2 # cargo-vet config file
7 [imports.bytecode-alliance]
8 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
10 [imports.embark-studios]
11 url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
14 url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
17 url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
20 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
23 audit-as-crates-io = true
24 notes = "This is the upstream code plus a few local fixes, see bug 1685697."
27 audit-as-crates-io = true
28 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
31 audit-as-crates-io = true
32 notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
35 audit-as-crates-io = true
36 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
39 audit-as-crates-io = true
40 notes = "This is upstream plus a warning fix from bug 1823866."
43 audit-as-crates-io = true
44 notes = "Upstream release plus a couple unpublished changes"
46 [policy.cssparser-macros]
47 audit-as-crates-io = true
48 notes = "Upstream release plus a couple unpublished changes"
51 audit-as-crates-io = true
52 notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
55 audit-as-crates-io = true
56 notes = "Upstream version not to use syn 1.x"
58 [policy.diplomat-runtime]
59 audit-as-crates-io = true
60 notes = "Upstream version not to use syn 1.x"
62 [policy.diplomat_core]
63 audit-as-crates-io = true
64 notes = "Upstream version not to use syn 1.x"
66 [policy.firefox-on-glean]
67 audit-as-crates-io = false
68 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
71 audit-as-crates-io = false
72 criteria = "safe-to-run"
73 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
76 criteria = "safe-to-run"
77 notes = "Used for testing."
79 [policy.gkrust-shared]
80 dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
81 notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
84 criteria = "safe-to-run"
85 notes = "Used for fuzzing."
88 criteria = "safe-to-run"
89 notes = "Used for testing."
91 [policy.icu_provider_macros]
92 audit-as-crates-io = true
93 notes = "Upstream version not to use syn 1.x"
96 audit-as-crates-io = false
97 notes = "Customized ICU4X baked data only that Gecko wants"
100 dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
101 notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
104 audit-as-crates-io = false
105 notes = "This override is an api-compatible fork with an orthogonal implementation."
107 [policy.malloc_size_of_derive]
108 audit-as-crates-io = false
109 notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
112 audit-as-crates-io = false
113 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
116 audit-as-crates-io = true
117 notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
119 [policy."minidump-common:0.17.0@git:6ae42a7f992e8a88ebee661bc77bcedb95cd671f"]
120 audit-as-crates-io = true
121 notes = "Unreleased upstream."
123 [policy.minidump-writer]
124 audit-as-crates-io = true
125 notes = "Unreleased upstream."
127 [policy."mio:0.6.23"]
128 audit-as-crates-io = true
129 notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies."
132 audit-as-crates-io = false
133 notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
136 audit-as-crates-io = false
137 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
139 [policy.mozglue-static]
140 dependency-criteria = { rustc_version = "safe-to-run" }
141 notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
143 [policy.mozilla-central-workspace-hack]
144 audit-as-crates-io = false
145 criteria = "safe-to-run"
146 notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
149 audit-as-crates-io = false
150 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
153 audit-as-crates-io = false
154 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
157 audit-as-crates-io = false
158 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
161 audit-as-crates-io = false
163 [policy.mp4parse_capi]
164 audit-as-crates-io = false
167 audit-as-crates-io = true
168 notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
171 audit-as-crates-io = false
173 [policy.peek-poke-derive]
174 audit-as-crates-io = false
177 audit-as-crates-io = false
178 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
181 audit-as-crates-io = true
182 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
185 audit-as-crates-io = true
186 notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
189 audit-as-crates-io = true
190 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
193 audit-as-crates-io = true
194 notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
197 criteria = "safe-to-run"
198 notes = "We're not shipping this and have no plans to ship it."
201 audit-as-crates-io = false
202 notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
205 audit-as-crates-io = false
206 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
209 audit-as-crates-io = false
210 notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
213 audit-as-crates-io = true
214 notes = "This is a third-party crate, with an extra patch."
217 audit-as-crates-io = false
218 criteria = "safe-to-run"
219 notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
222 audit-as-crates-io = false
224 [policy.webrender_api]
225 audit-as-crates-io = false
227 [policy.webrender_build]
228 audit-as-crates-io = false
231 audit-as-crates-io = true
232 notes = "Upstream project which we pin."
235 audit-as-crates-io = true
236 notes = "Upstream project which we pin."
239 audit-as-crates-io = true
240 notes = "Upstream project which we pin."
242 [policy.wr_malloc_size_of]
243 audit-as-crates-io = false
246 audit-as-crates-io = true
247 notes = "Upstream version not to use syn 1.x"
249 [policy.zerofrom-derive]
250 audit-as-crates-io = true
251 notes = "Upstream version not to use syn 1.x"
253 [policy.zerovec-derive]
254 audit-as-crates-io = true
255 notes = "Upstream version not to use syn 1.x"
259 criteria = "safe-to-deploy"
263 criteria = "safe-to-deploy"
265 [[exemptions.alsa-sys]]
267 criteria = "safe-to-deploy"
269 [[exemptions.android_log-sys]]
271 criteria = "safe-to-deploy"
273 [[exemptions.askama_derive]]
275 criteria = "safe-to-deploy"
277 [[exemptions.askama_escape]]
279 criteria = "safe-to-deploy"
281 [[exemptions.async-task]]
283 criteria = "safe-to-deploy"
285 [[exemptions.bincode]]
287 criteria = "safe-to-deploy"
289 [[exemptions.bitflags]]
291 criteria = "safe-to-deploy"
293 [[exemptions.bitreader]]
295 criteria = "safe-to-deploy"
299 criteria = "safe-to-deploy"
301 [[exemptions.cache-padded]]
303 criteria = "safe-to-deploy"
305 [[exemptions.camino]]
307 criteria = "safe-to-deploy"
309 [[exemptions.chrono]]
311 criteria = "safe-to-deploy"
313 [[exemptions.chunky-vec]]
315 criteria = "safe-to-deploy"
317 [[exemptions.clang-sys]]
319 criteria = "safe-to-deploy"
321 [[exemptions.cookie]]
323 criteria = "safe-to-run"
325 [[exemptions.coreaudio-sys]]
327 criteria = "safe-to-deploy"
329 [[exemptions.coremidi]]
330 version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
331 criteria = "safe-to-deploy"
333 [[exemptions.coremidi-sys]]
335 criteria = "safe-to-deploy"
339 criteria = "safe-to-deploy"
341 [[exemptions.cose-c]]
343 criteria = "safe-to-deploy"
345 [[exemptions.cpufeatures]]
347 criteria = "safe-to-deploy"
349 [[exemptions.crc32fast]]
351 criteria = "safe-to-deploy"
353 [[exemptions.crossbeam-channel]]
355 criteria = "safe-to-deploy"
357 [[exemptions.crossbeam-deque]]
359 criteria = "safe-to-deploy"
361 [[exemptions.crossbeam-epoch]]
363 criteria = "safe-to-deploy"
365 [[exemptions.crossbeam-utils]]
367 criteria = "safe-to-deploy"
371 criteria = "safe-to-deploy"
373 [[exemptions.darling]]
375 criteria = "safe-to-deploy"
377 [[exemptions.darling_core]]
379 criteria = "safe-to-deploy"
381 [[exemptions.darling_macro]]
383 criteria = "safe-to-deploy"
385 [[exemptions.data-encoding]]
387 criteria = "safe-to-deploy"
391 criteria = "safe-to-deploy"
393 [[exemptions.derive_more-impl]]
394 version = "1.0.0-beta.2"
395 criteria = "safe-to-deploy"
396 notes = "The crate is new to version 1.0.x, and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information."
398 [[exemptions.devd-rs]]
400 criteria = "safe-to-deploy"
402 [[exemptions.digest]]
404 criteria = "safe-to-deploy"
408 criteria = "safe-to-deploy"
410 [[exemptions.dirs-sys]]
412 criteria = "safe-to-deploy"
414 [[exemptions.dns-parser]]
416 criteria = "safe-to-deploy"
418 [[exemptions.enumset]]
420 criteria = "safe-to-deploy"
422 [[exemptions.enumset_derive]]
424 criteria = "safe-to-deploy"
426 [[exemptions.env_logger]]
428 criteria = "safe-to-deploy"
430 [[exemptions.error-chain]]
432 criteria = "safe-to-deploy"
434 [[exemptions.fallible-iterator]]
436 criteria = "safe-to-deploy"
438 [[exemptions.fallible-streaming-iterator]]
440 criteria = "safe-to-deploy"
442 [[exemptions.fallible_collections]]
444 criteria = "safe-to-deploy"
446 [[exemptions.ffi-support]]
448 criteria = "safe-to-deploy"
450 [[exemptions.float-cmp]]
452 criteria = "safe-to-deploy"
454 [[exemptions.fs-err]]
456 criteria = "safe-to-deploy"
458 [[exemptions.fuchsia-zircon]]
460 criteria = "safe-to-run"
462 [[exemptions.fuchsia-zircon-sys]]
464 criteria = "safe-to-run"
466 [[exemptions.futures-macro]]
468 criteria = "safe-to-deploy"
470 [[exemptions.futures-task]]
472 criteria = "safe-to-deploy"
474 [[exemptions.futures-util]]
476 criteria = "safe-to-deploy"
478 [[exemptions.generic-array]]
480 criteria = "safe-to-deploy"
482 [[exemptions.getrandom]]
484 criteria = "safe-to-deploy"
486 [[exemptions.gl_generator]]
488 criteria = "safe-to-deploy"
492 criteria = "safe-to-deploy"
494 [[exemptions.goblin]]
496 criteria = "safe-to-deploy"
498 [[exemptions.gpu-alloc]]
500 criteria = "safe-to-deploy"
502 [[exemptions.gpu-alloc-types]]
504 criteria = "safe-to-deploy"
506 [[exemptions.gpu-descriptor]]
508 criteria = "safe-to-deploy"
510 [[exemptions.gpu-descriptor-types]]
512 criteria = "safe-to-deploy"
514 [[exemptions.hashlink]]
516 criteria = "safe-to-deploy"
518 [[exemptions.hermit-abi]]
520 criteria = "safe-to-deploy"
522 [[exemptions.hexf-parse]]
524 criteria = "safe-to-deploy"
526 [[exemptions.ioctl-sys]]
528 criteria = "safe-to-deploy"
530 [[exemptions.itertools]]
532 criteria = "safe-to-deploy"
534 [[exemptions.khronos-egl]]
536 criteria = "safe-to-deploy"
538 [[exemptions.khronos_api]]
540 criteria = "safe-to-deploy"
542 [[exemptions.lazycell]]
544 criteria = "safe-to-deploy"
546 [[exemptions.libdbus-sys]]
548 criteria = "safe-to-deploy"
550 [[exemptions.libloading]]
552 criteria = "safe-to-deploy"
554 [[exemptions.libsqlite3-sys]]
556 criteria = "safe-to-deploy"
558 notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
560 [[exemptions.libudev]]
562 criteria = "safe-to-deploy"
564 [[exemptions.lmdb-rkv-sys]]
566 criteria = "safe-to-deploy"
568 notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
572 criteria = "safe-to-deploy"
574 [[exemptions.memalloc]]
576 criteria = "safe-to-deploy"
578 [[exemptions.memmap2]]
580 criteria = "safe-to-deploy"
582 [[exemptions.memoffset]]
584 criteria = "safe-to-deploy"
588 criteria = "safe-to-deploy"
590 [[exemptions.mime_guess]]
592 criteria = "safe-to-deploy"
594 [[exemptions.minimal-lexical]]
596 criteria = "safe-to-deploy"
600 criteria = "safe-to-deploy"
602 [[exemptions.mio-extras]]
604 criteria = "safe-to-run"
608 criteria = "safe-to-run"
610 [[exemptions.murmurhash3]]
612 criteria = "safe-to-deploy"
616 criteria = "safe-to-run"
620 criteria = "safe-to-deploy"
624 criteria = "safe-to-deploy"
628 criteria = "safe-to-deploy"
630 [[exemptions.objc_exception]]
632 criteria = "safe-to-deploy"
634 [[exemptions.object]]
636 criteria = "safe-to-deploy"
638 [[exemptions.once_cell]]
640 criteria = "safe-to-deploy"
642 [[exemptions.owning_ref]]
644 criteria = "safe-to-deploy"
646 [[exemptions.packed_simd]]
648 criteria = "safe-to-deploy"
652 criteria = "safe-to-deploy"
654 [[exemptions.phf_codegen]]
656 criteria = "safe-to-deploy"
658 [[exemptions.phf_generator]]
660 criteria = "safe-to-deploy"
662 [[exemptions.phf_macros]]
664 criteria = "safe-to-deploy"
666 [[exemptions.phf_shared]]
668 criteria = "safe-to-deploy"
672 criteria = "safe-to-deploy"
676 criteria = "safe-to-run"
678 [[exemptions.ppv-lite86]]
680 criteria = "safe-to-deploy"
682 [[exemptions.profiling]]
684 criteria = "safe-to-deploy"
688 criteria = "safe-to-deploy"
690 [[exemptions.prost-derive]]
692 criteria = "safe-to-deploy"
694 [[exemptions.quick-error]]
696 criteria = "safe-to-deploy"
700 criteria = "safe-to-deploy"
702 [[exemptions.remove_dir_all]]
704 criteria = "safe-to-deploy"
706 [[exemptions.replace_with]]
708 criteria = "safe-to-deploy"
710 [[exemptions.ringbuf]]
712 criteria = "safe-to-deploy"
716 criteria = "safe-to-deploy"
718 [[exemptions.runloop]]
720 criteria = "safe-to-deploy"
722 [[exemptions.rusqlite]]
724 criteria = "safe-to-deploy"
726 [[exemptions.rust-ini]]
728 criteria = "safe-to-deploy"
730 [[exemptions.rust_decimal]]
732 criteria = "safe-to-deploy"
734 [[exemptions.scroll]]
736 criteria = "safe-to-deploy"
738 [[exemptions.scroll_derive]]
740 criteria = "safe-to-deploy"
742 [[exemptions.self_cell]]
744 criteria = "safe-to-deploy"
746 [[exemptions.serde_with]]
748 criteria = "safe-to-deploy"
750 [[exemptions.serde_with_macros]]
752 criteria = "safe-to-deploy"
756 criteria = "safe-to-deploy"
760 criteria = "safe-to-deploy"
762 [[exemptions.siphasher]]
764 criteria = "safe-to-deploy"
766 [[exemptions.socket2]]
768 criteria = "safe-to-deploy"
771 version = "0.2.0+1.5.4"
772 criteria = "safe-to-deploy"
774 [[exemptions.stable_deref_trait]]
776 criteria = "safe-to-deploy"
778 [[exemptions.static_assertions]]
780 criteria = "safe-to-deploy"
782 [[exemptions.strsim]]
784 criteria = "safe-to-deploy"
786 [[exemptions.tempfile]]
788 criteria = "safe-to-deploy"
792 criteria = "safe-to-deploy"
794 [[exemptions.triple_buffer]]
796 criteria = "safe-to-deploy"
798 [[exemptions.type-map]]
800 criteria = "safe-to-deploy"
802 [[exemptions.typenum]]
804 criteria = "safe-to-deploy"
806 [[exemptions.unix_path]]
808 criteria = "safe-to-run"
810 [[exemptions.unix_str]]
812 criteria = "safe-to-run"
816 criteria = "safe-to-deploy"
818 [[exemptions.webrtc-sdp]]
820 criteria = "safe-to-deploy"
822 [[exemptions.winapi]]
824 criteria = "safe-to-deploy"
826 [[exemptions.winapi-i686-pc-windows-gnu]]
828 criteria = "safe-to-deploy"
830 [[exemptions.winapi-x86_64-pc-windows-gnu]]
832 criteria = "safe-to-deploy"
836 criteria = "safe-to-deploy"
838 [[exemptions.xml-rs]]
840 criteria = "safe-to-deploy"
844 criteria = "safe-to-run"