From 33b1d6c7db227583fd43e84a82c6108f54e8ba74 Mon Sep 17 00:00:00 2001
From: Jeff Charles
Date: Mon, 22 Jul 2024 15:37:04 -0400
Subject: [PATCH] cargo vet

---
 supply-chain/config.toml | 12 +---
 supply-chain/imports.lock | 128 +++++++++-----------------------------
 2 files changed, 30 insertions(+), 110 deletions(-)

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index a9d54faa..9c093cfc 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -443,11 +443,11 @@ version = "11.1.4"
 criteria = "safe-to-run"
 
 [[exemptions.openssl]]
-version = "0.10.64"
+version = "0.10.66"
 criteria = "safe-to-deploy"
 
 [[exemptions.openssl-sys]]
-version = "0.9.102"
+version = "0.9.103"
 criteria = "safe-to-deploy"
 
 [[exemptions.outref]]
@@ -718,10 +718,6 @@ criteria = "safe-to-deploy"
 version = "3.10.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.tinyvec]]
-version = "1.8.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.tinyvec_macros]]
 version = "0.1.1"
 criteria = "safe-to-deploy"
@@ -866,10 +862,6 @@ criteria = "safe-to-deploy"
 version = "0.7.35"
 criteria = "safe-to-deploy"
 
-[[exemptions.zerovec]]
-version = "0.10.4"
-criteria = "safe-to-deploy"
-
 [[exemptions.zstd]]
 version = "0.13.2"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 8c6ce1dc..c01155f2 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
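Review bot: In supply-chain/config.toml, hunk `@@ -443,11 +443,11 @@`, the `openssl` and `openssl-sys` exemptions are moved forward to 0.10.66 and 0.9.103 at `safe-to-deploy` with no audit record, so whatever changed between the old and new versions enters the build unreviewed. Both crates bind a C TLS library through FFI, which is where a delta review is most worth the time. Running `cargo vet diff openssl 0.10.64 0.10.66` and then `cargo vet certify` (and the same for `openssl-sys` 0.9.102 to 0.9.103) would record a delta audit and let the exemption stay at the older version. If the exemption is kept at the new version instead, a `notes = "..."` key on each entry stating why the bump was accepted without review would keep that decision visible, since the commit message "cargo vet" does not explain it.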
@@ -1767,6 +1767,16 @@ criteria = "safe-to-deploy" version = "1.1.0" notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure." +[[audits.bytecode-alliance.audits.tinyvec]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.6.0" +notes = """ +This crate, while it implements collections, does so without `std::*` APIs and +without `unsafe`. Skimming the crate everything looks reasonable and what one +would expect from idiomatic safe collections in Rust. +""" + [[audits.bytecode-alliance.audits.tokio-native-tls]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -1977,6 +1987,24 @@ criteria = "safe-to-run" version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.tinyvec]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.6.0 -> 1.6.1" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tinyvec]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tinyvec]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -2315,12 +2343,6 @@ criteria = "safe-to-deploy" delta = "0.5.5 -> 0.5.7" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.tinystr]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.7.4 -> 0.7.6" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.unicode-bidi]] who = "Makoto Kato " criteria = "safe-to-deploy" 
@@ -2339,97 +2361,3 @@ who = "Jonathan Kew " criteria = "safe-to-deploy" delta = "0.3.14 -> 0.3.15" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.writeable]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.5.2" -notes = "writeable is a variation of fmt::Write with sink version. This uses `unsafe` block to handle potentially-invalid UTF-8 character. I've vetted the one instance of unsafe code." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.writeable]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.5.2 -> 0.5.4" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.writeable]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.5.4 -> 0.5.5" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.yoke]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.7.1" -notes = "This crate is for zero-copy serialization for ICU4X data structure, and maintained by ICU4X team. Since this uses unsafe block for serialization, I audited code." 
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.yoke]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.7.1 -> 0.7.3" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.yoke]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.7.3 -> 0.7.4" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.yoke-derive]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.7.3" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.yoke-derive]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.7.3 -> 0.7.4" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerofrom]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.1.2" -notes = "This crate is zero-copy version of \"From\". This has no unsafe code and uses no ambient capabilities." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerofrom]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.1.2 -> 0.1.4" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerovec]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.9.4" -notes = "This crate is zero-copy data structure implmentation. Although this uses unsafe block in several code, it requires for zero-copy. And this has a comment in code why this uses unsafe and I audited code." 
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerovec]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.9.4 -> 0.10.1" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerovec]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.10.1 -> 0.10.2" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerovec-derive]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -version = "0.10.1" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.zerovec-derive]] -who = "Makoto Kato " -criteria = "safe-to-deploy" -delta = "0.10.1 -> 0.10.2" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"