2 # cargo-vet config file
# Peer audit sets: each url below points at another organisation's published
# audits.toml, and audits found there count as review evidence for this tree.
# Adding an entry therefore extends trust to that organisation's reviewers.
# NOTE(review): every URL follows the `main` branch rather than a fixed commit,
# so the remote file can change between fetches; confirm that changes to the
# locally recorded copy (cargo-vet keeps one in imports.lock) get reviewed.
7 [imports.bytecode-alliance]
8 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
10 [imports.embark-studios]
11 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
# NOTE(review): the table headers for the next three url keys are not shown in
# this listing.
14 url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
17 url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
20 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
# Policy entries that set audit-as-crates-io = true: a crate that is not fetched
# from crates.io is vetted as if it were the crates.io release of the same name
# and version. The table headers naming these crates are not shown in this listing.
# NOTE(review): several notes below describe local fixes or unreleased pins on
# top of upstream; confirm the recorded audits cover the code actually in tree,
# not only the published release.
23 audit-as-crates-io = true
24 notes = "This is the upstream code plus a few local fixes, see bug 1685697."
27 audit-as-crates-io = true
28 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
31 audit-as-crates-io = true
32 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
35 audit-as-crates-io = true
36 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
39 audit-as-crates-io = true
40 notes = "This is upstream plus a warning fix from bug 1823866."
# Per-crate policy: audit-as-crates-io = false treats the crate as first-party,
# so audits of a same-named crates.io release are not demanded for it.
# `criteria` sets what the crate and its dependency subtree must meet;
# safe-to-run is the weaker built-in criterion (safe-to-deploy implies it).
# Some table headers in this run are not shown in this listing.
42 [policy.firefox-on-glean]
43 audit-as-crates-io = false
44 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
47 audit-as-crates-io = false
48 criteria = "safe-to-run"
49 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
52 criteria = "safe-to-run"
53 notes = "Used for testing."
55 [policy.gkrust-shared]
# An empty criteria list requires nothing of the named dependency: tokio-reactor
# and tokio-threadpool pass without any audit when reached through gkrust-shared.
# NOTE(review): the notes justify this by reference to other policy entries that
# are not visible here; confirm those entries still exist and still apply.
56 dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
57 notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
60 criteria = "safe-to-run"
61 notes = "Used for fuzzing."
64 criteria = "safe-to-run"
65 notes = "Used for testing."
# Lowers the bar for two named dependencies only. The notes say they are declared
# as optional regular dependencies, so nothing in the manifest marks them as
# test-only. NOTE(review): confirm shipped builds do not enable them.
68 dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
69 notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
72 audit-as-crates-io = false
73 notes = "This override is an api-compatible fork with an orthogonal implementation."
# Policy for first-party crates that also exist on crates.io, and for pinned or
# forked upstream crates. Some table headers in this run are not shown in this
# listing.
75 [policy.malloc_size_of_derive]
76 audit-as-crates-io = false
77 notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
# NOTE(review): per the notes, the audit for this crate is certified only after
# the version bump has landed, so this check does not gate it. The release
# process is then the only control; confirm that step is actually tracked.
80 audit-as-crates-io = false
81 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
84 audit-as-crates-io = false
87 audit-as-crates-io = true
88 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
# The quoted key scopes this policy to one version at one git revision, so a
# change of revision is not covered by it.
90 [policy."minidump-common:0.17.0@git:87a29fba5e19cfae5ebf73a57ba31504a3872545"]
91 audit-as-crates-io = true
92 notes = "Unreleased upstream."
94 [policy.minidump-writer]
95 audit-as-crates-io = true
96 notes = "Unreleased upstream."
99 audit-as-crates-io = true
100 notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
103 audit-as-crates-io = false
104 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
107 audit-as-crates-io = false
108 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
# Policy for mozglue-static, the workspace-hack crate and further first-party
# crates whose table headers are not shown in this listing.
110 [policy.mozglue-static]
# Only the rustc_version dependency is lowered to safe-to-run. The notes say it
# is used by the build script, which still executes on the build host; that is
# the exposure safe-to-run is meant to cover.
111 dependency-criteria = { rustc_version = "safe-to-run" }
112 notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
114 [policy.mozilla-central-workspace-hack]
115 audit-as-crates-io = false
# safe-to-run here applies to this crate's whole dependency subtree. The notes
# rely on each dependency getting its real criteria through the other crates that
# use it. NOTE(review): a dependency reachable only through this crate would be
# held to safe-to-run alone; confirm none exists.
116 criteria = "safe-to-run"
117 notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
120 audit-as-crates-io = false
121 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
124 audit-as-crates-io = false
125 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
128 audit-as-crates-io = false
129 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
132 audit-as-crates-io = false
# Policy for in-tree crates whose names also exist on crates.io: `false` marks
# the in-tree copy as first-party, `true` vets it as the published release.
# Some table headers in this run are not shown in this listing.
134 [policy.mp4parse_capi]
135 audit-as-crates-io = false
138 audit-as-crates-io = true
139 notes = "wgpu-core pins this crate."
141 [policy.packed_simd_2]
142 audit-as-crates-io = true
143 notes = "Based on upstream, see bug 1719674."
146 audit-as-crates-io = false
148 [policy.peek-poke-derive]
149 audit-as-crates-io = false
151 [policy.prost-derive]
152 audit-as-crates-io = true
153 notes = "Fork of prost-derive with support for syn 2"
# NOTE(review): per the notes this first-party crate shares its name with an
# unrelated crates.io package, so audits of that package say nothing about this
# code. Confirm the build resolves the name from the in-tree copy only.
156 audit-as-crates-io = false
157 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
160 audit-as-crates-io = true
161 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
164 audit-as-crates-io = true
165 notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
168 audit-as-crates-io = true
169 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
172 audit-as-crates-io = true
173 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
# safe-to-run is justified here only by the statement that the crate is not
# shipped; the policy needs revisiting if that ever changes.
176 criteria = "safe-to-run"
177 notes = "We're not shipping this and have no plans to ship it."
# Remaining policy entries: first-party crates that share a name with a
# crates.io package, pinned upstream projects, and webrender crates. Some table
# headers in this run are not shown in this listing.
# NOTE(review): where the notes say the crates.io package of the same name is
# unrelated, confirm the build can only resolve that name from the in-tree copy.
180 audit-as-crates-io = false
181 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
184 audit-as-crates-io = false
185 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
188 audit-as-crates-io = false
189 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
# NOTE(review): vetted as the published release although the notes mention an
# extra patch; confirm the patch itself was reviewed.
192 audit-as-crates-io = true
193 notes = "This is a third-party crate, with an extra patch."
196 audit-as-crates-io = false
197 criteria = "safe-to-run"
198 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
201 audit-as-crates-io = false
203 [policy.webrender_api]
204 audit-as-crates-io = false
206 [policy.webrender_build]
207 audit-as-crates-io = false
210 audit-as-crates-io = true
211 notes = "Upstream project which we pin."
214 audit-as-crates-io = true
215 notes = "Upstream project which we pin."
218 audit-as-crates-io = true
219 notes = "Upstream project which we pin."
221 [policy.wr_malloc_size_of]
222 audit-as-crates-io = false
# Exemptions: crate versions that pass `cargo vet` at the stated criteria without
# a recorded audit. Each entry is review debt rather than evidence of review, and
# safe-to-deploy is the criterion intended for code that ships.
# Some table headers and most version keys are not shown in this listing.
226 criteria = "safe-to-deploy"
230 criteria = "safe-to-deploy"
232 [[exemptions.alsa-sys]]
234 criteria = "safe-to-deploy"
236 [[exemptions.android_log-sys]]
238 criteria = "safe-to-deploy"
240 [[exemptions.askama_derive]]
242 criteria = "safe-to-deploy"
244 [[exemptions.askama_escape]]
246 criteria = "safe-to-deploy"
248 [[exemptions.async-task]]
250 criteria = "safe-to-deploy"
252 [[exemptions.bincode]]
254 criteria = "safe-to-deploy"
256 [[exemptions.bitflags]]
258 criteria = "safe-to-deploy"
260 [[exemptions.bitreader]]
262 criteria = "safe-to-deploy"
266 criteria = "safe-to-deploy"
268 [[exemptions.cache-padded]]
270 criteria = "safe-to-deploy"
272 [[exemptions.camino]]
274 criteria = "safe-to-deploy"
276 [[exemptions.chrono]]
278 criteria = "safe-to-deploy"
280 [[exemptions.chunky-vec]]
282 criteria = "safe-to-deploy"
284 [[exemptions.clang-sys]]
286 criteria = "safe-to-deploy"
288 [[exemptions.cookie]]
290 criteria = "safe-to-run"
292 [[exemptions.coreaudio-sys]]
294 criteria = "safe-to-deploy"
296 [[exemptions.coremidi]]
# This exemption names a git revision rather than a registry release; the hex
# suffix identifies the exact commit that is exempted.
297 version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
298 criteria = "safe-to-deploy"
300 [[exemptions.coremidi-sys]]
302 criteria = "safe-to-deploy"
306 criteria = "safe-to-deploy"
308 [[exemptions.cose-c]]
310 criteria = "safe-to-deploy"
312 [[exemptions.cpufeatures]]
314 criteria = "safe-to-deploy"
316 [[exemptions.crc32fast]]
318 criteria = "safe-to-deploy"
320 [[exemptions.crossbeam-channel]]
322 criteria = "safe-to-deploy"
324 [[exemptions.crossbeam-deque]]
326 criteria = "safe-to-deploy"
328 [[exemptions.crossbeam-epoch]]
330 criteria = "safe-to-deploy"
332 [[exemptions.crossbeam-utils]]
334 criteria = "safe-to-deploy"
338 criteria = "safe-to-deploy"
340 [[exemptions.darling]]
342 criteria = "safe-to-deploy"
344 [[exemptions.darling_core]]
346 criteria = "safe-to-deploy"
348 [[exemptions.darling_macro]]
350 criteria = "safe-to-deploy"
352 [[exemptions.data-encoding]]
354 criteria = "safe-to-deploy"
358 criteria = "safe-to-deploy"
360 [[exemptions.derive_more-impl]]
# The notes say a review of the differences was done but could not be recorded in
# cargo-vet. The exemption is what makes the check pass, so that review cannot be
# verified from this file.
361 version = "1.0.0-beta.2"
362 criteria = "safe-to-deploy"
363 notes = "The crate is new to version 1.0.x, and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information."
# Exemptions (continued): each entry lets the named crate pass at the stated
# criteria without a recorded audit. Some table headers and most version keys
# are not shown in this listing.
365 [[exemptions.devd-rs]]
367 criteria = "safe-to-deploy"
369 [[exemptions.digest]]
371 criteria = "safe-to-deploy"
375 criteria = "safe-to-deploy"
377 [[exemptions.dirs-sys]]
379 criteria = "safe-to-deploy"
381 [[exemptions.dns-parser]]
383 criteria = "safe-to-deploy"
385 [[exemptions.enumset]]
387 criteria = "safe-to-deploy"
389 [[exemptions.enumset_derive]]
391 criteria = "safe-to-deploy"
393 [[exemptions.env_logger]]
395 criteria = "safe-to-deploy"
397 [[exemptions.error-chain]]
399 criteria = "safe-to-deploy"
401 [[exemptions.fallible-iterator]]
403 criteria = "safe-to-deploy"
405 [[exemptions.fallible-streaming-iterator]]
407 criteria = "safe-to-deploy"
409 [[exemptions.fallible_collections]]
411 criteria = "safe-to-deploy"
413 [[exemptions.ffi-support]]
415 criteria = "safe-to-deploy"
417 [[exemptions.float-cmp]]
419 criteria = "safe-to-deploy"
421 [[exemptions.fs-err]]
423 criteria = "safe-to-deploy"
425 [[exemptions.fuchsia-zircon]]
427 criteria = "safe-to-run"
429 [[exemptions.fuchsia-zircon-sys]]
431 criteria = "safe-to-run"
433 [[exemptions.futures-macro]]
435 criteria = "safe-to-deploy"
437 [[exemptions.futures-task]]
439 criteria = "safe-to-deploy"
441 [[exemptions.futures-util]]
443 criteria = "safe-to-deploy"
445 [[exemptions.generic-array]]
447 criteria = "safe-to-deploy"
449 [[exemptions.getrandom]]
451 criteria = "safe-to-deploy"
453 [[exemptions.gl_generator]]
455 criteria = "safe-to-deploy"
459 criteria = "safe-to-deploy"
461 [[exemptions.goblin]]
463 criteria = "safe-to-deploy"
465 [[exemptions.gpu-alloc]]
467 criteria = "safe-to-deploy"
469 [[exemptions.gpu-alloc-types]]
471 criteria = "safe-to-deploy"
473 [[exemptions.gpu-descriptor]]
475 criteria = "safe-to-deploy"
477 [[exemptions.gpu-descriptor-types]]
479 criteria = "safe-to-deploy"
481 [[exemptions.hashlink]]
483 criteria = "safe-to-deploy"
485 [[exemptions.hermit-abi]]
487 criteria = "safe-to-deploy"
489 [[exemptions.hexf-parse]]
491 criteria = "safe-to-deploy"
493 [[exemptions.instant]]
495 criteria = "safe-to-deploy"
497 [[exemptions.ioctl-sys]]
499 criteria = "safe-to-deploy"
501 [[exemptions.itertools]]
503 criteria = "safe-to-deploy"
505 [[exemptions.khronos-egl]]
507 criteria = "safe-to-deploy"
509 [[exemptions.khronos_api]]
511 criteria = "safe-to-deploy"
513 [[exemptions.lazycell]]
515 criteria = "safe-to-deploy"
517 [[exemptions.libdbus-sys]]
519 criteria = "safe-to-deploy"
521 [[exemptions.libloading]]
523 criteria = "safe-to-deploy"
525 [[exemptions.libsqlite3-sys]]
527 criteria = "safe-to-deploy"
# NOTE(review): the justification depends on the in-gecko feature staying
# enabled so that the embedded C code is never built; revisit this exemption if
# the enabled feature set changes.
529 notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
531 [[exemptions.libudev]]
533 criteria = "safe-to-deploy"
535 [[exemptions.lmdb-rkv-sys]]
537 criteria = "safe-to-deploy"
# NOTE(review): an open-ended safe-to-deploy exemption with no audit planned.
# The stated reason is the planned removal of the LMDB backend, so the exemption
# should be tracked against that removal.
539 notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
# Exemptions (continued): each entry lets the named crate pass at the stated
# criteria without a recorded audit. safe-to-run is the weaker criterion and
# safe-to-deploy is the one intended for code that ships.
# Some table headers and most version keys are not shown in this listing.
543 criteria = "safe-to-deploy"
545 [[exemptions.memalloc]]
547 criteria = "safe-to-deploy"
549 [[exemptions.memmap2]]
551 criteria = "safe-to-deploy"
553 [[exemptions.memoffset]]
555 criteria = "safe-to-deploy"
559 criteria = "safe-to-deploy"
561 [[exemptions.mime_guess]]
563 criteria = "safe-to-deploy"
565 [[exemptions.minimal-lexical]]
567 criteria = "safe-to-deploy"
569 [[exemptions.miniz_oxide]]
571 criteria = "safe-to-deploy"
575 criteria = "safe-to-deploy"
577 [[exemptions.mio-extras]]
579 criteria = "safe-to-run"
583 criteria = "safe-to-deploy"
585 [[exemptions.murmurhash3]]
587 criteria = "safe-to-deploy"
591 criteria = "safe-to-run"
595 criteria = "safe-to-deploy"
599 criteria = "safe-to-deploy"
603 criteria = "safe-to-deploy"
607 criteria = "safe-to-deploy"
609 [[exemptions.objc_exception]]
611 criteria = "safe-to-deploy"
613 [[exemptions.object]]
615 criteria = "safe-to-deploy"
617 [[exemptions.once_cell]]
619 criteria = "safe-to-deploy"
621 [[exemptions.owning_ref]]
623 criteria = "safe-to-deploy"
625 [[exemptions.packed_simd_2]]
627 criteria = "safe-to-deploy"
631 criteria = "safe-to-deploy"
633 [[exemptions.phf_codegen]]
635 criteria = "safe-to-deploy"
637 [[exemptions.phf_generator]]
639 criteria = "safe-to-deploy"
641 [[exemptions.phf_macros]]
643 criteria = "safe-to-deploy"
645 [[exemptions.phf_shared]]
647 criteria = "safe-to-deploy"
651 criteria = "safe-to-deploy"
655 criteria = "safe-to-run"
657 [[exemptions.ppv-lite86]]
659 criteria = "safe-to-deploy"
661 [[exemptions.profiling]]
663 criteria = "safe-to-deploy"
667 criteria = "safe-to-deploy"
669 [[exemptions.prost-derive]]
671 criteria = "safe-to-deploy"
675 criteria = "safe-to-deploy"
677 [[exemptions.quick-error]]
679 criteria = "safe-to-deploy"
683 criteria = "safe-to-deploy"
685 [[exemptions.rand_chacha]]
687 criteria = "safe-to-deploy"
689 [[exemptions.rand_core]]
691 criteria = "safe-to-deploy"
693 [[exemptions.remove_dir_all]]
695 criteria = "safe-to-deploy"
697 [[exemptions.replace_with]]
699 criteria = "safe-to-deploy"
701 [[exemptions.ringbuf]]
703 criteria = "safe-to-deploy"
707 criteria = "safe-to-deploy"
709 [[exemptions.runloop]]
711 criteria = "safe-to-deploy"
713 [[exemptions.rusqlite]]
715 criteria = "safe-to-deploy"
717 [[exemptions.rust-ini]]
719 criteria = "safe-to-deploy"
721 [[exemptions.rust_decimal]]
723 criteria = "safe-to-deploy"
725 [[exemptions.scroll]]
727 criteria = "safe-to-deploy"
729 [[exemptions.scroll_derive]]
731 criteria = "safe-to-deploy"
733 [[exemptions.self_cell]]
735 criteria = "safe-to-deploy"
737 [[exemptions.serde_with]]
739 criteria = "safe-to-deploy"
741 [[exemptions.serde_with_macros]]
743 criteria = "safe-to-deploy"
747 criteria = "safe-to-deploy"
751 criteria = "safe-to-deploy"
755 criteria = "safe-to-deploy"
757 [[exemptions.siphasher]]
759 criteria = "safe-to-deploy"
761 [[exemptions.socket2]]
763 criteria = "safe-to-deploy"
# The `+1.5.4` suffix is semver build metadata; presumably it tracks the version
# of something the crate bundles or mirrors — confirm what that is.
766 version = "0.2.0+1.5.4"
767 criteria = "safe-to-deploy"
769 [[exemptions.stable_deref_trait]]
771 criteria = "safe-to-deploy"
773 [[exemptions.static_assertions]]
775 criteria = "safe-to-deploy"
777 [[exemptions.strsim]]
779 criteria = "safe-to-deploy"
781 [[exemptions.tempfile]]
783 criteria = "safe-to-deploy"
787 criteria = "safe-to-deploy"
791 criteria = "safe-to-run"
793 [[exemptions.triple_buffer]]
795 criteria = "safe-to-deploy"
797 [[exemptions.type-map]]
799 criteria = "safe-to-deploy"
801 [[exemptions.typenum]]
803 criteria = "safe-to-deploy"
805 [[exemptions.unix_path]]
807 criteria = "safe-to-run"
809 [[exemptions.unix_str]]
811 criteria = "safe-to-run"
815 criteria = "safe-to-deploy"
819 criteria = "safe-to-deploy"
821 [[exemptions.webrtc-sdp]]
823 criteria = "safe-to-deploy"
825 [[exemptions.winapi]]
827 criteria = "safe-to-deploy"
# NOTE(review): the two target-specific winapi crates below presumably ship
# prebuilt import libraries rather than source, which a source review cannot
# fully cover — confirm how they would be vetted before dropping the exemption.
829 [[exemptions.winapi-i686-pc-windows-gnu]]
831 criteria = "safe-to-deploy"
833 [[exemptions.winapi-x86_64-pc-windows-gnu]]
835 criteria = "safe-to-deploy"
839 criteria = "safe-to-deploy"
841 [[exemptions.xml-rs]]
843 criteria = "safe-to-deploy"
847 criteria = "safe-to-run"