# cargo-vet imports lock
[[publisher.bumpalo]]
version = "3.19.0"
when = "2025-06-24"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"
[[publisher.core-foundation]]
version = "0.9.3"
when = "2022-02-07"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"
[[publisher.core-graphics]]
version = "0.22.3"
when = "2021-11-02"
user-id = 5946
user-login = "jrmuizel"
user-name = "Jeff Muizelaar"
[[publisher.core-graphics-types]]
version = "0.1.1"
when = "2020-09-15"
user-id = 2396
user-login = "jdm"
user-name = "Josh Matthews"
[[publisher.encoding_rs]]
version = "0.8.35"
when = "2024-10-24"
user-id = 4484
user-login = "hsivonen"
user-name = "Henri Sivonen"
[[publisher.etagere]]
version = "0.2.15"
when = "2025-01-21"
user-id = 1281
user-login = "nical"
user-name = "Nicolas Silva"
[[publisher.euclid]]
version = "0.22.11"
when = "2024-08-28"
user-id = 1281
user-login = "nical"
user-name = "Nicolas Silva"
[[publisher.presser]]
version = "0.3.1"
when = "2022-10-16"
user-id = 52553
user-login = "embark-studios"
[[publisher.unicode-segmentation]]
version = "1.12.0"
when = "2024-09-13"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.unicode-width]]
version = "0.2.1"
when = "2025-06-09"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.utf8_iter]]
version = "1.0.4"
when = "2023-12-01"
user-id = 4484
user-login = "hsivonen"
user-name = "Henri Sivonen"
[[publisher.wasi]]
version = "0.14.6+wasi-0.2.4"
when = "2025-09-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasip2]]
version = "1.0.1+wasi-0.2.4"
when = "2025-09-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-bindgen]]
version = "0.43.0"
when = "2025-06-24"
user-id = 73222
user-login = "wasmtime-publish"
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2026-08-21"
[[audits.bytecode-alliance.wildcard-audits.wasi]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2025-08-10"
end = "2026-08-21"
notes = """
This is a Bytecode Alliance authored crate.
"""
[[audits.bytecode-alliance.wildcard-audits.wasip2]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2025-08-10"
end = "2026-08-21"
notes = """
This is a Bytecode Alliance authored crate.
"""
[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-01-01"
end = "2026-06-03"
notes = """
The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate
publication of this crate from CI. This repository requires all PRs are reviewed
by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself.
"""
[[audits.bytecode-alliance.audits.adler2]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.0.0"
notes = "Fork of the original `adler` crate, zero unsfae code, works in `no_std`, does what it says on th tin."
[[audits.bytecode-alliance.audits.allocator-api2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.2.18 -> 0.2.20"
notes = """
The changes appear to be reasonable updates from Rust's stdlib imported into
`allocator-api2`'s copy of this code.
"""
[[audits.bytecode-alliance.audits.anes]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.6"
notes = "Contains no unsafe code, no IO, no build.rs."
[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is
doing. Well tested, has quickchecks.
"""
[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"
[[audits.bytecode-alliance.audits.cfg-if]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.crossbeam-epoch]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.9.15 -> 0.9.18"
notes = "Nontrivial update but mostly around dependencies and how `unsafe` code is managed. Everything looks the same shape as before."
[[audits.bytecode-alliance.audits.crypto-common]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
version = "0.1.3"
[[audits.bytecode-alliance.audits.embedded-io]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "No `unsafe` code and only uses `std` in ways one would expect the crate to do so."
[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
notes = """
This update had a few doc updates but no otherwise-substantial source code
updates.
"""
[[audits.bytecode-alliance.audits.fastrand]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "2.1.1 -> 2.3.0"
notes = "Minor refactoring, nothing new."
[[audits.bytecode-alliance.audits.foreign-types]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.2"
notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well."
[[audits.bytecode-alliance.audits.foreign-types-shared]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
[[audits.bytecode-alliance.audits.futures]]
who = "Joel Dice <joel.dice@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.31"
[[audits.bytecode-alliance.audits.futures-channel]]
who = "Joel Dice <joel.dice@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.31"
[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey <pat@moreproductive.org>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.31"
[[audits.bytecode-alliance.audits.futures-executor]]
who = "Joel Dice <joel.dice@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.31"
[[audits.bytecode-alliance.audits.futures-io]]
who = "Joel Dice <joel.dice@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.31"
[[audits.bytecode-alliance.audits.futures-macro]]
who = "Joel Dice <joel.dice@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.31"
[[audits.bytecode-alliance.audits.futures-sink]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
[[audits.bytecode-alliance.audits.futures-sink]]
who = "Pat Hickey <pat@moreproductive.org>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.31"
[[audits.bytecode-alliance.audits.gimli]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.29.0 -> 0.31.0"
notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate."
[[audits.bytecode-alliance.audits.gimli]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.31.1"
notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!"
[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected."
[[audits.bytecode-alliance.audits.http-body]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.0.0-rc.2"
[[audits.bytecode-alliance.audits.http-body]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.0-rc.2 -> 1.0.0"
notes = "Only minor changes made for a stable release."
[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.1.2"
[[audits.bytecode-alliance.audits.itertools]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.10.5 -> 0.12.1"
notes = """
Minimal `unsafe` usage. Few blocks that existed looked reasonable. Does what it
says on the tin: lots of iterators.
"""
[[audits.bytecode-alliance.audits.itertools]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.12.1 -> 0.14.0"
notes = """
Lots of new iterators and shuffling some things around. Some new unsafe code but
it's well-documented and well-tested. Nothing suspicious.
"""
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
This crate is a Rust implementation of zlib compression/decompression and has
been used by default by the Rust standard library for quite some time. It's also
a default dependency of the popular `backtrace` crate for decompressing debug
information. This crate forbids unsafe code and does not otherwise access system
resources. It's originally a port of the `miniz.c` library as well, and given
its own longevity should be relatively hardened against some of the more common
compression-related issues.
"""
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.7.1 -> 0.8.0"
notes = "Minor updates, using new Rust features like `const`, no major changes."
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.8.5"
notes = """
Lots of small updates here and there, for example around modernizing Rust
idioms. No new `unsafe` code and everything looks like what you'd expect a
compression library to be doing.
"""
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.8.5 -> 0.8.9"
notes = "No new unsafe code, just refactorings."
[[audits.bytecode-alliance.audits.native-tls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.11"
notes = "build is only looking for environment variables to set cfg. only two minor uses of unsafe,on macos, with ffi bindings to digest primitives and libc atexit. otherwise, this is an abstraction over three very complex systems (schannel, security-framework, and openssl) which may end up having subtle differences, but none of those are apparent from the implementation of this crate"
[[audits.bytecode-alliance.audits.native-tls]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.11 -> 0.2.14"
notes = "Minor changes, mostly around updating some dependencies, directives, etc."
[[audits.bytecode-alliance.audits.pin-utils]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
[[audits.bytecode-alliance.audits.shlex]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin."
[[audits.bytecode-alliance.audits.tokio-native-tls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.1"
notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly."
[[audits.bytecode-alliance.audits.try-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"
[[audits.bytecode-alliance.audits.vcpkg]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
[[audits.bytecode-alliance.audits.want]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
[[audits.bytecode-alliance.audits.wit-bindgen]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.43.0 -> 0.45.0"
notes = "The Bytecode Alliance is the author of this crate"
[[audits.bytecode-alliance.audits.wit-bindgen]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.45.0 -> 0.45.1"
notes = "The Bytecode Alliance is the author of this crate"
[[audits.bytecode-alliance.audits.wit-bindgen]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.45.1 -> 0.46.0"
notes = "The Bytecode Alliance is the author of this crate"
[[audits.embark-studios.wildcard-audits.presser]]
who = "Gray Olson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
user-id = 52553 # embark-studios
start = "2021-01-01"
end = "2024-05-23"
notes = """
Small crate with no dependencies and no ambient capabilities. The safe interface of the crate
is gated behind unsafe implementation of a core trait, and care must be taken to ensure that
the relevant invariants are guaranteed when doing so. Maintained by the Ark team at Embark
and used in production.
"""
[[audits.embark-studios.audits.cfg_aliases]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "No unsafe usage or ambient capabilities"
[[audits.embark-studios.audits.jni]]
who = "Robert Bragg <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "0.21.1"
notes = """
Aims to provide a safe JNI (Java Native Interface) API over the
unsafe `jni_sys` crate.
This is a very general FFI abstraction for Java VMs with a lot of unsafe code
throughout the API. There are almost certainly some edge cases with its design
that could lead to unsound behaviour but it should still be considerably safer
than working with JNI directly.
A lot of the unsafe usage relates to quite-simple use of `from_raw` APIs to
construct or cast wrapper types (around JNI pointers) which are fairly
straight-forward to verify/trust in context.
Some unsafe code has good `// # Safety` documentation (this has been enforced for
newer code) but a lot of unsafe code doesn't document invariants that are
being relied on.
The design depends on non-trivial named lifetimes across many APIs to associate
Java local references with JNI stack frames.
The crate is not very actively maintained and was practically unmaintained for
over a year before the 0.20 release.
Robert Bragg who now works at Embark Studios became the maintainer of this
crate in October 2022.
In the process of working on the `jni` crate since becoming maintainer it's
worth noting that I came across multiple APIs that I found needed to be
re-worked to address safety issues, including ensuring that APIs that are not
implemented safely are correctly declared as `unsafe`.
There has been a focus on improving safety in the last two release.
The jni crate has been used in production with the Signal messaging application
for over two years:
https://github.com/signalapp/libsignal/blob/main/rust/bridge/jni/Cargo.toml
# Some Notable Open Issues
- https://github.com/jni-rs/jni-rs/issues/422 - questions soundness of linking
multiple versions of jni crate into an application, considering the use
of (separately scoped) thread-local-storage to track thread attachments
- https://github.com/jni-rs/jni-rs/issues/405 - discusses the ease with which
code may expose the JVM to invalid booleans with undefined behaviour
"""
[[audits.embark-studios.audits.ndk-context]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "Tiny crate that initializes Android with FFI, looks sane. No other ambient capabilities"
[[audits.embark-studios.audits.thiserror]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"
[[audits.embark-studios.audits.thiserror-impl]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Found no unsafe or ambient capabilities used"
[audits.fermyon.audits]
[[audits.google.audits.android_system_properties]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "Android system API FFI"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.arrayvec]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.7.6"
notes = '''
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'` and there were
no hits, except for some `net` usage in tests.
The crate has quite a few bits of `unsafe` Rust. The audit comments can be
found in https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.ash]]
who = "Chia-I Wu <olv@google.com>"
criteria = "safe-to-run"
version = "0.38.0+1.3.281"
notes = "Vulkan binding mostly generated from vk.xml"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.autocfg]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.base64]]
who = "amarjotgill <amarjotgill@google.com>"
criteria = "safe-to-deploy"
version = "0.22.1"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.bit-set]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.5.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.bit-vec]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.6.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.bitflags]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "1.3.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.byteorder]]
who = "danakj <danakj@chromium.org>"
criteria = "safe-to-deploy"
version = "1.5.0"
notes = "Unsafe review in https://crrev.com/c/5838022"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.cast]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.3.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.ciborium]]
who = "Daniel Verkamp <dverkamp@chromium.org>"
criteria = "safe-to-run"
version = "0.2.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.ciborium-io]]
who = "Daniel Verkamp <dverkamp@chromium.org>"
criteria = "safe-to-run"
version = "0.2.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.ciborium-ll]]
who = "Daniel Verkamp <dverkamp@chromium.org>"
criteria = "safe-to-run"
version = "0.2.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.codespan-reporting]]
who = "danakj@chromium.org"
criteria = "safe-to-run"
version = "0.11.1"
notes = """
Reviewed in https://crrev.com/c/5171063
Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.core-foundation-sys]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.8.7"
notes = "OSX system APIs"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.crossbeam-epoch]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.9.14"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.crossbeam-epoch]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
delta = "0.9.14 -> 0.9.15"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.dasp_sample]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.11.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.displaydoc]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "No unsafe code"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.drm]]
who = "Justin Green <greenjustin@google.com>"
criteria = "safe-to-run"
version = "0.12.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.drm-ffi]]
who = "Justin Green <greenjustin@google.com>"
criteria = "safe-to-run"
version = "0.8.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.drm-fourcc]]
who = "Justin Green <greenjustin@google.com>"
criteria = "safe-to-run"
version = "2.2.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.drm-sys]]
who = "Justin Green <greenjustin@google.com>"
criteria = "safe-to-run"
version = "0.7.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.either]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "1.13.0"
notes = "Unsafe code pertaining to wrapping Pin APIs. Mostly passes invariants down."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.either]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.13.0 -> 1.14.0"
notes = """
Inheriting ub-risk-1 from the baseline review of 1.13.0. While the delta has some diffs in unsafe code, they are either:
- migrating code to use helper macros
- migrating match patterns to take advantage of default bindings mode from RFC 2005
Either way, the result is code that does exactly the same thing and does not change the risk of UB.
See https://crrev.com/c/6323164 for more audit details.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.either]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.14.0 -> 1.15.0"
notes = "The delta in `lib.rs` only tweaks doc comments and `#[cfg(feature = \"std\")]`."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.equivalent]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.0.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.equivalent]]
who = "Jonathan Hao <phao@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.2"
notes = "No changes to any .rs files or Rust code."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.fastrand]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says
that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.fdeflate]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.3.4"
notes = '''
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
and there were no hits.
Note that some additional, internal notes about an older version of this crate
can be found at go/image-crate-chromium-security-review.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.fdeflate]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.3.4 -> 0.3.5"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.fdeflate]]
who = "Dustin J. Mitchell <djmitche@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.3.5 -> 0.3.6"
notes = "No unsafe, no crypto, mysterious tables replaced with const expressions"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.fdeflate]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.3.6 -> 0.3.7"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.foldhash]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.1.3"
notes = """
`ub-risk-2` review notes can be found in https://crrev.com/c/6071306/5/third_party/rust/chromium_crates_io/vendor/foldhash-0.1.3/src/seed.rs
`does-not-implement-crypto` based on `README.md` which explicitly says that
\"Foldhash is **not appropriate for any cryptographic purpose**.\"
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.foldhash]]
who = "Adrian Taylor <adetaylor@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.4"
notes = "No changes to safety-relevant code"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.foldhash]]
who = "Chris Palmer <palmer@google.com>"
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.5"
notes = "No new `unsafe`."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.heck]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and there were no hits.
`heck` (version `0.3.3`) has been added to Chromium in
https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.httpdate]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.0.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.icu_collections]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta1"
notes = """
Two instances of unsafe :
- Non-safety related unsafe API that imposes additional invariants
- `from_utf8` for known-UTF8 integer
Comments added/improved in https://github.com/unicode-org/icu4x/pull/6056.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_collections]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta1 -> 2.0.0-beta2"
notes = "from_utf8 unsafe removed. no new unsafe added"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_locale_core]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta2"
notes = """
All unsafe code commented (and improved from prior version):
- A checklisted ULE impl
- from-utf8 code on known-ASCII
- Some unchecked indexing around maintained invariants
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_normalizer]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta2"
notes = """
All unsafe is unchecked `char` and `str` conversion, mostly well-commented.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_normalizer_data]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta1"
notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_normalizer_data]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta1 -> 2.0.0-beta2"
notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_properties]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta2"
notes = "All unsafe was removed"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_properties_data]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta1"
notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_properties_data]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta1 -> 2.0.0-beta2"
notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_provider]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "2.0.0-beta1"
notes = """
All unsafe code commented:
- Minor unsafe transmutes between types which are identical but not type-system-provably so.
- One unsafe EqULE impl
- Some repr(transparent) transmutes
- A from_utf8_unchecked for an ascii-validated string
Comment improvements can be found in https://github.com/unicode-org/icu4x/pull/6056
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.icu_provider]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta1 -> 2.0.0-beta2"
notes = "from_utf8_unchecked unsafe remove, all other unsafe not meaningfully changed"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.itertools]]
who = "ChromeOS"
criteria = "safe-to-run"
version = "0.10.5"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.itertools]]
who = "agl@chromium.org"
criteria = "safe-to-run"
version = "0.11.0"
notes = """
This is 12K lines of code, plus 6K lines of tests and benchmarks.
It has minimal use of unsafe and so I have paged though it all with \"::\"
highlighted and paid attention to which imported functions are being called.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.itoa]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.10"
notes = '''
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
There are a few places where `unsafe` is used. Unsafe review notes can be found
in https://crrev.com/c/5350697.
Version 1.0.1 of this crate has been added to Chromium in
https://crrev.com/c/3321896.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.itoa]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.10 -> 1.0.11"
notes = """
Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits:
* Bumping up the version
* A touch up of comments
* And my own PR to make `unsafe` blocks more granular:
https://github.com/dtolnay/itoa/pull/42
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.itoa]]
who = "Liza Burakova <liza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.11 -> 1.0.14"
notes = """
Unsafe review at https://crrev.com/c/6051067
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.itoa]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.14 -> 1.0.15"
notes = "Only minor rustdoc changes."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.lazy_static]]
who = "Android Legacy"
criteria = "safe-to-run"
version = "1.4.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.4.0 -> 1.5.0"
notes = "Unsafe review notes: https://crrev.com/c/5650836"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.linux-raw-sys]]
who = "Justin Green <greenjustin@google.com>"
criteria = "safe-to-run"
version = "0.6.5"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.litemap]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.7.4"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.litemap]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.7.4 -> 0.7.5"
notes = "Delta implements the entry API but doesn't add or change any unsafe code."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.num-derive]]
who = "Android Legacy"
criteria = "safe-to-run"
version = "0.3.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.num-derive]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
delta = "0.3.3 -> 0.4.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.num-integer]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.1.46"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.num-rational]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.4.2"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.num-traits]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.2.19"
notes = "Contains a single line of float-to-int unsafe with decent safety comments"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.num_cpus]]
who = "Android Legacy"
criteria = "safe-to-run"
version = "1.13.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.num_cpus]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
delta = "1.13.0 -> 1.16.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.openssl-macros]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.openssl-macros]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.pin-project-lite]]
who = "David Koloski <dkoloski@google.com>"
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "Reviewed on https://fxrev.dev/824504"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.pin-project-lite]]
who = "David Koloski <dkoloski@google.com>"
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
notes = "Audited at https://fxrev.dev/946396"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.png]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.17.13"
notes = '''
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`
and there were no hits except for reasonable, client-controlled usage of
`std::fs::File` in tests in `src/encoder.rs`, tests in `src/decoder/stream.rs`,
and in some example code.
Note that some additional, internal notes about an older version of this crate
can be found at go/image-crate-chromium-security-review.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.png]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.17.13 -> 0.17.14"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.png]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.17.14 -> 0.17.15"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.png]]
who = "Adrian Taylor <adetaylor@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.17.15 -> 0.17.16"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.quick-xml]]
who = "Matthew DeVore <matvore@chromium.org>"
criteria = "safe-to-run"
version = "0.30.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.quote]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.35"
notes = """
Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits
(except for benign \"net\" hit in tests and \"fs\" hit in README.md)
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.quote]]
who = "Adrian Taylor <adetaylor@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.35 -> 1.0.36"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.quote]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.36 -> 1.0.37"
notes = """
The delta just 1) inlines/expands `impl ToTokens` that used to be handled via
`primitive!` macro and 2) adds `impl ToTokens` for `CStr` and `CString`.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.quote]]
who = "Dustin J. Mitchell <djmitche@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.37 -> 1.0.38"
notes = "Still no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.quote]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.38 -> 1.0.39"
notes = "Only minor changes for clippy lints and documentation."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.quote]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.39 -> 1.0.40"
notes = """
The delta is just a simplification of how `tokens.extend(...)` call is made.
Still no `unsafe` anywhere.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.rand]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.8.5"
notes = """
For more detailed unsafe review notes please see https://crrev.com/c/6362797
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.rand_chacha]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.3.1"
notes = """
For more detailed unsafe review notes please see https://crrev.com/c/6362797
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.rand_core]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.6.4"
notes = """
For more detailed unsafe review notes please see https://crrev.com/c/6362797
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.rustc-hash]]
who = "Android Legacy"
criteria = "safe-to-run"
version = "1.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.same-file]]
who = "Android Legacy"
criteria = "safe-to-run"
version = "1.0.6"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.scoped-tls]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "1.0.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.simd-adler32]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.3.7"
notes = """
Security review of earlier versions of the crate can be found at
(Google-internal, sorry): go/image-crate-chromium-security-review
Audit comments for 1.3.2 can be found at https://crrev.com/c/4723145.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.stable_deref_trait]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "1.2.0"
notes = "Purely a trait, crates using this should be carefully vetted since self-referential stuff can be super tricky around various unsafe rust edges."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.static_assertions]]
who = "ChromeOS"
criteria = "safe-to-run"
version = "1.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.strsim]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "0.10.0"
notes = """
Reviewed in https://crrev.com/c/5171063
Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.synstructure]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.13.1"
notes = "Exposes unsafe codegen APIs but does not itself contain unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.termcolor]]
who = "danakj@chromium.org"
criteria = "safe-to-run"
version = "1.4.0"
notes = """
Reviewed in https://crrev.com/c/5171063
Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.termcolor]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-run"
delta = "1.4.0 -> 1.4.1"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.tinytemplate]]
who = "Ying Hsu <yinghsu@chromium.org>"
criteria = "safe-to-run"
version = "1.2.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.tinyvec_macros]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.unicode-bidi]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.3.18"
notes = "Contains one line of repr(transparent) unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.unicode-linebreak]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and there were no hits.
Version `0.1.2` of this crate has been added to Chromium in
https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb
The CL description contains a link to a Google-internal document with audit details.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.utf8parse]]
who = "David Koloski <dkoloski@google.com>"
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Reviewed on https://fxrev.dev/904811"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.writeable]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.6.0"
notes = "Contains three lines of unsafe, thoroughly commented: one is for from-UTF8 on ASCII, the other two are for from-UTF8 on a datastructure that keeps track of a buffer with partial UTF8 validation. Relatively straigtforward."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.writeable]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.6.1"
notes = "Minor comment/documentation updates and switch to a non-panicking alternative to split_at()."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.yoke]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.7.5"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.yoke]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.7.5 -> 0.8.0"
notes = """
Cleaning up a previous hack for adding trait bounds to yoke objects. Unsafe changes:
- deleting the hack itself removes a lot of unsafe use required in the hack's implementation
- changes another unsafe use to remove the use of the hack, now that it's no longer needed
See https://crrev.com/c/6323349 for more audit notes.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.yoke-derive]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.7.5"
notes = "Custom derive implementing the `Yokeable` trait. Generally generates simple code that asserts covariance."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.yoke-derive]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.7.5 -> 0.8.0"
notes = "No code changes: only incrementing the version."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.zerofrom]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.zerofrom]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.1.5 -> 0.1.6"
notes = "Only minor cfg tweaks."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.zerofrom-derive]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "Contains no unsafe"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.zerofrom-derive]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.1.5 -> 0.1.6"
notes = "Only a minor clippy adjustment."
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.zerotrie]]
who = "Manish Goregaokar <manishearth@google.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
notes = "Minor repr(transparent) unsafe code. Improved comments in https://github.com/unicode-org/icu4x/pull/6054"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.zerotrie]]
who = "Daniel Cheng <dcheng@chromium.org>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.1"
notes = """
Changes in unsafe blocks are wrapping direct calls to `core::mem::transmute` with the `transparent_ref_from_store` wrapper.
No safety guarantees change, but providing the `transparent_ref_from_store` as a wrapper provides a convenient marker that this transmute operation is actually sound.
See https://crrev.com/c/6323349 for more audit notes.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.isrg.audits.block-buffer]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.9.0"
[[audits.isrg.audits.cfg-if]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.0.1"
[[audits.isrg.audits.cfg-if]]
who = "J.C. Jones <jc@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.3"
[[audits.isrg.audits.itertools]]
who = "Tim Geoghegan <timg@divviup.org>"
criteria = "safe-to-run"
delta = "0.14.0 -> 0.13.0"
notes = "This *downgrade* only removes `unsafe` code."
[[audits.isrg.audits.rayon]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"
[[audits.isrg.audits.rayon]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"
[[audits.isrg.audits.rayon]]
who = "Ameer Ghani <inahga@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"
[[audits.isrg.audits.rayon]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.9.0"
[[audits.isrg.audits.rayon]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.9.0 -> 1.10.0"
[[audits.isrg.audits.rayon]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.10.0 -> 1.11.0"
notes = """
I compared src/slice/sort.rs against the file library/core/src/slice/sort.rs
from the standard library, as of commit e501add.
"""
[[audits.isrg.audits.rayon-core]]
who = "Ameer Ghani <inahga@divviup.org>"
criteria = "safe-to-deploy"
version = "1.12.1"
[[audits.isrg.audits.rayon-core]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.12.1 -> 1.13.0"
[[audits.isrg.audits.subtle]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "2.5.0 -> 2.6.1"
[[audits.isrg.audits.thiserror]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.0.40 -> 1.0.43"
[[audits.isrg.audits.thiserror-impl]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.0.40 -> 1.0.43"
[[audits.mozilla.wildcard-audits.core-foundation]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2019-03-29"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.core-graphics]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 5946 # Jeff Muizelaar (jrmuizel)
start = "2020-12-08"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.core-graphics-types]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 2396 # Josh Matthews (jdm)
start = "2020-07-20"
end = "2023-05-04"
renew = false
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.encoding_rs]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
user-id = 4484 # Henri Sivonen (hsivonen)
start = "2019-02-26"
end = "2025-10-23"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.etagere]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
user-id = 1281 # Nicolas Silva (nical)
start = "2020-11-12"
end = "2025-06-01"
notes = "I am the author of this crate."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.euclid]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
user-id = 1281 # Nicolas Silva (nical)
start = "2019-03-14"
end = "2025-04-25"
notes = "I wrote most of the commits in the euclid reprository and review every change that is not produced by me."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.unicode-segmentation]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-05-15"
end = "2026-02-01"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.unicode-width]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-12-05"
end = "2026-02-01"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.utf8_iter]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
user-id = 4484 # Henri Sivonen (hsivonen)
start = "2022-04-19"
end = "2024-06-16"
notes = "Maintained by Henri Sivonen who works at Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.allocator-api2]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.2.18"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.allocator-api2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.20 -> 0.2.21"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-set]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.5.3 -> 0.6.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-set]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.8.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-vec]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.6.3 -> 0.7.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-vec]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.8.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.block-buffer]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.cfg_aliases]]
who = "Alex Franchuk <afranchuk@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.2.1"
notes = "Very minor changes."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.codespan-reporting]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.11.1 -> 0.12.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.core-foundation]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.9.4"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.core-graphics]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.22.3 -> 0.23.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.core-graphics]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.23.1 -> 0.24.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.core-graphics-types]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.1.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.core-graphics-types]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.3"
notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.core-graphics-types]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.2.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.crunchy]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.document-features]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.8"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.document-features]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.2.8 -> 0.2.9"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.document-features]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.10"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.document-features]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.2.10 -> 0.2.11"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "2.0.1 -> 2.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fastrand]]
who = "Chris Martin <cmartin@mozilla.com>"
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.1.1"
notes = "Fairly trivial changes, no chance of security regression."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fnv]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.foreign-types]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.5.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.foreign-types-macros]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.2.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.foreign-types-shared]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.3.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-core]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-sink]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.gimli]]
who = "Alex Franchuk <afranchuk@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.30.0"
notes = """
Unsafe code blocks are sound. Minimal dependencies used. No use of
side-effectful std functions.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.gimli]]
who = "Chris Martin <cmartin@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.29.0"
notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.gpu-allocator]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "0.25.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.gpu-allocator]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.25.0 -> 0.26.0"
notes = "New Metal backend is written with no `unsafe`. New `unsafe` usage of DX12's platform APIs appear correct and safe. Otherwise, minimal changes."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.gpu-allocator]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.26.0 -> 0.27.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_collections]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_locale_core]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_normalizer]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_normalizer_data]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_properties]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_properties_data]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.icu_provider]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "2.0.0-beta2 -> 2.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.idna_adapter]]
who = "Valentin Gosu <valentin.gosu@gmail.com>"
criteria = "safe-to-deploy"
version = "1.2.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.idna_adapter]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.2.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.litemap]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.7.5 -> 0.8.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.malloc_buf]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.0.6"
notes = """
Very small crate for managing malloc-ed buffers, primarily for use in the objc crate.
There is an edge-case condition that passes slice::from_raw_parts(0x1, 0) which I'm
not entirely certain is technically sound, but in either case I am reasonably confident
it's not exploitable.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
version = "0.23.1"
notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.23.1 -> 0.24.0"
notes = "This audit treats Dzmitry Malyshau (kvark) as a trusted reviewer."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.24.0 -> 0.25.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Erich Gubler <egubler@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.25.0 -> 0.26.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Nicolas Silva <nical@fastmail.com>, Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.26.0 -> 0.27.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.27.0 -> 0.28.0"
notes = "No significantly changed functionality. Some warnings resolved, bumped `core-graphics-types`, newer versions of Metal supported."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.29.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.29.0 -> 0.30.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.metal]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.9.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.10.0 -> 0.11.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.12.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.12.0 -> 0.13.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.13.0 -> 0.14.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.14.0 -> 0.19.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = [
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
"Erich Gubler <erichdongubler@gmail.com>",
"Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
delta = "0.19.2 -> 0.20.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.20.0 -> 22.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "22.0.0 -> 23.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "23.0.0 -> 23.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "23.1.0 -> 24.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "24.0.0 -> 25.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.naga]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "25.0.0 -> 26.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.option-ext]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.pin-project-lite]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.pin-project-lite]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
delta = "0.2.14 -> 0.2.16"
notes = """
Only functional change is to work around a bug in the negative_impls feature
(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009)
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.quick-xml]]
who = "Lars Eggert <lars@eggert.org>"
criteria = "safe-to-run"
delta = "0.30.0 -> 0.37.5"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.raw-window-handle]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
version = "0.5.0"
notes = "I looked through all the sources of the v0.5.0 crate."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.raw-window-handle]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.5.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.raw-window-handle]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.6.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.raw-window-handle]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.6.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rayon]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.5.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rayon]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.5.3 -> 1.6.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rustc-hash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rustc-hash]]
who = "Ben Dean-Kawamura <bdk@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 2.1.1"
notes = "Simple hashing crate, no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rustc_version]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = """
Use of powerful capabilities is limited to invoking `rustc -vV` to get version
information for parsing version information.
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.scoped-tls]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.0.0 -> 1.0.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.shlex]]
who = "Max Inden <mail@max-inden.de>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.3.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.strsim]]
who = "Ben Dean-Kawamura <bdk@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.10.0 -> 0.11.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.subtle]]
who = "Simon Friedberger <simon@mozilla.com>"
criteria = "safe-to-deploy"
version = "2.5.0"
notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.synstructure]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
delta = "0.13.1 -> 0.13.2"
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.thiserror]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.69"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.thiserror-impl]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.69"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.tinystr]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
version = "0.7.0"
notes = "One of original auther was Zibi Braniecki who worked at Mozilla and maintained by ICU4X developers (Google and Mozilla). I've vetted the one instance of unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tinystr]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.7.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tinystr]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.7.1 -> 0.7.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tinystr]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.7.4 -> 0.7.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tinystr]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.7.6 -> 0.8.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tinyvec_macros]]
who = "Drew Willcoxon <adw@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tracing]]
who = "Alex Franchuk <afranchuk@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.37"
notes = """
There's only one unsafe impl, and its purpose is to ensure correct behavior by
creating a non-Send marker type (it has nothing to do with soundness). All
dependencies make sense, and no side-effectful std functions are used.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.tracing]]
who = "Mark Hammond <mhammond@skippinet.com.au>"
criteria = "safe-to-deploy"
delta = "0.1.37 -> 0.1.41"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.utf8parse]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
delta = "0.2.1 -> 0.2.2"
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-core-deps-apple]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "25.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-core-deps-apple]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "25.0.0 -> 26.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-core-deps-windows-linux-android]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "25.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-core-deps-windows-linux-android]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "25.0.0 -> 26.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.12.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Jim Blandy <jimb@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.12.0 -> 0.13.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.13.0 -> 0.14.0"
notes = "Audit by Erich Gubler, Jim Blandy, Nicolas Silva, and Teodor Tanasoaia."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.14.0 -> 0.15.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.16.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.16.0 -> 0.17.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.18.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.18.0 -> 0.19.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = [
"Jim Blandy <jimb@red-bean.com>",
"Nicolas Silva <nical@fastmail.com>",
"Erich Gubler <erichdongubler@gmail.com>",
"Teodor Tanasoaia <ttanasoaia@mozilla.com>",
]
criteria = "safe-to-deploy"
delta = "0.19.2 -> 0.20.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Jim Blandy <jimb@red-bean.com>"
criteria = "safe-to-deploy"
delta = "0.20.0 -> 22.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "22.0.0 -> 23.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "23.0.0 -> 24.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "24.0.0 -> 25.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.wgpu-types]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
delta = "25.0.0 -> 26.0.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zeroize]]
who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.8.1"
notes = """
This code DOES contain unsafe code required to internally call volatiles
for deleting data. This is expected and documented behavior.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerotrie]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.2.1 -> 0.2.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
version = "0.9.4"
notes = "This crate is zero-copy data structure implmentation. Although this uses unsafe block in several code, it requires for zero-copy. And this has a comment in code why this uses unsafe and I audited code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.9.4 -> 0.10.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.10.1 -> 0.10.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.10.4 -> 0.11.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.11.2 -> 0.11.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.11.3 -> 0.11.4"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec-derive]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
version = "0.10.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec-derive]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.10.1 -> 0.10.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec-derive]]
who = "Max Inden <mail@max-inden.de>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.zerovec-derive]]
who = "Makoto Kato <m_kato@ga2.so-net.ne.jp>"
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.11.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.zcash.audits.adler2]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.arrayref]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.6 -> 0.3.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.arrayref]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.9"
notes = "Changes to `unsafe` lines are to make some existing `unsafe fn`s `const`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.autocfg]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.4.0 -> 1.5.0"
notes = "Filesystem change is to remove the generated LLVM IR output file after probing."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.block-buffer]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.10.4"
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.crunchy]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.3 -> 0.2.4"
notes = """
Build script change is to fix a bug where a path separator for an included file
was being selected by the target OS instead of the host OS.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.http-body]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
[[audits.zcash.audits.num_cpus]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.16.0 -> 1.17.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.rustc_version]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.4.1"
notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.try-lock]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.5"
notes = "Bumps MSRV to remove unsafe code block."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.want]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = """
Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked
`unsafe` (but that were being used safely).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"