [[exemptions.askama_escape]]
258 criteria = "safe-to-deploy"
260 [[exemptions.async-task]]
262 criteria = "safe-to-deploy"
264 [[exemptions.bincode]]
266 criteria = "safe-to-deploy"
268 [[exemptions.bitflags]]
270 criteria = "safe-to-deploy"
272 [[exemptions.bitreader]]
274 criteria = "safe-to-deploy"
278 criteria = "safe-to-deploy"
280 [[exemptions.cache-padded]]
282 criteria = "safe-to-deploy"
284 [[exemptions.camino]]
286 criteria = "safe-to-deploy"
288 [[exemptions.chrono]]
290 criteria = "safe-to-deploy"
292 [[exemptions.chunky-vec]]
294 criteria = "safe-to-deploy"
296 [[exemptions.clang-sys]]
298 criteria = "safe-to-deploy"
300 [[exemptions.cookie]]
# Exempted only at safe-to-run: this satisfies dependents whose policy asks
# for safe-to-run, not a dependent that requires safe-to-deploy.
302 criteria = "safe-to-run"
304 [[exemptions.coreaudio-sys]]
306 criteria = "safe-to-deploy"
308 [[exemptions.coremidi]]
# The exempted version is a specific git revision rather than a crates.io
# release.
309 version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
310 criteria = "safe-to-deploy"
312 [[exemptions.coremidi-sys]]
314 criteria = "safe-to-deploy"
318 criteria = "safe-to-deploy"
320 [[exemptions.cose-c]]
322 criteria = "safe-to-deploy"
324 [[exemptions.cpufeatures]]
326 criteria = "safe-to-deploy"
328 [[exemptions.crc32fast]]
330 criteria = "safe-to-deploy"
332 [[exemptions.crossbeam-channel]]
334 criteria = "safe-to-deploy"
336 [[exemptions.crossbeam-deque]]
338 criteria = "safe-to-deploy"
340 [[exemptions.crossbeam-epoch]]
342 criteria = "safe-to-deploy"
344 [[exemptions.crossbeam-utils]]
346 criteria = "safe-to-deploy"
350 criteria = "safe-to-deploy"
352 [[exemptions.darling]]
354 criteria = "safe-to-deploy"
356 [[exemptions.darling_core]]
358 criteria = "safe-to-deploy"
360 [[exemptions.darling_macro]]
362 criteria = "safe-to-deploy"
364 [[exemptions.data-encoding]]
366 criteria = "safe-to-deploy"
370 criteria = "safe-to-deploy"
372 [[exemptions.derive_more-impl]]
# Per the notes, a review took place but could not be expressed as a
# cargo-vet audit, so the exemption stands in for it.
373 version = "1.0.0-beta.2"
374 criteria = "safe-to-deploy"
375 notes = "The crate is new to version 1.0.x, and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information."
377 [[exemptions.devd-rs]]
379 criteria = "safe-to-deploy"
381 [[exemptions.digest]]
383 criteria = "safe-to-deploy"
387 criteria = "safe-to-deploy"
389 [[exemptions.dirs-sys]]
391 criteria = "safe-to-deploy"
393 [[exemptions.dns-parser]]
395 criteria = "safe-to-deploy"
397 [[exemptions.enumset]]
399 criteria = "safe-to-deploy"
401 [[exemptions.enumset_derive]]
403 criteria = "safe-to-deploy"
405 [[exemptions.env_logger]]
407 criteria = "safe-to-deploy"
409 [[exemptions.error-chain]]
411 criteria = "safe-to-deploy"
413 [[exemptions.fallible-iterator]]
415 criteria = "safe-to-deploy"
417 [[exemptions.fallible-streaming-iterator]]
419 criteria = "safe-to-deploy"
421 [[exemptions.fallible_collections]]
423 criteria = "safe-to-deploy"
425 [[exemptions.ffi-support]]
427 criteria = "safe-to-deploy"
429 [[exemptions.float-cmp]]
431 criteria = "safe-to-deploy"
433 [[exemptions.fs-err]]
435 criteria = "safe-to-deploy"
437 [[exemptions.fuchsia-zircon]]
439 criteria = "safe-to-run"
441 [[exemptions.fuchsia-zircon-sys]]
443 criteria = "safe-to-run"
445 [[exemptions.futures-macro]]
447 criteria = "safe-to-deploy"
449 [[exemptions.futures-task]]
451 criteria = "safe-to-deploy"
453 [[exemptions.futures-util]]
455 criteria = "safe-to-deploy"
457 [[exemptions.generic-array]]
459 criteria = "safe-to-deploy"
461 [[exemptions.getrandom]]
463 criteria = "safe-to-deploy"
465 [[exemptions.gl_generator]]
467 criteria = "safe-to-deploy"
471 criteria = "safe-to-deploy"
473 [[exemptions.goblin]]
475 criteria = "safe-to-deploy"
477 [[exemptions.gpu-alloc]]
479 criteria = "safe-to-deploy"
481 [[exemptions.gpu-alloc-types]]
483 criteria = "safe-to-deploy"
485 [[exemptions.gpu-descriptor]]
487 criteria = "safe-to-deploy"
489 [[exemptions.gpu-descriptor-types]]
491 criteria = "safe-to-deploy"
493 [[exemptions.hashlink]]
495 criteria = "safe-to-deploy"
497 [[exemptions.hermit-abi]]
499 criteria = "safe-to-deploy"
501 [[exemptions.hexf-parse]]
503 criteria = "safe-to-deploy"
505 [[exemptions.ioctl-sys]]
507 criteria = "safe-to-deploy"
509 [[exemptions.itertools]]
511 criteria = "safe-to-deploy"
513 [[exemptions.khronos-egl]]
515 criteria = "safe-to-deploy"
517 [[exemptions.khronos_api]]
519 criteria = "safe-to-deploy"
521 [[exemptions.lazycell]]
523 criteria = "safe-to-deploy"
525 [[exemptions.libdbus-sys]]
527 criteria = "safe-to-deploy"
529 [[exemptions.libloading]]
531 criteria = "safe-to-deploy"
533 [[exemptions.libsqlite3-sys]]
535 criteria = "safe-to-deploy"
# NOTE(review): this rationale holds only while the in-gecko feature is
# enabled. If the embedded C code were ever built, the stated justification
# would no longer cover it.
537 notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
539 [[exemptions.libudev]]
541 criteria = "safe-to-deploy"
543 [[exemptions.lmdb-rkv-sys]]
545 criteria = "safe-to-deploy"
# Per the notes this exemption is expected to stay until the crate is
# removed, rather than be replaced by an audit.
547 notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
551 criteria = "safe-to-deploy"
553 [[exemptions.memalloc]]
555 criteria = "safe-to-deploy"
557 [[exemptions.memmap2]]
559 criteria = "safe-to-deploy"
561 [[exemptions.memoffset]]
563 criteria = "safe-to-deploy"
567 criteria = "safe-to-deploy"
569 [[exemptions.mime_guess]]
571 criteria = "safe-to-deploy"
573 [[exemptions.minimal-lexical]]
575 criteria = "safe-to-deploy"
579 criteria = "safe-to-deploy"
581 [[exemptions.mio-extras]]
583 criteria = "safe-to-run"
587 criteria = "safe-to-run"
589 [[exemptions.murmurhash3]]
591 criteria = "safe-to-deploy"
595 criteria = "safe-to-run"
599 criteria = "safe-to-deploy"
603 criteria = "safe-to-deploy"
605 [[exemptions.objc_exception]]
607 criteria = "safe-to-deploy"
609 [[exemptions.object]]
611 criteria = "safe-to-deploy"
613 [[exemptions.once_cell]]
615 criteria = "safe-to-deploy"
617 [[exemptions.owning_ref]]
619 criteria = "safe-to-deploy"
621 [[exemptions.packed_simd]]
623 criteria = "safe-to-deploy"
627 criteria = "safe-to-deploy"
629 [[exemptions.phf_codegen]]
631 criteria = "safe-to-deploy"
633 [[exemptions.phf_generator]]
635 criteria = "safe-to-deploy"
637 [[exemptions.phf_macros]]
639 criteria = "safe-to-deploy"
641 [[exemptions.phf_shared]]
643 criteria = "safe-to-deploy"
647 criteria = "safe-to-deploy"
651 criteria = "safe-to-run"
653 [[exemptions.ppv-lite86]]
655 criteria = "safe-to-deploy"
657 [[exemptions.profiling]]
659 criteria = "safe-to-deploy"
663 criteria = "safe-to-deploy"
665 [[exemptions.prost-derive]]
667 criteria = "safe-to-deploy"
669 [[exemptions.quick-error]]
671 criteria = "safe-to-deploy"
675 criteria = "safe-to-deploy"
677 [[exemptions.remove_dir_all]]
679 criteria = "safe-to-deploy"
681 [[exemptions.replace_with]]
683 criteria = "safe-to-deploy"
685 [[exemptions.ringbuf]]
687 criteria = "safe-to-deploy"
691 criteria = "safe-to-deploy"
693 [[exemptions.runloop]]
695 criteria = "safe-to-deploy"
697 [[exemptions.rusqlite]]
699 criteria = "safe-to-deploy"
701 [[exemptions.rust-ini]]
703 criteria = "safe-to-deploy"
705 [[exemptions.rust_decimal]]
707 criteria = "safe-to-deploy"
709 [[exemptions.scroll]]
711 criteria = "safe-to-deploy"
713 [[exemptions.scroll_derive]]
715 criteria = "safe-to-deploy"
717 [[exemptions.self_cell]]
719 criteria = "safe-to-deploy"
721 [[exemptions.serde_with]]
723 criteria = "safe-to-deploy"
725 [[exemptions.serde_with_macros]]
727 criteria = "safe-to-deploy"
731 criteria = "safe-to-deploy"
735 criteria = "safe-to-deploy"
737 [[exemptions.siphasher]]
739 criteria = "safe-to-deploy"
741 [[exemptions.socket2]]
743 criteria = "safe-to-deploy"
746 version = "0.2.0+1.5.4"
747 criteria = "safe-to-deploy"
749 [[exemptions.stable_deref_trait]]
751 criteria = "safe-to-deploy"
753 [[exemptions.tempfile]]
755 criteria = "safe-to-deploy"
759 criteria = "safe-to-deploy"
761 [[exemptions.triple_buffer]]
763 criteria = "safe-to-deploy"
765 [[exemptions.type-map]]
767 criteria = "safe-to-deploy"
769 [[exemptions.typenum]]
771 criteria = "safe-to-deploy"
773 [[exemptions.unix_path]]
775 criteria = "safe-to-run"
777 [[exemptions.unix_str]]
779 criteria = "safe-to-run"
783 criteria = "safe-to-deploy"
785 [[exemptions.webrtc-sdp]]
787 criteria = "safe-to-deploy"
789 [[exemptions.winapi]]
791 criteria = "safe-to-deploy"
793 [[exemptions.winapi-i686-pc-windows-gnu]]
795 criteria = "safe-to-deploy"
797 [[exemptions.winapi-x86_64-pc-windows-gnu]]
799 criteria = "safe-to-deploy"
803 criteria = "safe-to-deploy"
805 [[exemptions.xml-rs]]
807 criteria = "safe-to-deploy"