2 # cargo-vet config file
# Each [imports.<name>] table points cargo-vet at another organisation's published
# audits.toml; audits found there count towards vetting this tree's dependencies.
# Every URL below follows a `main` branch, so what is imported can change from one
# fetch to the next. Review changes to the fetched copy (cargo-vet keeps it in
# imports.lock) the same way as changes to local audits.
7 [imports.bytecode-alliance]
8 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
10 [imports.embark-studios]
11 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
# NOTE(review): the [imports.<name>] headers for the three urls below are not
# visible in this listing.
14 url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
17 url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
20 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
# Policy entries; their [policy.<crate>] headers are not visible in this listing.
# audit-as-crates-io = true makes cargo-vet vet a crate that is not fetched from
# crates.io (vendored copy, local fork, git pin) as if it were the published crate
# of the same name. Where the notes describe local fixes or an unreleased pin, an
# audit of the published release does not cover that delta, so the delta relies on
# first-party review.
23 audit-as-crates-io = true
24 notes = "This is the upstream code plus a few local fixes, see bug 1685697."
27 audit-as-crates-io = true
28 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
31 audit-as-crates-io = true
32 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
35 audit-as-crates-io = true
36 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
39 audit-as-crates-io = true
40 notes = "This is upstream plus a warning fix from bug 1823866."
43 audit-as-crates-io = true
44 notes = "Unpublished wgpu revisions point to unpublished d3d12 revisions."
46 [policy.firefox-on-glean]
# audit-as-crates-io = false: cargo-vet treats the in-tree crate as first-party and
# does not require an audit of the crates.io package that shares its name.
47 audit-as-crates-io = false
48 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
# NOTE(review): the headers for the next two entries are not visible in this listing.
# criteria = "safe-to-run" lowers the requirement for the crate and, per the notes,
# its subtree from safe-to-deploy to the weaker level. That fits only while the
# crate stays confined to automation or tests and is not shipped.
51 audit-as-crates-io = false
52 criteria = "safe-to-run"
53 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
56 criteria = "safe-to-run"
57 notes = "Used for testing."
59 [policy.gkrust-shared]
# dependency-criteria overrides the required criteria per dependency edge. An empty
# list requires nothing, so these two crates are not vetted through this edge (the
# notes call this suppressing vetting); any vetting they get must come from another
# dependent.
60 dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
61 notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
# NOTE(review): the headers for the remaining entries are not visible in this listing.
64 criteria = "safe-to-run"
65 notes = "Used for fuzzing."
68 criteria = "safe-to-run"
69 notes = "Used for testing."
# The two dependencies below are held to safe-to-run because the notes describe them
# as testing-only. They are declared as optional regular dependencies, so the lower
# bar presumably depends on those optional features staying off in shipped builds;
# verify against the build configuration.
72 dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
73 notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
76 audit-as-crates-io = false
77 notes = "This override is an api-compatible fork with an orthogonal implementation."
79 [policy.malloc_size_of_derive]
# audit-as-crates-io = false: the in-tree copy is treated as first-party and is not
# checked against audits of the crates.io package that shares its name.
80 audit-as-crates-io = false
81 notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
# NOTE(review): the headers for the remaining entries are not visible in this listing.
# Where the notes say audits are certified after the version bump lands, the in-tree
# version is not enforced against a crates.io audit here; the release process named
# in the notes is the control.
84 audit-as-crates-io = false
85 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
# The next two entries are vetted as their crates.io namesakes although the notes
# describe an unreleased pin and a local fork; an audit of the published release
# would not cover those differences.
88 audit-as-crates-io = true
89 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
92 audit-as-crates-io = true
93 notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
96 audit-as-crates-io = false
97 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
100 audit-as-crates-io = false
101 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
103 [policy.mozglue-static]
# rustc_version is held to safe-to-run rather than safe-to-deploy because, per the
# notes, it only runs in the build script. Build-script code still executes on the
# build host, which is the exposure safe-to-run is meant to cover.
104 dependency-criteria = { rustc_version = "safe-to-run" }
105 notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
107 [policy.mozilla-central-workspace-hack]
# Keeps this crate from imposing safe-to-deploy on everything it lists; the notes
# rely on each dependency being reached through another crate that sets the right
# criteria.
108 criteria = "safe-to-run"
109 notes = "The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
# NOTE(review): the headers for the remaining entries are not visible in this listing.
112 audit-as-crates-io = false
113 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
116 audit-as-crates-io = false
117 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
120 audit-as-crates-io = false
121 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
# NOTE(review): no notes are visible for this entry, so the reason it is treated as
# first-party is not recorded here.
124 audit-as-crates-io = false
126 [policy.mp4parse_capi]
# NOTE(review): no notes are visible for this entry, so the reason it is treated as
# first-party is not recorded here.
127 audit-as-crates-io = false
# NOTE(review): the headers for the next two entries are not visible in this listing.
130 audit-as-crates-io = true
131 notes = "wgpu-core pins this crate."
# Local fork carrying an upstream pull request: an audit of the published release
# covers the base but not necessarily the patch referenced in the notes.
134 audit-as-crates-io = true
135 notes = "Local fork with a patch from https://github.com/rust-num/num-derive/pull/54"
137 [policy.packed_simd_2]
138 audit-as-crates-io = true
139 notes = "Based on upstream, see bug 1719674."
# NOTE(review): header and notes are not visible for this entry.
142 audit-as-crates-io = false
144 [policy.peek-poke-derive]
# NOTE(review): no notes are visible for this entry, so the reason it is treated as
# first-party is not recorded here.
145 audit-as-crates-io = false
# NOTE(review): the headers for the remaining entries are not visible in this listing.
# Local fork carrying an upstream pull request: an audit of the published release
# covers the base but not necessarily the patch referenced in the notes.
148 audit-as-crates-io = true
149 notes = "Local fork with a patch from https://github.com/rust-phf/rust-phf/pull/284"
# Name collision with an unrelated crates.io package: false keeps cargo-vet from
# applying that package's audits to this in-tree crate.
152 audit-as-crates-io = false
153 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
156 audit-as-crates-io = true
157 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
160 audit-as-crates-io = true
161 notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
164 audit-as-crates-io = true
165 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
168 audit-as-crates-io = true
169 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
# safe-to-run is justified here only by the crate not shipping; the criteria needs
# revisiting if that changes.
172 criteria = "safe-to-run"
173 notes = "We're not shipping this and have no plans to ship it."
176 audit-as-crates-io = false
177 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
180 audit-as-crates-io = false
181 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
184 audit-as-crates-io = false
185 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
# Third-party code with a local patch, vetted under the crates.io name; the extra
# patch is outside what an audit of the published release covers.
188 audit-as-crates-io = true
189 notes = "This is a third-party crate, with an extra patch."
192 audit-as-crates-io = false
193 criteria = "safe-to-run"
194 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
# NOTE(review): no notes are visible for this entry.
197 audit-as-crates-io = false
# NOTE(review): the audit-as-crates-io = false entries in this group carry no notes,
# so the reason each is treated as first-party is not recorded here.
199 [policy.webrender_api]
200 audit-as-crates-io = false
202 [policy.webrender_build]
203 audit-as-crates-io = false
# NOTE(review): the headers for the next three entries are not visible in this listing.
# Pinned upstream revisions are vetted under the crates.io name; a pin that does not
# match a published release is presumably not covered by audits of published
# versions. Confirm how these pins are certified.
206 audit-as-crates-io = true
207 notes = "Upstream project which we pin."
210 audit-as-crates-io = true
211 notes = "Upstream project which we pin."
214 audit-as-crates-io = true
215 notes = "Upstream project which we pin."
217 [policy.wr_malloc_size_of]
218 audit-as-crates-io = false
# [[exemptions.<crate>]] entries name crate versions that cargo-vet accepts at the
# stated criteria without any audit on record. They are a backlog of unreviewed
# trust, not a statement that the code was reviewed.
# NOTE(review): most `version` lines and some headers are not visible in this
# listing, so several `criteria` lines below appear without their table header.
222 criteria = "safe-to-deploy"
226 criteria = "safe-to-deploy"
230 criteria = "safe-to-deploy"
232 [[exemptions.alsa-sys]]
234 criteria = "safe-to-deploy"
236 [[exemptions.android_log-sys]]
238 criteria = "safe-to-deploy"
240 [[exemptions.askama_derive]]
242 criteria = "safe-to-deploy"
244 [[exemptions.askama_escape]]
246 criteria = "safe-to-deploy"
248 [[exemptions.askama_shared]]
250 criteria = "safe-to-deploy"
252 [[exemptions.async-task]]
254 criteria = "safe-to-deploy"
256 [[exemptions.bincode]]
258 criteria = "safe-to-deploy"
260 [[exemptions.bitflags]]
262 criteria = "safe-to-deploy"
264 [[exemptions.bitreader]]
266 criteria = "safe-to-deploy"
270 criteria = "safe-to-deploy"
272 [[exemptions.cache-padded]]
274 criteria = "safe-to-deploy"
276 [[exemptions.camino]]
278 criteria = "safe-to-deploy"
280 [[exemptions.chrono]]
282 criteria = "safe-to-deploy"
284 [[exemptions.chunky-vec]]
286 criteria = "safe-to-deploy"
288 [[exemptions.clang-sys]]
290 criteria = "safe-to-deploy"
292 [[exemptions.cookie]]
# Exempted only at safe-to-run; this does not satisfy a safe-to-deploy requirement.
294 criteria = "safe-to-run"
296 [[exemptions.coreaudio-sys]]
298 criteria = "safe-to-deploy"
300 [[exemptions.coremidi]]
# The `@git:<rev>` suffix appears to pin this exemption to a single git revision
# rather than a crates.io release, so it would not carry over to another revision.
301 version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
302 criteria = "safe-to-deploy"
304 [[exemptions.coremidi-sys]]
306 criteria = "safe-to-deploy"
310 criteria = "safe-to-deploy"
312 [[exemptions.cose-c]]
314 criteria = "safe-to-deploy"
316 [[exemptions.cpufeatures]]
318 criteria = "safe-to-deploy"
320 [[exemptions.crc32fast]]
322 criteria = "safe-to-deploy"
324 [[exemptions.crossbeam-channel]]
326 criteria = "safe-to-deploy"
328 [[exemptions.crossbeam-deque]]
330 criteria = "safe-to-deploy"
332 [[exemptions.crossbeam-epoch]]
334 criteria = "safe-to-deploy"
336 [[exemptions.crossbeam-utils]]
338 criteria = "safe-to-deploy"
342 criteria = "safe-to-deploy"
# Exemptions, continued: each entry is accepted at its criteria with no audit on
# record. NOTE(review): `version` lines and some headers are not visible in this
# listing.
344 [[exemptions.darling]]
346 criteria = "safe-to-deploy"
348 [[exemptions.darling_core]]
350 criteria = "safe-to-deploy"
352 [[exemptions.darling_macro]]
354 criteria = "safe-to-deploy"
356 [[exemptions.data-encoding]]
358 criteria = "safe-to-deploy"
362 criteria = "safe-to-deploy"
364 [[exemptions.devd-rs]]
366 criteria = "safe-to-deploy"
368 [[exemptions.digest]]
370 criteria = "safe-to-deploy"
374 criteria = "safe-to-deploy"
376 [[exemptions.dirs-sys]]
378 criteria = "safe-to-deploy"
380 [[exemptions.dns-parser]]
382 criteria = "safe-to-deploy"
384 [[exemptions.enumset]]
386 criteria = "safe-to-deploy"
388 [[exemptions.enumset_derive]]
390 criteria = "safe-to-deploy"
392 [[exemptions.env_logger]]
394 criteria = "safe-to-deploy"
396 [[exemptions.error-chain]]
398 criteria = "safe-to-deploy"
400 [[exemptions.fallible-iterator]]
402 criteria = "safe-to-deploy"
404 [[exemptions.fallible-streaming-iterator]]
406 criteria = "safe-to-deploy"
408 [[exemptions.fallible_collections]]
410 criteria = "safe-to-deploy"
412 [[exemptions.ffi-support]]
414 criteria = "safe-to-deploy"
416 [[exemptions.float-cmp]]
418 criteria = "safe-to-deploy"
420 [[exemptions.fs-err]]
422 criteria = "safe-to-deploy"
# The two fuchsia-zircon entries are exempted only at safe-to-run, which does not
# satisfy a safe-to-deploy requirement.
424 [[exemptions.fuchsia-zircon]]
426 criteria = "safe-to-run"
428 [[exemptions.fuchsia-zircon-sys]]
430 criteria = "safe-to-run"
432 [[exemptions.futures-macro]]
434 criteria = "safe-to-deploy"
436 [[exemptions.futures-task]]
438 criteria = "safe-to-deploy"
440 [[exemptions.futures-util]]
442 criteria = "safe-to-deploy"
444 [[exemptions.generic-array]]
446 criteria = "safe-to-deploy"
448 [[exemptions.getrandom]]
450 criteria = "safe-to-deploy"
452 [[exemptions.gl_generator]]
454 criteria = "safe-to-deploy"
458 criteria = "safe-to-deploy"
460 [[exemptions.goblin]]
462 criteria = "safe-to-deploy"
464 [[exemptions.gpu-alloc]]
466 criteria = "safe-to-deploy"
468 [[exemptions.gpu-alloc-types]]
470 criteria = "safe-to-deploy"
472 [[exemptions.gpu-descriptor]]
474 criteria = "safe-to-deploy"
476 [[exemptions.gpu-descriptor-types]]
478 criteria = "safe-to-deploy"
480 [[exemptions.hashlink]]
482 criteria = "safe-to-deploy"
484 [[exemptions.hermit-abi]]
486 criteria = "safe-to-deploy"
488 [[exemptions.hexf-parse]]
490 criteria = "safe-to-deploy"
492 [[exemptions.instant]]
494 criteria = "safe-to-deploy"
496 [[exemptions.ioctl-sys]]
498 criteria = "safe-to-deploy"
500 [[exemptions.itertools]]
502 criteria = "safe-to-deploy"
504 [[exemptions.khronos-egl]]
506 criteria = "safe-to-deploy"
508 [[exemptions.khronos_api]]
510 criteria = "safe-to-deploy"
512 [[exemptions.lazycell]]
514 criteria = "safe-to-deploy"
516 [[exemptions.libdbus-sys]]
518 criteria = "safe-to-deploy"
520 [[exemptions.libloading]]
522 criteria = "safe-to-deploy"
524 [[exemptions.libsqlite3-sys]]
526 criteria = "safe-to-deploy"
# The justification in the notes holds only while the in-gecko feature is the one
# enabled; a feature change that builds the embedded C code would put unaudited code
# into the build, so re-check this exemption when the crate's features change.
528 notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
530 [[exemptions.libudev]]
532 criteria = "safe-to-deploy"
534 [[exemptions.lmdb-rkv-sys]]
536 criteria = "safe-to-deploy"
# Per the notes no audit is planned, so this exemption stands until the dependency
# is removed.
538 notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
542 criteria = "safe-to-deploy"
# Exemptions, continued: each entry is accepted at its criteria with no audit on
# record. NOTE(review): `version` lines and some headers are not visible in this
# listing, so some `criteria` lines appear without their table header. Entries at
# "safe-to-run" are exempted only at that weaker level and do not satisfy a
# safe-to-deploy requirement.
544 [[exemptions.memalloc]]
546 criteria = "safe-to-deploy"
548 [[exemptions.memmap2]]
550 criteria = "safe-to-deploy"
552 [[exemptions.memoffset]]
554 criteria = "safe-to-deploy"
558 criteria = "safe-to-deploy"
562 criteria = "safe-to-deploy"
564 [[exemptions.mime_guess]]
566 criteria = "safe-to-deploy"
568 [[exemptions.minimal-lexical]]
570 criteria = "safe-to-deploy"
572 [[exemptions.miniz_oxide]]
574 criteria = "safe-to-deploy"
578 criteria = "safe-to-deploy"
580 [[exemptions.mio-extras]]
582 criteria = "safe-to-run"
586 criteria = "safe-to-deploy"
588 [[exemptions.murmurhash3]]
590 criteria = "safe-to-deploy"
594 criteria = "safe-to-run"
598 criteria = "safe-to-deploy"
602 criteria = "safe-to-deploy"
606 criteria = "safe-to-deploy"
610 criteria = "safe-to-deploy"
612 [[exemptions.objc_exception]]
614 criteria = "safe-to-deploy"
616 [[exemptions.object]]
618 criteria = "safe-to-deploy"
620 [[exemptions.once_cell]]
622 criteria = "safe-to-deploy"
624 [[exemptions.owning_ref]]
626 criteria = "safe-to-deploy"
628 [[exemptions.packed_simd_2]]
630 criteria = "safe-to-deploy"
634 criteria = "safe-to-deploy"
636 [[exemptions.phf_codegen]]
638 criteria = "safe-to-deploy"
640 [[exemptions.phf_generator]]
642 criteria = "safe-to-deploy"
644 [[exemptions.phf_macros]]
646 criteria = "safe-to-deploy"
648 [[exemptions.phf_shared]]
650 criteria = "safe-to-deploy"
652 [[exemptions.pin-project-lite]]
654 criteria = "safe-to-deploy"
658 criteria = "safe-to-deploy"
662 criteria = "safe-to-run"
664 [[exemptions.ppv-lite86]]
666 criteria = "safe-to-deploy"
668 [[exemptions.profiling]]
670 criteria = "safe-to-deploy"
674 criteria = "safe-to-deploy"
676 [[exemptions.prost-derive]]
678 criteria = "safe-to-deploy"
682 criteria = "safe-to-deploy"
684 [[exemptions.quick-error]]
686 criteria = "safe-to-deploy"
690 criteria = "safe-to-deploy"
692 [[exemptions.rand_chacha]]
694 criteria = "safe-to-deploy"
696 [[exemptions.rand_core]]
698 criteria = "safe-to-deploy"
700 [[exemptions.redox_syscall]]
702 criteria = "safe-to-deploy"
704 [[exemptions.remove_dir_all]]
706 criteria = "safe-to-deploy"
708 [[exemptions.replace_with]]
710 criteria = "safe-to-deploy"
712 [[exemptions.ringbuf]]
714 criteria = "safe-to-deploy"
718 criteria = "safe-to-deploy"
# Exemptions, continued: each entry is accepted at its criteria with no audit on
# record. NOTE(review): `version` lines and some headers are not visible in this
# listing, so some `criteria` lines appear without their table header. Entries at
# "safe-to-run" are exempted only at that weaker level and do not satisfy a
# safe-to-deploy requirement.
720 [[exemptions.runloop]]
722 criteria = "safe-to-deploy"
724 [[exemptions.rusqlite]]
726 criteria = "safe-to-deploy"
728 [[exemptions.rust-ini]]
730 criteria = "safe-to-deploy"
732 [[exemptions.rust_decimal]]
734 criteria = "safe-to-deploy"
736 [[exemptions.scroll]]
738 criteria = "safe-to-deploy"
740 [[exemptions.scroll_derive]]
742 criteria = "safe-to-deploy"
744 [[exemptions.self_cell]]
746 criteria = "safe-to-deploy"
748 [[exemptions.serde_with]]
750 criteria = "safe-to-deploy"
752 [[exemptions.serde_with_macros]]
754 criteria = "safe-to-deploy"
758 criteria = "safe-to-deploy"
762 criteria = "safe-to-deploy"
766 criteria = "safe-to-deploy"
768 [[exemptions.siphasher]]
770 criteria = "safe-to-deploy"
772 [[exemptions.socket2]]
774 criteria = "safe-to-deploy"
# NOTE(review): the header for this entry is not visible. The `+1.5.4` part is
# semver build metadata; presumably it records a bundled upstream library version.
# Verify against the crate.
777 version = "0.2.0+1.5.4"
778 criteria = "safe-to-deploy"
780 [[exemptions.stable_deref_trait]]
782 criteria = "safe-to-deploy"
784 [[exemptions.static_assertions]]
786 criteria = "safe-to-deploy"
788 [[exemptions.strsim]]
790 criteria = "safe-to-deploy"
792 [[exemptions.tempfile]]
794 criteria = "safe-to-deploy"
798 criteria = "safe-to-deploy"
802 criteria = "safe-to-run"
804 [[exemptions.time-macros]]
806 criteria = "safe-to-run"
810 criteria = "safe-to-run"
812 [[exemptions.triple_buffer]]
814 criteria = "safe-to-deploy"
816 [[exemptions.type-map]]
818 criteria = "safe-to-deploy"
820 [[exemptions.typenum]]
822 criteria = "safe-to-deploy"
824 [[exemptions.unix_path]]
826 criteria = "safe-to-run"
828 [[exemptions.unix_str]]
830 criteria = "safe-to-run"
834 criteria = "safe-to-deploy"
838 criteria = "safe-to-deploy"
840 [[exemptions.webrtc-sdp]]
842 criteria = "safe-to-deploy"
844 [[exemptions.winapi]]
846 criteria = "safe-to-deploy"
848 [[exemptions.winapi-i686-pc-windows-gnu]]
850 criteria = "safe-to-deploy"
852 [[exemptions.winapi-x86_64-pc-windows-gnu]]
854 criteria = "safe-to-deploy"
858 criteria = "safe-to-deploy"
860 [[exemptions.xml-rs]]
862 criteria = "safe-to-deploy"
866 criteria = "safe-to-run"