github
/
cranelift
mirror of https://github.com/bytecodealliance/wasmtime.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12286 Commits
49 Branches
140 Tags
128 MiB
Tree: 079ddd4bf7
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '079ddd4bf7'
${ noResults }
cranelift/supply-chain/audits.toml

3380 lines
100 KiB
Raw Normal View History

Enable cargo-vet (#4444) * Initialize cargo-vet on wasmtime. * Add cargo-vet to CI. * Add README.
2 years ago
# cargo-vet audits file
Add a wildcard audit for `arbitrary` (#6264)
2 years ago
[[wildcard-audits.arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 696 # Nick Fitzgerald (fitzgen)
Add a wildcard audit for `arbitrary` (#6264)
2 years ago
start = "2020-01-14"
end = "2024-04-21"
notes = "I am an author of this crate."
Update `wasmprinter` and `wasm-mutate` deps (#5983) * Bump wasm-mutate and wasmprinter deps * Add wildcard audits for wasmprinter and wasm-mutate * Add wildcard audit for bumpalo
2 years ago
[[wildcard-audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 696 # Nick Fitzgerald (fitzgen)
Update `wasmprinter` and `wasm-mutate` deps (#5983) * Bump wasm-mutate and wasmprinter deps * Add wildcard audits for wasmprinter and wasm-mutate * Add wildcard audit for bumpalo
2 years ago
start = "2019-03-16"
end = "2024-03-10"
Bump cargo-vet to 0.8.0 (#6642) * Bump cargo-vet to 0.8.0. * Use the new audited-as feature to enable audit-as-crates-io for not-yet-published versions of first-party crates.
1 year ago
[[wildcard-audits.cranelift]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-bforest]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-codegen]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-codegen-meta]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-codegen-shared]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-control]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-05-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-entity]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-frontend]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-interpreter]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-isle]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-12-13"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-jit]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-module]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-native]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-object]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-reader]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-serde]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.cranelift-wasm]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
Add a wildcard audit of `derive_arbitrary` (#6294)
2 years ago
[[wildcard-audits.derive_arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 696 # Nick Fitzgerald (fitzgen)
Add a wildcard audit of `derive_arbitrary` (#6294)
2 years ago
start = "2020-01-14"
end = "2024-04-27"
notes = "I am an author of this crate"
Add a wildcard audit for regalloc2 versions published by me. (#6331)
2 years ago
[[wildcard-audits.regalloc2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
Cranelift: upgrade to regalloc2 0.9.2. (#6726) * Cranelift: upgrade to regalloc2 0.9.2. This pulls in bytecodealliance/regalloc2#152, which fixes a bug that is reachable on RISC-V: when two different register classes have the same stackslot size, the register allocation result might share a slot between two different classes, which can result in moves between classes that will cause a panic. The fix properly separates slots by class. * cargo-vet update for regalloc2 0.9.2.
1 year ago
user-id = 3726 # Chris Fallin (cfallin)
Add a wildcard audit for regalloc2 versions published by me. (#6331)
2 years ago
start = "2021-12-03"
end = "2024-05-02"
notes = "We (Bytecode Alliance) are the primary authors of regalloc2 and co-develop it with Cranelift/Wasmtime, with the same code-review, testing/fuzzing, and security standards."
Add a regalloc2 wildcard audit for myself (#6329)
2 years ago
[[wildcard-audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
Remove the implementation of wasi-crypto (#6816) * Remove the implementation of wasi-crypto This commit is a follow-up to the discussion on #6732. This removes Wasmtime&#39;s implementation of the wasi-crypto proposal from in-tree along with its various support in CI, configuration, etc. See the discussion on #6732 for the full information but at a high level the main reasons for removing the implementation at this time are: * There is not currently an active maintainer of the Wasmtime integration here for wasi-crypto. * There are known issues with the code quality of the implementation such as transmutes of guest-owned memory to `&amp;&#39;static mut [u8]` and known unsafety in dependencies. * The size and breadth of the dependency tree brings maintenance burden and overhead to managing Wasmtime&#39;s dependency tree. As mentioned on the issue this commit does not mean that Wasmtime doesn&#39;t want to implement the wasi-crypto proposal. Instead the &#34;tier 3&#34; status of wasi-crypto needs to be re-attained to be included back in-tree, which would mean resolving the above issues. Note that this commit is intentionally just after the 13.0.0 branch point which means that this is slated for Wasmtime 14 to be released on September 20. * Remove some cfgs * Remove wasi-crypto CI
1 year ago
user-id = 187138
Add a regalloc2 wildcard audit for myself (#6329)
2 years ago
start = "2022-11-29"
end = "2024-05-02"
notes = """
This is a Bytecode Alliance authored crate maintained in the `regalloc2`
repository of which I'm one of the maintainers and publishers for. I am employed
by a member of the Bytecode Alliance and plan to continue doing so and will
actively maintain this crate over time.
"""
Bump cargo-vet to 0.8.0 (#6642) * Bump cargo-vet to 0.8.0. * Use the new audited-as feature to enable audit-as-crates-io for not-yet-published versions of first-party crates.
1 year ago
[[wildcard-audits.wasi-cap-std-sync]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasi-common]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasi-tokio]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
[[wildcard-audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
[[wildcard-audits.wasm-metadata]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[wildcard-audits.wasm-mutate]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 696 # Nick Fitzgerald (fitzgen)
cargo-vet all remaining dependency bumps
2 years ago
start = "2022-02-17"
end = "2024-03-10"
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
[[wildcard-audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2022-01-05"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
[[wildcard-audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2020-09-03"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
[[wildcard-audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2020-07-13"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
Update `wasmprinter` and `wasm-mutate` deps (#5983) * Bump wasm-mutate and wasmprinter deps * Add wildcard audits for wasmprinter and wasm-mutate * Add wildcard audit for bumpalo
2 years ago
[[wildcard-audits.wasmprinter]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 696 # Nick Fitzgerald (fitzgen)
Update `wasmprinter` and `wasm-mutate` deps (#5983) * Bump wasm-mutate and wasmprinter deps * Add wildcard audits for wasmprinter and wasm-mutate * Add wildcard audit for bumpalo
2 years ago
start = "2021-04-28"
end = "2024-03-10"
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
[[wildcard-audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2019-11-18"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
Bump cargo-vet to 0.8.0 (#6642) * Bump cargo-vet to 0.8.0. * Use the new audited-as feature to enable audit-as-crates-io for not-yet-published versions of first-party crates.
1 year ago
[[wildcard-audits.wasmtime]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-asm-macros]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-08-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-cache]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-cli]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-cli-flags]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-05-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-component-macro]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-07-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-component-util]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-08-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-cranelift]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-cranelift-shared]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-04-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-environ]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-explorer]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-04-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-fiber]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-jit]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-jit-debug]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-03-07"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-jit-icache-coherence]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-11-21"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-runtime]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-types]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wasi]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wasi-crypto]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wasi-http]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-05-22"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wasi-nn]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wasi-threads]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-03-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wast]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-winch]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-11-21"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wasmtime-wit-bindgen]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-01-20"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
Wasi-http: support inbound requests (proxy world) (#7091) * Move the incoming_handler impl into http_impl * Remove the incoming handler -- we need to use it as a guest export * Start adding a test-programs test for the server side of wasi-http * Progress towards running a server test * Implement incoming-request-method * Validate outparam value * Initial incoming handler test * Implement more of the incoming api * Finish the incoming api implementations * Initial cut at `wasmtime serve` * fix warning * wasmtime-cli: invoke ServeCommand, and add enough stuff to the linker to run trivial test * fix warnings * fix warnings * argument parsing: allow --addr to specify sockaddr * rustfmt * sync wit definitions between wasmtime-wasi and wasmtime-wasi-http * cargo vet: add an import config and wildcard audit for wasmtime-wmemcheck * cargo vet: audit signal-hook-registry * Remove duplicate add_to_linker calls for preview2 interfaces prtest:full * Add a method to finish outgoing responses Co-authored-by: Adam Foltzer &lt;acfoltzer@fastly.com&gt; Co-authored-by: Pat Hickey &lt;phickey@fastly.com&gt; * Mark the result of the incoming_{request,response}_consume methods as own * Explicit versions for http-body and http-body-util * Explicit `serve` feature for the `wasmtime serve` command * Move the spawn outside of the future returned by `ProxyHandler::call` * Review feedback --------- Co-authored-by: Trevor Elliott &lt;telliott@fastly.com&gt; Co-authored-by: Adam Foltzer &lt;acfoltzer@fastly.com&gt;
1 year ago
[[wildcard-audits.wasmtime-wmemcheck]]
who = "Pat Hickey <pat@moreproductive.org>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-11-27"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
[[wildcard-audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2019-10-16"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
[[wildcard-audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2019-10-18"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
Bump cargo-vet to 0.8.0 (#6642) * Bump cargo-vet to 0.8.0. * Use the new audited-as feature to enable audit-as-crates-io for not-yet-published versions of first-party crates.
1 year ago
[[wildcard-audits.wiggle]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wiggle-generate]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wiggle-macro]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2021-10-29"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.wiggle-test]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 18162 # Pat Hickey (pchickey)
start = "2020-03-12"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
[[wildcard-audits.winch-codegen]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2022-11-21"
end = "2024-06-26"
notes = "The Bytecode Alliance is the author of this crate."
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
[[wildcard-audits.wit-bindgen]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wit-bindgen`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
[[wildcard-audits.wit-bindgen-core]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wit-bindgen`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[wildcard-audits.wit-bindgen-rust]]
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wit-bindgen`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[wildcard-audits.wit-bindgen-rust-lib]]
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wit-bindgen`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[wildcard-audits.wit-bindgen-rust-macro]]
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wit-bindgen`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
[[wildcard-audits.wit-component]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
use latest wit-bindgen, add wildcard audits for wit-bindgen and wasm-tools crates
2 years ago
start = "2020-12-11"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -&gt; 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -&gt; 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen&#39;s dependencies * auto-import wildcard vets
2 years ago
[[wildcard-audits.wit-component]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 696 # Nick Fitzgerald (fitzgen)
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -&gt; 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -&gt; 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen&#39;s dependencies * auto-import wildcard vets
2 years ago
start = "2019-03-16"
end = "2024-03-10"
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
[[wildcard-audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Bump cargo-vet to 0.7.0 (#6544) * Bump cargo-vet to 0.7.0. * Prune exemptions. * Import fermyon.
1 year ago
user-id = 1 # Alex Crichton (alexcrichton)
Update wasm-tools crates (#6215) While bringing in no major updates for Wasmtime I&#39;ve taken this opportunity to list myself for `cargo vet` with wildcard audits of this family of crates. That means I shouldn&#39;t need to further add any more entries in the future for updating these crates and additionally any other organizations using these audits will automatically be able to have audits for version that I publish. While here I also ran `cargo vet prune` which was able to remove a number of our exemptions.
2 years ago
start = "2019-12-02"
end = "2024-04-14"
notes = """
This is a Bytecode Alliance authored crate maintained in the `wasm-tools`
repository of which I'm one of the primary maintainers and publishers for.
I am employed by a member of the Bytecode Alliance and plan to continue doing
so and will actively maintain this crate over time.
"""
Add cargo-vet entries for dependency update (#5778) This adds vet entries for the updates being performed in #5513
2 years ago
[[audits.addr2line]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.19.0"
notes = """
This is a minor update for addr2line which looks to mainly update its
dependencies and refactor existing code to expose more functionality and such.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.addr2line]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.19.0 -> 0.20.0"
notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update."
Update vets for gimli/object/etc. (#6908) Needed for #6904
1 year ago
[[audits.addr2line]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.20.0 -> 0.21.0"
notes = "This version bump updated some dependencies and optimized some internals. All looks good."
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.adler]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.ahash]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.7.6 -> 0.8.2"
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.ambient-authority]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.0.2"
notes = "Contains no unsafe code, no IO, no build.rs."
cargo vet: add audits for criterion upgrade, and its transitive dependencies (#5946)
2 years ago
[[audits.anes]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.6"
notes = "Contains no unsafe code, no IO, no build.rs."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.anyhow]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.62 -> 1.0.66"
notes = """
This update looks to be related to minor fixes and mostly integrating with a
nightly feature in the standard library for backtrace integration. No undue
`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening
here.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[audits.anyhow]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.69 -> 1.0.71"
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "I am the author of this crate."
[[audits.arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "I am the author of this crate."
Cranelift: Harvest each Souper LHS into its own file (#5649) * Cranelift: Harvest each Souper LHS into its own file Souper only handles one input LHS at a time, so this makes it way easier to script. Don&#39;t need to try and parse each LHS. * Add audit of `arrayref` version 0.3.6 * Add audit of `constant_time_eq` version 0.2.4
2 years ago
[[audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is
doing. Well tested, has quickchecks.
"""
Cranelift: Use bump allocation in `remove_constant_phis` pass (#4710) * Cranelift: Use bump allocation in `remove_constant_phis` pass This makes compilation 2-6% faster for Sightglass&#39;s bz2 benchmark: ``` compilation :: cycles :: benchmarks/bz2/benchmark.wasm Δ = 7290648.36 ± 4245152.07 (confidence = 99%) bump.so is 1.02x to 1.06x faster than main.so! [166388177 183238542.98 214732518] bump.so [172836648 190529191.34 217514271] main.so compilation :: cycles :: benchmarks/pulldown-cmark/benchmark.wasm No difference in performance. [182220055 225793551.12 277857575] bump.so [193212613 227784078.61 277175335] main.so compilation :: cycles :: benchmarks/spidermonkey/benchmark.wasm No difference in performance. [3848442474 4295214144.37 4665127241] bump.so [3969505457 4262415290.10 4563869974] main.so ``` * Add audit for `bumpalo` * Add an audit of `arrayvec` version 0.7.2 * Remove unnecessary `collect` into `Vec` I wasn&#39;t able to measure any perf difference here, but its nice to do anyways. * Use a `SecondaryMap` for keeping track of summaries
2 years ago
[[audits.arrayvec]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.7.2"
notes = """
Well documented invariants, good assertions for those invariants in unsafe code,
and tested with MIRI to boot. LGTM.
"""
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.atty]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.14"
notes = """
Contains only unsafe code for what this crate's purpose is and only accesses
the environment's terminal information when asked. Does its stated purpose and
no more.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.backtrace]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.66"
notes = "I am the author of this crate."
Add cargo-vet entries for dependency update (#5778) This adds vet entries for the updates being performed in #5513
2 years ago
[[audits.backtrace]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.3.66 -> 0.3.67"
notes = """
This change introduced a new means of learning the current exe by parsing
Linux-specific constructs and does not constitute any major changes to the
crate.
"""
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.base64]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
cargo-vet: audit base64 0.21.0 (#5707)
2 years ago
[[audits.base64]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-run"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
`cargo vet` audits for guest profiling support (#6284) These audits are necessary for in-process guest profiling support, currently under development in PR #6282.
2 years ago
[[audits.bitflags]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.2.1"
notes = """
This version adds unsafe impls of traits from the bytemuck crate when built
with that library enabled, but I believe the impls satisfy the documented
safety requirements for bytemuck. The other changes are minor.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.bitflags]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "2.3.2 -> 2.3.3"
notes = """
Nothing outside the realm of what one would expect from a bitflags generator,
all as expected.
"""
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"
Cranelift: Use bump allocation in `remove_constant_phis` pass (#4710) * Cranelift: Use bump allocation in `remove_constant_phis` pass This makes compilation 2-6% faster for Sightglass&#39;s bz2 benchmark: ``` compilation :: cycles :: benchmarks/bz2/benchmark.wasm Δ = 7290648.36 ± 4245152.07 (confidence = 99%) bump.so is 1.02x to 1.06x faster than main.so! [166388177 183238542.98 214732518] bump.so [172836648 190529191.34 217514271] main.so compilation :: cycles :: benchmarks/pulldown-cmark/benchmark.wasm No difference in performance. [182220055 225793551.12 277857575] bump.so [193212613 227784078.61 277175335] main.so compilation :: cycles :: benchmarks/spidermonkey/benchmark.wasm No difference in performance. [3848442474 4295214144.37 4665127241] bump.so [3969505457 4262415290.10 4563869974] main.so ``` * Add audit for `bumpalo` * Add an audit of `arrayvec` version 0.7.2 * Remove unnecessary `collect` into `Vec` I wasn&#39;t able to measure any perf difference here, but its nice to do anyways. * Use a `SecondaryMap` for keeping track of summaries
2 years ago
[[audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "3.9.1"
notes = "I am the author of this crate."
Update bumpalo to 3.11.1 (#5070)
2 years ago
[[audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "3.11.1"
notes = "I am the author of this crate."
cargo vet remaining dependencies for #5929 (#6125)
2 years ago
[[audits.camino]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-fs-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-fs-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-fs-ext]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.cap-fs-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.5 -> 1.0.14"
notes = "The Bytecode Alliance is the author of this crate."
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-primitives]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-primitives]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-primitives]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.cap-primitives]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.5 -> 1.0.14"
notes = "The Bytecode Alliance is the author of this crate."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.cap-rand]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-rand]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.cap-rand]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.14"
notes = "The Bytecode Alliance is the author of this crate."
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-std]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-std]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-std]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.cap-std]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.5 -> 1.0.14"
notes = "The Bytecode Alliance is the author of this crate."
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-tempfile]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-run"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-tempfile]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-run"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.cap-tempfile]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.14"
notes = "The Bytecode Alliance is the author of this crate."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.cap-time-ext]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
notes = "The Bytecode Alliance is the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-time-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-time-ext]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.cap-time-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.5 -> 1.0.14"
notes = "The Bytecode Alliance is the author of this crate."
cargo vet remaining dependencies for #5929 (#6125)
2 years ago
[[audits.cargo-platform]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "no build, no ambient capabilities, no unsafe"
[[audits.cargo_metadata]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.15.3"
notes = "no build, no unsafe, inputs to cargo command are reasonably sanitized"
Drop a few crates from our dependency graph (#5009) A minor update of a few other crates drops `semver` and `rustc_version` from `Cargo.lock`. I&#39;ve audited the deltas in versions for the other crates here as well and they all look good.
2 years ago
[[audits.cast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.2.7 -> 0.3.0"
notes = """
This release appears to have brought support for 128-bit integers and removed a
`transmute` around converting between float bits and the float itself.
Otherwise no major changes except what was presumably minor API breaking changes
due to the major version bump.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.cc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."
[[audits.cfg-if]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
cargo vet: add audits for criterion upgrade, and its transitive dependencies (#5946)
2 years ago
[[audits.ciborium]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
[[audits.ciborium-io]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
[[audits.ciborium-ll]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
cranelift-isle: Rewrite error reporting (#5318) There were several issues with ISLE&#39;s existing error reporting implementation. - When using Miette for more readable error reports, it would panic if errors were reported from multiple files in the same run. - Miette is pretty heavy-weight for what we&#39;re doing, with a lot of dependencies. - The `Error::Errors` enum variant led to normalization steps in many places, to avoid using that variant to represent a single error. This commit: - replaces Miette with codespan-reporting - gets rid of a bunch of cargo-vet exemptions - replaces the `Error::Errors` variant with a new `Errors` type - removes source info from `Error` variants so they&#39;re easy to construct - adds source info only when formatting `Errors` - formats `Errors` with a custom `Debug` impl - shares common code between ISLE&#39;s callers, islec and cranelift-codegen - includes a source snippet even with fancy-errors disabled I tried to make this a series of smaller commits but I couldn&#39;t find any good split points; everything was too entangled with everything else.
2 years ago
[[audits.codespan-reporting]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
version = "0.11.1"
notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O."
Cranelift: Harvest each Souper LHS into its own file (#5649) * Cranelift: Harvest each Souper LHS into its own file Souper only handles one input LHS at a time, so this makes it way easier to script. Don&#39;t need to try and parse each LHS. * Add audit of `arrayref` version 0.3.6 * Add audit of `constant_time_eq` version 0.2.4
2 years ago
[[audits.constant_time_eq]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."
Remove yanked dependencies from `Cargo.lock` (#6428) * Remove some yanked crates from `Cargo.lock` This commit fixes some warnings that are cropping up during publishing about yanked crates being in our `Cargo.lock`. * Remove an unneeded vet `imports.lock` entry
1 year ago
[[audits.cpufeatures]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.7"
notes = """
This is a minor update that looks to add some more detected CPU features and
various other minor portability fixes such as MIRI support.
"""
Drop a few crates from our dependency graph (#5009) A minor update of a few other crates drops `semver` and `rustc_version` from `Cargo.lock`. I&#39;ve audited the deltas in versions for the other crates here as well and they all look good.
2 years ago
[[audits.criterion]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.3.5 -> 0.3.6"
notes = """
There were no major changes to code in this update, mostly just stylistic and
updating some version dependency requirements.
"""
cargo vet: add audits for criterion upgrade, and its transitive dependencies (#5946)
2 years ago
[[audits.criterion]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.3.6 -> 0.4.0"
notes = """
criterion v0.3.6..v0.4.0 is mostly re-arranging the crate features and bumping dependencies. all changes
to code seem to be confined to benchmarks.
"""
Drop a few crates from our dependency graph (#5009) A minor update of a few other crates drops `semver` and `rustc_version` from `Cargo.lock`. I&#39;ve audited the deltas in versions for the other crates here as well and they all look good.
2 years ago
[[audits.criterion-plot]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.4.4 -> 0.4.5"
notes = """
No major changes in this update, it was almost entirely stylistic with what
appears to be a few clippy fixes here and there.
"""
cargo vet: add audits for criterion upgrade, and its transitive dependencies (#5946)
2 years ago
[[audits.criterion-plot]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.4.5 -> 0.5.0"
notes = "Just a version bump, only change to code is to remove an allow(deprecated)"
Remove yanked dependencies from `Cargo.lock` (#6428) * Remove some yanked crates from `Cargo.lock` This commit fixes some warnings that are cropping up during publishing about yanked crates being in our `Cargo.lock`. * Remove an unneeded vet `imports.lock` entry
1 year ago
[[audits.crossbeam-channel]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.5.8"
notes = """
This diff does what it says on the tin for this version range, notably fixing a
race condition, improving handling of durations, and additionally swapping out a
spin lock with a lock from the standard library. Minor bits of `unsafe` code
are modified but that's expected given the nature of this crate.
"""
Remove duplicate memoffset dependency (#6735) Do this by updating `crossbeam-epoch` and auditing this update of crossbeam. The newer version of crossbeam additionally updates its version of `memoffset`.
1 year ago
[[audits.crossbeam-epoch]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.9.9 -> 0.9.15"
notes = """
In general crossbeam has quite a lot of unsafe code as it's a primitive tool for
concurrency but this update isn't adding any extra unsafe than there already
was and all the updates here are related to odds-and-ends maintenance. In
other words everything is as one would expect from a minor update for this
crate.
"""
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.crypto-common]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
version = "0.1.3"
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.derive_arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "I am the author of this crate."
[[audits.derive_arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "I am the author of this crate."
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.derive_arbitrary]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.3.0 -> 1.3.1"
notes = "This updates `syn` to 2.x.x, nothing else in this diff."
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.digest]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.3"
Remove yanked dependencies from `Cargo.lock` (#6428) * Remove some yanked crates from `Cargo.lock` This commit fixes some warnings that are cropping up during publishing about yanked crates being in our `Cargo.lock`. * Remove an unneeded vet `imports.lock` entry
1 year ago
[[audits.ed25519]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.4.1 -> 1.5.3"
notes = """
This diff brings in a number of minor updates of which none are related to
`unsafe` code or anything system-related like filesystems.
"""
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.errno]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
[[audits.errno]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = "Just a dependency version bump and a bug fix for redox"
Audit some of the cargo vet backlog (#6536) Joint session between myself, pchickey, elliottt, itsrainy, and fitzgen.
1 year ago
[[audits.errno-dragonfly]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "This should be portable to any POSIX system and seems like it should be part of the libc crate, but at any rate it's safe as is."
Update vets for gimli/object/etc. (#6908) Needed for #6904
1 year ago
[[audits.fallible-iterator]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.3.0"
notes = """
This major version update has a few minor breaking changes but everything
this crate has to do with iterators and `Result` and such. No `unsafe` or
anything like that, all looks good.
"""
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.fd-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "3.0.9"
notes = "This crate uses unsafe to make Windows syscalls, to borrow an Fd with an appropriate lifetime, and to zero a windows API structure that appears to have a valid representation with zeroed memory."
[[audits.fd-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "3.0.9 -> 3.0.10"
notes = "Just a dependency version bump"
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.fd-lock]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "3.0.10 -> 3.0.12"
notes = "Just a dependency version bump"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.file-per-thread-logger]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = """
Contains no unsafe code but does write log files to the filesystem. Log files
are only created when requested by the application, however, and otherwise
only does its stated purpose.
"""
Upgrade file per thread logger to 0.2.0 (#6503) * Upgrade file-per-thread-logger to v0.2.0 Signed-off-by: Benjamin Bouvier &lt;public@benj.me&gt; * Update audits too Signed-off-by: Benjamin Bouvier &lt;public@benj.me&gt; --------- Signed-off-by: Benjamin Bouvier &lt;public@benj.me&gt;
1 year ago
[[audits.file-per-thread-logger]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
version = "0.2.0"
notes = "Simple version bump."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.file-per-thread-logger]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.1.5 -> 0.1.6"
notes = "Just a dependency version bump"
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.foreign-types]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.2"
notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well."
[[audits.foreign-types-shared]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.form_urlencoded]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = """
This is a small crate for working with url-encoded forms which doesn't have any
more than what it says on the tin. Contains one `unsafe` block related to
performance around utf-8 validation which is fairly easy to verify as correct.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.fs-set-times]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.18.0"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.fs-set-times]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.18.0 -> 0.18.1"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.fs-set-times]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.18.1 -> 0.19.1"
notes = "Just a dependency version bump"
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.futures]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "There are no definitions in this crate, just exports of definitions from child crates."
[[audits.futures-channel]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
[[audits.futures-core]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
[[audits.futures-executor]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."
[[audits.futures-io]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
[[audits.futures-sink]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
`cargo vet` audits for guest profiling support (#6284) These audits are necessary for in-process guest profiling support, currently under development in PR #6282.
2 years ago
[[audits.fxprof-processed-profile]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
version = "0.6.0"
notes = """
No unsafe code, I/O, or powerful imports. This is a straightforward set of data
structures representing the Firefox \"processed\" profile format, with serde
serialization support. All logic is trivial: either unit conversion, or
hash-consing to support de-duplication required by the format.
"""
Add cargo-vet entries for dependency update (#5778) This adds vet entries for the updates being performed in #5513
2 years ago
[[audits.gimli]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.26.1 -> 0.27.0"
notes = """
This is a standard update to gimli for more DWARF support for more platforms,
more features, etc. Some minor `unsafe` code was added that does not appear
incorrect. Otherwise looks like someone probably ran clippy and/or rustfmt.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.gimli]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.27.0 -> 0.27.3"
notes = "More support for more DWARF, nothing major in this update. Some small refactorings and updates to publication of the package but otherwise everything's in order."
Update vets for gimli/object/etc. (#6908) Needed for #6904
1 year ago
[[audits.gimli]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.27.3 -> 0.28.0"
notes = """
Still looks like a good DWARF-parsing crate, nothing major was added or deleted
and no `unsafe` code to review here.
"""
Audit some of the cargo vet backlog (#6536) Joint session between myself, pchickey, elliottt, itsrainy, and fitzgen.
1 year ago
[[audits.glob]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.0"
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.hashbrown]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.12.3 -> 0.13.1"
notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."
Bump hashbrown to 0.13.2 (#6238)
2 years ago
[[audits.hashbrown]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.13.1 -> 0.13.2"
notes = "I read through the diff between v0.13.1 and v0.13.2, and verified that the changes made matched up with the changelog entries. There were very few changes between these two releases, and it was easy to verify what they did."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.heck]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.hermit-abi]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.3.0"
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.http-body]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.0.0-rc.2"
[[audits.http-body-util]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0-rc.2"
notes = "only one use of unsafe related to pin projection. unclear to me why pin_project! is used in many modules of the project, but the expanded output of that macro is inlined in either.rs"
[[audits.httpdate]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "No unsafety, no io"
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.id-arena]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "2.2.1"
notes = "I am the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.idna]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = """
This is a crate without unsafe code or usage of the standard library. The large
size of this crate comes from the large generated unicode tables file. This
crate is broadly used throughout the ecosystem and does not contain anything
suspicious.
"""
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.indexmap-nostd]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.4.0"
notes = """
I've verified that this is a sliced-down version of the `indexmap` crate which
is otherwise certified. This doesn't contain unnecessary `unsafe` and
additionally doesn't reach for ambient capabilities.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.io-extras]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.17.0"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.io-extras]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.17.2"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.io-extras]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.17.2 -> 0.17.4"
notes = "Just a dependency version bump"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.io-lifetimes]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.3"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.io-lifetimes]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.3 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.io-lifetimes]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.0.5 -> 1.0.10"
notes = "I am the maintainer of this crate."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.is-terminal]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "Contains only unsafe code for interacting with the crate's intended purpose."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.is-terminal]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "Contains only unsafe code for interacting with the crate's intended purpose."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.is-terminal]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.4.7"
notes = """
The is-terminal implementation code is now sync'd up with the prototype
implementation in the Rust standard library.
"""
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.is-terminal]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.3"
notes = "The Bytecode Alliance is the author of this crate."
Update `ittapi` crate (#7092) This update gets rid of a panic that occurs when using `--profile=vtune` from the command line.
1 year ago
[[audits.ittapi]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
version = "0.3.4"
Fix compile errors on FreeBSD x64/arm64 (#5606) * Fix compile error on FreeBSD x64 * Fix compile on FreeBSD arm64 * Update Cargo.lock for ittapi * vet: certify diff for ittapi libraries Co-authored-by: Andrew Brown &lt;andrew.brown@intel.com&gt;
2 years ago
[[audits.ittapi]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
notes = "I am the author of this crate."
Update `ittapi` crate (#7092) This update gets rid of a panic that occurs when using `--profile=vtune` from the command line.
1 year ago
[[audits.ittapi-sys]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
version = "0.3.4"
Fix compile errors on FreeBSD x64/arm64 (#5606) * Fix compile error on FreeBSD x64 * Fix compile on FreeBSD arm64 * Update Cargo.lock for ittapi * vet: certify diff for ittapi libraries Co-authored-by: Andrew Brown &lt;andrew.brown@intel.com&gt;
2 years ago
[[audits.ittapi-sys]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
notes = "Unsafe code is due to auto-generated bindings to a widely-deployed C library."
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.leb128]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "I am the author of this crate."
Update libfuzzer to 0.4.5 (#5068) * Update `libfuzzer-sys` to 0.4.5 * Set fuzzing crates as `safe-to-run` in `cargo-vet` Rather than `safe-to-deploy`.
2 years ago
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.libc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.2.133 -> 0.2.141"
notes = """
I have performed a very rough survey of the changes and didn't see anything
obviously out of place, or that looks like a silent ABI break on a platform
Wasmtime supports. I didn't check all the new struct layouts, constants,
function signatures, and so on for ABI conformance though.
This crate is maintained by the Rust project and is a dependency of the Rust
standard library itself. It contains tests that generate C source files to
ensure that the ABI it describes matches the ABI described by the C header
files in the correspond to match.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.libc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.146 -> 0.2.147"
notes = "Only new type definitions and updating others for some platforms, no major changes"
Update libfuzzer to 0.4.5 (#5068) * Update `libfuzzer-sys` to 0.4.5 * Set fuzzing crates as `safe-to-run` in `cargo-vet` Rather than `safe-to-deploy`.
2 years ago
[[audits.libfuzzer-sys]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-run"
delta = "0.4.3 -> 0.4.4"
notes = "I am the author of this crate."
[[audits.libfuzzer-sys]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-run"
delta = "0.4.4 -> 0.4.5"
notes = "I am the author of this crate."
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
cranelift: Upgrade libm to 0.2.4 (#4670) * cranelift: Upgrade libm to 0.2.4 This resolves an issue with incorrect fmaf on the x86_64-pc-windows-gnu target under some inputs. See: #4517 * supply-chain: Vet `libm` 0.2.4
2 years ago
[[audits.libm]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"
notes = """
This diff primarily fixes a few issues with the `fma`-related functions,
but also contains some other minor fixes as well. Everything looks A-OK and
as expected.
"""
Remove yanked dependencies from `Cargo.lock` (#6428) * Remove some yanked crates from `Cargo.lock` This commit fixes some warnings that are cropping up during publishing about yanked crates being in our `Cargo.lock`. * Remove an unneeded vet `imports.lock` entry
1 year ago
[[audits.libm]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.7"
notes = """
This is a minor update which has some testing affordances as well as some
updated math algorithms.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.linux-raw-sys]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.1.3"
notes = "I am the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.linux-raw-sys]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.3.3"
notes = "I am the author of this crate."
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -&gt; 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -&gt; 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen&#39;s dependencies * auto-import wildcard vets
2 years ago
[[audits.matchers]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.memfd]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.6.1"
notes = """
Does not interact with the system in any way than otherwise instructed to.
Contains unsafe blocks but are encapsulated and required for the operation at
hand.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.memfd]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.6.2"
notes = """
The only changes from 0.6.1 were from my own PR which updated memfd to newer
dependencies.
"""
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.memfd]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.6.2 -> 0.6.3"
notes = "Just a dependency version bump and documentation update"
Add cargo-vet entries for dependency update (#5778) This adds vet entries for the updates being performed in #5513
2 years ago
[[audits.memoffset]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.7.1 -> 0.8.0"
notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes."
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.memoffset]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.9.0"
notes = "No major changes in the crate, mostly updates to use new nightly Rust features."
Update `regalloc2` to v0.4.2 (#5169)
2 years ago
[[audits.memory_units]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.3.0 -> 0.4.0"
notes = """
This bump only changed from a function to an associated `const` and trivially
contains no significant changes.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
This crate is a Rust implementation of zlib compression/decompression and has
been used by default by the Rust standard library for quite some time. It's also
a default dependency of the popular `backtrace` crate for decompressing debug
information. This crate forbids unsafe code and does not otherwise access system
resources. It's originally a port of the `miniz.c` library as well, and given
its own longevity should be relatively hardened against some of the more common
compression-related issues.
"""
Add cargo-vet entries for dependency update (#5778) This adds vet entries for the updates being performed in #5513
2 years ago
[[audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.5.1 -> 0.5.3"
notes = """
This looks to be a minor update to the crate to remove some `unsafe` code,
update Rust stylistic conventions, and perhaps some clippy lints. No major
changes.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.mio]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.8.6 -> 0.8.8"
notes = "Mostly OS portability updates along with some minor bugfixes."
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.native-tls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.11"
notes = "build is only looking for environment variables to set cfg. only two minor uses of unsafe,on macos, with ffi bindings to digest primitives and libc atexit. otherwise, this is an abstraction over three very complex systems (schannel, security-framework, and openssl) which may end up having subtle differences, but none of those are apparent from the implementation of this crate"
wasmtime-cli: add tracing output on `WASMTIME_LOG` (#7239) * wasmtime cli: install tracing-subscriber, listen to WASMTIME_LOG, log to stderr * enable tracing colors * audit supply chain for tracing subscriber
1 year ago
[[audits.nu-ansi-term]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.46.0"
notes = "one use of unsafe to call windows specific api to get console handle."
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.object]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.29.0 -> 0.30.1"
Audit `object` crate update to 0.30.3 (#5827) This audit is needed for #5619. I&#39;m going ahead and updating Cargo.toml and Cargo.lock at the same time because no source code changes are required for this update.
2 years ago
[[audits.object]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.30.1 -> 0.30.3"
notes = """
No unsafe blocks or I/O in the diff. The only changes clearly implement what
the changelog says is new in these versions.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.object]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.30.3 -> 0.31.1"
notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary."
Update vets for gimli/object/etc. (#6908) Needed for #6904
1 year ago
[[audits.object]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.31.1 -> 0.32.0"
notes = "Various new features and refactorings as one would expect from an object parsing crate, all looks good."
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.once_cell]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "1.16.0 -> 1.17.0"
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.openssl-macros]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
[[audits.openssl-probe]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = "IO is only checking for the existence of paths in the filesystem"
Make WASI-NN classes send and/or sync (#5077) * Make send and remove wrapper around WasiNnCtx· This removes the wrapper around WasiNnCtx and no longer requires borrow_mut(). Once send/sync changes in OpenVINO crate are merged in it will allow·use by frameworks that requires this trait. * Bump openvino to compatible version. * BackendExecutionContext should be Send and Sync * Fix rust format issues. * Update Cargo.lock for openvino * Audit changes to openvino crates.
2 years ago
[[audits.openvino]]
who = "Matthew Tamayo-Rios <matthew@geekbeast.com>"
criteria = "safe-to-deploy"
version = "0.4.2"
notes = """
I am the author of most of these changes.
"""
ci: unpin the wasi-nn tasks from an older Ubuntu (#6089) * ci: unpin the wasi-nn tasks from an older Ubuntu Previously, OpenVINO&#39;s lack of APT packages for Ubuntu 22.04 (`jammy`) prevented us from upgrading the GitHub runner to use `ubuntu-latest`. I updated the `install-openvino-action` to substitute in the `focal` packages in this case (this is what the OpenVINO team considers the fix) so this pin should no longer be necessary. Fixes #5408. (Run all CI actions: prtest:full) * vet: audit the openvino version bump
2 years ago
[[audits.openvino]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.4.2 -> 0.5.0"
Make WASI-NN classes send and/or sync (#5077) * Make send and remove wrapper around WasiNnCtx· This removes the wrapper around WasiNnCtx and no longer requires borrow_mut(). Once send/sync changes in OpenVINO crate are merged in it will allow·use by frameworks that requires this trait. * Bump openvino to compatible version. * BackendExecutionContext should be Send and Sync * Fix rust format issues. * Update Cargo.lock for openvino * Audit changes to openvino crates.
2 years ago
[[audits.openvino-finder]]
who = "Matthew Tamayo-Rios <matthew@geekbeast.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = """
Only updates to Cargo file for versioning.
"""
ci: unpin the wasi-nn tasks from an older Ubuntu (#6089) * ci: unpin the wasi-nn tasks from an older Ubuntu Previously, OpenVINO&#39;s lack of APT packages for Ubuntu 22.04 (`jammy`) prevented us from upgrading the GitHub runner to use `ubuntu-latest`. I updated the `install-openvino-action` to substitute in the `focal` packages in this case (this is what the OpenVINO team considers the fix) so this pin should no longer be necessary. Fixes #5408. (Run all CI actions: prtest:full) * vet: audit the openvino version bump
2 years ago
[[audits.openvino-finder]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.4.2 -> 0.5.0"
Make WASI-NN classes send and/or sync (#5077) * Make send and remove wrapper around WasiNnCtx· This removes the wrapper around WasiNnCtx and no longer requires borrow_mut(). Once send/sync changes in OpenVINO crate are merged in it will allow·use by frameworks that requires this trait. * Bump openvino to compatible version. * BackendExecutionContext should be Send and Sync * Fix rust format issues. * Update Cargo.lock for openvino * Audit changes to openvino crates.
2 years ago
[[audits.openvino-sys]]
who = "Matthew Tamayo-Rios <matthew@geekbeast.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = """
Only updates to tests to use new rust functions for mut pointers.
"""
ci: unpin the wasi-nn tasks from an older Ubuntu (#6089) * ci: unpin the wasi-nn tasks from an older Ubuntu Previously, OpenVINO&#39;s lack of APT packages for Ubuntu 22.04 (`jammy`) prevented us from upgrading the GitHub runner to use `ubuntu-latest`. I updated the `install-openvino-action` to substitute in the `focal` packages in this case (this is what the OpenVINO team considers the fix) so this pin should no longer be necessary. Fixes #5408. (Run all CI actions: prtest:full) * vet: audit the openvino version bump
2 years ago
[[audits.openvino-sys]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.4.2 -> 0.5.0"
wasmtime-cli: add tracing output on `WASMTIME_LOG` (#7239) * wasmtime cli: install tracing-subscriber, listen to WASMTIME_LOG, log to stderr * enable tracing colors * audit supply chain for tracing subscriber
1 year ago
[[audits.overload]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "small crate, only defines macro-rules!, nicely documented as well"
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.peeking_take_while]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.percent-encoding]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """
This crate is a single-file crate that does what it says on the tin. There are
a few `unsafe` blocks related to utf-8 validation which are locally verifiable
as correct and otherwise this crate is good to go.
"""
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.pin-utils]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
[[audits.pkg-config]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.25"
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.pretty_env_logger]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.5.0"
notes = "This is a minor update which bumps the `env_logger` dependency and has other formatting, no major changes."
cargo-vet all remaining dependency bumps
2 years ago
[[audits.proc-macro2]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.51 -> 1.0.57"
Update v8 and proc-macro2 dependencies (#6680) * Update v8 and proc-macro2 dependencies Gets them both compiling on the latest nightly so we can unpin the Rust compiler version in OSS-Fuzz. * Update nightly in CI
1 year ago
[[audits.proc-macro2]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.59 -> 1.0.63"
notes = """
This is a routine update for new nightly features and new syntax popping up on
nightly, nothing out of the ordinary.
"""
Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I&#39;ve chosen to not import the full history here since the crate is relatively small and doesn&#39;t have a ton of complexity. While the history of the crate is quite long the current iteration of the crate&#39;s history is relatively short so there&#39;s not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file
2 years ago
[[audits.pulldown-cmark]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = """
This crate has `unsafe` blocks and they're all related to SIMD-acceleration and
are otherwise not doing other `unsafe` operations. Additionally the crate does
not do anything other than markdown rendering as is expected.
"""
Update the wasm-tools family of crates (#6710) * Update wasm-tools dependencies * Get tests passing after wasm-tools update Mostly dealing with updates to `wasmparser`&#39;s API. * Update `cargo vet` for new crates * Add `equivalent`, `hashbrown`, and `quote` to the list of trusted authors. We already trust these authors for other crates. * Pull in some upstream audits for various deps. * I&#39;ve audited the `pulldown-cmark` dependency upgrade myself.
1 year ago
[[audits.pulldown-cmark]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.9.3"
notes = """
This is a large change to the `pulldown-cmark` crate but it tightens
restrictions on `unsafe` code to forbid it in non-SIMD mode and additionally
many changes look to be related to refactoring, improving, and restructuring.
This crate is not fundamentally different from before, which was trusted, but
looks to be receiving new assistance for maintainership as well.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[audits.quote]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.23 -> 1.0.27"
Upgrade regalloc2 -&gt; 0.3.2 (#4603) Includes a modest improvement in memory usage and performance by removing analysis that was only used during fuzzing.
2 years ago
[[audits.regalloc2]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.2"
notes = "The Bytecode Alliance is the author of this crate."
Cranelift: use regalloc2 constraints on caller side of ABI code. (#4892) * Cranelift: use regalloc2 constraints on caller side of ABI code. This PR updates the shared ABI code and backends to use register-operand constraints rather than explicit pinned-vreg moves for register arguments and return values. The s390x backend was not updated, because it has its own implementation of ABI code. Ideally we could converge back to the code shared by x64 and aarch64 (which didn&#39;t exist when s390x ported calls to ISLE, so the current situation is underestandable, to be clear!). I&#39;ll leave this for future work. This PR exposed several places where regalloc2 needed to be a bit more flexible with constraints; it requires regalloc2#74 to be merged and pulled in. * Update to regalloc2 0.3.3. In addition to version bump, this required removing two asserts as `SpillSlot`s no longer carry their class (so we can&#39;t assert that they have the correct class). * Review comments. * Filetest updates. * Add cargo-vet audit for regalloc2 0.3.2 -&gt; 0.3.3 upgrade. * Update to regalloc2 0.4.0.
2 years ago
[[audits.regalloc2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.4.0"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade to regalloc2 0.4.1. (#4945) * Upgrade to regalloc2 0.4.1. Incorporates bytecodealliance/regalloc2#85, which fixes a fuzzbug related to constraints and liverange splits. * Add audit of regalloc2 upgrade.
2 years ago
[[audits.regalloc2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.4.1"
notes = "The Bytecode Alliance is the author of this crate."
Update `regalloc2` to v0.4.2 (#5169)
2 years ago
[[audits.regalloc2]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = "The Bytecode Alliance is the author of this crate."
Bump regalloc2 to 0.5.0 (#5345) * Bump the regalloc2 dependency to 0.5.0 * Replace preg_set_from_machine_env with PRegSet::from * Vet the regalloc2 update
2 years ago
[[audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.4.2 -> 0.5.0"
notes = "The Bytecode Alliance is the author of this crate."
Bump regalloc2 to version 0.5.1 (#5387) Bump regalloc2 to version 0.5.1.
2 years ago
[[audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.5.1"
notes = "The Bytecode Alliance is the author of this crate."
Bump regalloc2 to 0.6.0 (#5742) * Bump regalloc2 * Certify regalloc2 0.6.0
2 years ago
[[audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.5.1 -> 0.6.0"
notes = "The Bytecode Alliance is the author of this crate."
Cranelift: upgrade to regalloc2 0.6.1. (#5799) * Cranelift: upgrade to regalloc2 0.6.1. Fixes #5791 by pulling in bytecodealliance/regalloc2#113. * Add cargo-vet entry for regalloc2 0.6.1.
2 years ago
[[audits.regalloc2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.6.1"
notes = "Bytecode Alliance is the author of this crate."
Bump regalloc2 to 0.7.0 (#6237) * Bump RA2 to 0.7.0 * Certify the RA2 update * Import the rustc-hash audit * Updates for regalloc2 prtest:full * Update tests
2 years ago
[[audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.6.1 -> 0.7.0"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.rustc-demangle]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.rustix]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.36.4"
notes = "The Bytecode Alliance is the author of this crate."
Update to rustix 0.36.7. (#5590) This fixes compilation on armv7-unknown-freebsd, as reported [here]. [here]: https://github.com/bytecodealliance/wasmtime/issues/5499#issuecomment-1383157702
2 years ago
[[audits.rustix]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.36.7"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.rustix]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.37.13"
notes = "The Bytecode Alliance is the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.rustix]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.36.7 -> 0.36.8"
notes = "The Bytecode Alliance is the author of this crate."
add supply chain audits for #5929&#39;s rustls changes (#6137) The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don&#39;t care about that platform, I added exemptions for all of these crates, so we don&#39;t have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
2 years ago
[[audits.rustls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "no unsafe code, ambient capabilities only used in tests"
Update webpki-roots and rustls deps (#6894) * upgrade webpki-roots to 0.25.2 Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt; * upgrade rustls to 0.21.6 and replace deprecated add_server_trust_anchors with add_trust_anchors Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt; * audit dependency upgrades --------- Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt;
1 year ago
[[audits.rustls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.21.0 -> 0.21.6"
add supply chain audits for #5929&#39;s rustls changes (#6137) The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don&#39;t care about that platform, I added exemptions for all of these crates, so we don&#39;t have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
2 years ago
[[audits.rustls-webpki]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.100.1"
Update webpki-roots and rustls deps (#6894) * upgrade webpki-roots to 0.25.2 Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt; * upgrade rustls to 0.21.6 and replace deprecated add_server_trust_anchors with add_trust_anchors Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt; * audit dependency upgrades --------- Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt;
1 year ago
[[audits.rustls-webpki]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.100.1 -> 0.101.4"
add supply chain audits for #5929&#39;s rustls changes (#6137) The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don&#39;t care about that platform, I added exemptions for all of these crates, so we don&#39;t have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
2 years ago
[[audits.sct]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.7.0"
notes = "no unsafe, no build, no ambient capabilities"
cargo vet remaining dependencies for #5929 (#6125)
2 years ago
[[audits.semver]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.0.17"
notes = "plenty of unsafe pointer and vec tricks, but in well-structured and commented code that appears to be correct"
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.sha2]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.9 -> 0.10.2"
notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage."
wasmtime-cli: add tracing output on `WASMTIME_LOG` (#7239) * wasmtime cli: install tracing-subscriber, listen to WASMTIME_LOG, log to stderr * enable tracing colors * audit supply chain for tracing subscriber
1 year ago
[[audits.sharded-slab]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.4"
notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe."
Wasi-http: support inbound requests (proxy world) (#7091) * Move the incoming_handler impl into http_impl * Remove the incoming handler -- we need to use it as a guest export * Start adding a test-programs test for the server side of wasi-http * Progress towards running a server test * Implement incoming-request-method * Validate outparam value * Initial incoming handler test * Implement more of the incoming api * Finish the incoming api implementations * Initial cut at `wasmtime serve` * fix warning * wasmtime-cli: invoke ServeCommand, and add enough stuff to the linker to run trivial test * fix warnings * fix warnings * argument parsing: allow --addr to specify sockaddr * rustfmt * sync wit definitions between wasmtime-wasi and wasmtime-wasi-http * cargo vet: add an import config and wildcard audit for wasmtime-wmemcheck * cargo vet: audit signal-hook-registry * Remove duplicate add_to_linker calls for preview2 interfaces prtest:full * Add a method to finish outgoing responses Co-authored-by: Adam Foltzer &lt;acfoltzer@fastly.com&gt; Co-authored-by: Pat Hickey &lt;phickey@fastly.com&gt; * Mark the result of the incoming_{request,response}_consume methods as own * Explicit versions for http-body and http-body-util * Explicit `serve` feature for the `wasmtime serve` command * Move the spawn outside of the future returned by `ProxyHandler::call` * Review feedback --------- Co-authored-by: Trevor Elliott &lt;telliott@fastly.com&gt; Co-authored-by: Adam Foltzer &lt;acfoltzer@fastly.com&gt;
1 year ago
[[audits.signal-hook-registry]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.4.1"
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.slab]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.4.6"
notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods."
Update the `slice-group-by` dependency (#6335) This pulls in Kerollmops/slice-group-by#20 which is necessary to get Cranelift &#34;clean&#34; in MIRI with Stacked Borrows. I plan on leveraging this in a subsequent commit to #6332 which turns on Stacked Borrows for Wasmtime, but currently it fails due to this transitive dependency of Cranelift, hence the update.
2 years ago
[[audits.slice-group-by]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = """
This update runs `rustfmt` for the first time in awhile and additionally fixes a
few minor issues related to Stacked Borrows and running in MIRI. No fundamental
change to any preexisting unsafe code is happening here.
"""
Implement the `tcp` interface of wasi-sockets. (#6837) * Implement the `tcp` interface of wasi-sockets. Implement the `tcp`, `tcp-create-socket`, and `network` interfaces of wasi-sockets. * Minor cleanups. * Update to the latest upstream wasi-sockets. * Address review feedback. * Handle zero-length reads and writes, and other cleanups. * Fix compilation on macOS. * Fix compilation on Windows. * Update all the copies of wasi-socket wit files. * Sync up more wit files. * Fix the errno code for non-blocking `connect` on Windows. prtest:full * Tolerate `NOTCONN` errors when cleaning up with `shutdown`. * Simplify the polling mechanism. This requires an updated tokio for `Interest::ERROR`. * Downgrade to tokio 1.29.1 for now. * Move `tcp_state` out of the `Arc`. * `accept` doesn&#39;t need a write lock. * Remove `tcp_state`&#39;s `RwLock`.
1 year ago
[[audits.smallvec]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.11.0"
notes = """
The main change is the switch to use `NonNull<T>` internally instead of
`*mut T`. This seems reasonable, as `Vec` also never stores a null pointer,
and in particular the new `NonNull::new_unchecked`s look ok.
Most of the rest of the changes are adding some new unstable features which
aren't enabled by default.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.socket2]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.4.7 -> 0.4.9"
notes = "Minor OS compat updates but otherwise nothing major here."
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.spin]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.9.4"
notes = """
I've verified the contents of this crate and that while they contain `unsafe`
it's exclusively around implementing atomic primitive where some `unsafe` is to
be expected. Otherwise this crate does not unduly access ambient capabilities
and does what it says on the tin, providing spin-based synchronization
primitives.
"""
Make Wasmtime compatible with Stacked Borrows in MIRI (#6338) * Make Wasmtime compatible with Stacked Borrows in MIRI The fact that Wasmtime executes correctly under Tree Borrows but not Stacked Borrows is a bit suspect and given what I&#39;ve since learned about the aliasing models I wanted to give it a stab to get things working with Stacked Borrows. It turns out that this wasn&#39;t all that difficult, but required two underlying changes: * First the implementation of `Instance::vmctx` is now specially crafted in an intentional way to preserve the provenance of the returned pointer. This way all `&amp;Instance` pointers will return a `VMContext` pointer with the same provenance and acquiring the pointer won&#39;t accidentally invalidate all prior pointers. * Second the conversion from `VMContext` to `Instance` has been updated to work with provenance and such. Previously the conversion looked like `&amp;mut VMContext -&gt; &amp;mut Instance`, but I think this didn&#39;t play well with MIRI because `&amp;mut VMContext` has no provenance over any data since it&#39;s zero-sized. Instead now the conversion is from `*mut VMContext` to `&amp;mut Instance` where we know that `*mut VMContext` has provenance over the entire instance allocation. This shuffled a fair bit around to handle the new closure-based API to prevent escaping pointers, but otherwise no major change other than the structure and the types in play. This commit additionally picks up a dependency on the `sptr` crate which is a crate for prototyping strict-provenance APIs in Rust. This is I believe intended to be upstreamed into Rust one day (it&#39;s in the standard library as a Nightly-only API right now) but in the meantime this is a stable alternative. * Clean up manual `unsafe impl Send` impls This commit adds a new wrapper type `SendSyncPtr&lt;T&gt;` which automatically impls the `Send` and `Sync` traits based on the `T` type contained. Otherwise it works similarly to `NonNull&lt;T&gt;`. This helps clean up a number of manual annotations of `unsafe impl {Send,Sync} for ...` throughout the runtime. * Remove pointer-to-integer casts with tables In an effort to enable MIRI&#39;s &#34;strict provenance&#34; mode this commit removes the integer-to-pointer casts in the runtime `Table` implementation for Wasmtime. Most of the bits were already there to track all this, so this commit plumbed around the various pointer types and with the help of the `sptr` crate preserves the provenance of all related pointers. * Remove integer-to-pointer casts in CoW management The `MemoryImageSlot` type stored a `base: usize` field mostly because I was too lazy to have a `Send`/`Sync` type as a pointer, so this commit updates it to use `SendSyncPtr&lt;u8&gt;` and then plumbs the pointer-ness throughout the implementation. This removes all integer-to-pointer casts and has pointers stores as actual pointers when they&#39;re at rest. * Remove pointer-to-integer casts in &#34;raw&#34; representations This commit changes the &#34;raw&#34; representation of `Func` and `ExternRef` to a `*mut c_void` instead of the previous `usize`. This is done to satisfy MIRI&#39;s requirements with strict provenance, properly marking the intermediate value as a pointer rather than round-tripping through integers. * Minor remaining cleanups * Switch to Stacked Borrows for MIRI on CI Additionally enable the strict-provenance features to force warnings emitted today to become errors. * Fix a typo * Replace a negative offset with `sub` * Comment the sentinel value * Use NonNull::dangling
2 years ago
[[audits.sptr]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.2"
notes = """
This crate is 90% documentation and does contain a good deal of `unsafe` code,
but it's all doing what it says on the tin: being a stable polyfill for strict
provenance APIs in the standard library while they're on Nightly.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[audits.syn]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.92 -> 2.0.16"
Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits.
2 years ago
[[audits.system-interface]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.23.0"
Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits.
2 years ago
notes = "The Bytecode Alliance is the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.system-interface]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.25.0"
notes = "The Bytecode Alliance is the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.system-interface]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.25.0 -> 0.25.4"
notes = "The Bytecode Alliance is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.system-interface]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.25.4 -> 0.25.6"
notes = "Just a dependency version bump"
Fix `poll_oneoff`&#39;s handling of non-regular files. (#6258) `poll_oneoff` uses `system_interface::ReadReady` to compute how many bytes are ready to be read, which is part of the Preview1 `poll_oneoff` API. This updates to system-interface 0.25.7 which has a fix to handle special files such as /dev/urandom and /dev/null properly. Fixes #6239.
2 years ago
[[audits.system-interface]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.25.6 -> 0.25.7"
notes = "This is a minor bug-fix update."
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -&gt; 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -&gt; 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen&#39;s dependencies * auto-import wildcard vets
2 years ago
[[audits.tempfile]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "3.3.0 -> 3.5.0"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.tempfile]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "3.5.0 -> 3.6.0"
notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal."
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -&gt; 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -&gt; 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen&#39;s dependencies * auto-import wildcard vets
2 years ago
[[audits.test-log]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.11"
wasmtime-cli: add tracing output on `WASMTIME_LOG` (#7239) * wasmtime cli: install tracing-subscriber, listen to WASMTIME_LOG, log to stderr * enable tracing colors * audit supply chain for tracing subscriber
1 year ago
[[audits.thread_local]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "uses unsafe to implement thread local storage of objects"
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.tinyvec]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """
This crate, while it implements collections, does so without `std::*` APIs and
without `unsafe`. Skimming the crate everything looks reasonable and what one
would expect from idiomatic safe collections in Rust.
"""
[[audits.tinyvec_macros]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """
This is a trivial crate which only contains a singular macro definition which is
intended to multiplex across the internal representation of a tinyvec,
presumably. This trivially doesn't contain anything bad.
"""
Update tokio to resolve dependabot warning (#5607) This doesn&#39;t fully update tokio since the update to the latest version has quite a few changes I&#39;d prefer to not audit at the moment, but it updates to a patched version.
2 years ago
[[audits.tokio]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.18.1 -> 1.18.4"
notes = """
This looks to be a minor release primarily to fix a security-related Windows
issue plus some reorganization around lazy initialization. Altogether nothing
amiss here.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.tokio-macros]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.7.0 -> 2.1.0"
notes = "A number of updates to parsed syntax and such but nothing unexpected and entirely what one would expect a Rust procedural macro to do."
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.tokio-native-tls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.1"
notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly."
add supply chain audits for #5929&#39;s rustls changes (#6137) The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don&#39;t care about that platform, I added exemptions for all of these crates, so we don&#39;t have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
2 years ago
[[audits.tokio-rustls]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.24.0"
notes = "no unsafe, no build, no ambient capabilities"
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.tokio-util]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.7.4"
notes = "Alex Crichton audited the safety of src/sync/reusable_box.rs, I audited the remainder of the crate."
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[audits.tracing]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.1.34 -> 0.1.37"
notes = """
A routine set of updates for the tracing crate this includes minor refactorings,
addition of benchmarks, some test updates, but overall nothing out of the
ordinary.
"""
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[audits.tracing-attributes]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.1.21 -> 0.1.26"
notes = "This range notably updated `syn` to 2.x.x and otherwise adds a few features here and there but nothing out of the ordering for a procedural macro."
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[audits.tracing-core]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.1.28 -> 0.1.31"
notes = """
This is a relatively minor set of releases with minor refactorings and bug
fixes. Nothing fundamental was added in these changes.
"""
wasmtime-cli: add tracing output on `WASMTIME_LOG` (#7239) * wasmtime cli: install tracing-subscriber, listen to WASMTIME_LOG, log to stderr * enable tracing colors * audit supply chain for tracing subscriber
1 year ago
[[audits.tracing-subscriber]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.17"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[audits.tracing-subscriber]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.3.11 -> 0.3.17"
notes = """
Largely documentation changes in this update but there was additionally a crop
of other miscellaneous updates to APIs all covered in the changelog without,
business as usual for minor updates in this crate.
"""
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.try-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"
Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I&#39;ve chosen to not import the full history here since the crate is relatively small and doesn&#39;t have a ton of complexity. While the history of the crate is quite long the current iteration of the crate&#39;s history is relatively short so there&#39;s not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file
2 years ago
[[audits.unicase]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.6.0"
notes = """
This crate contains no `unsafe` code and no unnecessary use of the standard
library.
"""
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.unicode-bidi]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.8"
notes = """
This crate has no unsafe code and does not use `std::*`. Skimming the crate it
does not attempt to out of the bounds of what it's already supposed to be doing.
"""
cargo-vet all remaining dependency bumps
2 years ago
[[audits.unicode-ident]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.0.8"
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.unicode-normalization]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.19"
notes = """
This crate contains one usage of `unsafe` which I have manually checked to see
it as correct. This crate's size comes in large part due to the generated
unicode tables that it contains. This crate is additionally widely used
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
and nothing suspicious.
"""
[[audits.url]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.3.1"
notes = """
This crate contains no `unsafe` code and otherwise doesn't use any functionality
it's not supposed to from `std` or such. This crate is the defacto standard for
URL parsing in the Rust community with widespread usage to battle-test, harden,
and suss out bugs. I've historically reviewed this crate in the past and it
is similar to what it once was back then. Skimming over the crate there is
nothing suspicious and it's everything you'd expect a Rust URL parser to be.
"""
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.vcpkg]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
vet: certify `walkdir` version bump from 2.3.2 to 2.3.3 (#6342)
2 years ago
[[audits.walkdir]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "2.3.2 -> 2.3.3"
notes = "No significant changes: minor refactoring and removes the need to use `winapi`."
wasi-http supply chain audit (#6121) * add cargo-deny exception for duplicate versions of windows-sys * cargo vetting for all new deps introduced by https://github.com/bytecodealliance/wasmtime/pull/5929 The audits are straightforward. The exemptions, as always, need to be justified: * core-foundation, core-foundation-sys, security-framework, security-framework-sys: these are large crates which are FFI bindings to Mac OS frameworks. As such they contain tons of unsafe code to make these FFI calls and manage memory. These crates are too big to audit. * schannel: same as the above, except this is a windows component, which I&#39;m also unfamiliar with. * openssl, openssl-sys: also large FFI bindings which are impractical to audit. * futures-macro, futures-task: while not as complex as futures-util, these are beyond my personal understanding of futures to vet practically. I&#39;ve asked Alex to look at auditing these, and he will after he returns from vacation next week. * futures-util: 25kloc of code, over 149 instances of the substring &#34;unsafe&#34; (case insensitive), this is impractical to audit in the extreme. * h2, http, httparse, hyper, mio, tokio: this so-called tokio/hyper family are very large and challenging to audit. Bobby Holley has indicated that he is working to get the AWS engineers who maintain these crates to publish their own audits, which we can then import. We expect to exempt these until those imports are available.
2 years ago
[[audits.want]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
add supply chain audits for #5929&#39;s rustls changes (#6137) The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don&#39;t care about that platform, I added exemptions for all of these crates, so we don&#39;t have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
2 years ago
[[audits.wasm-bindgen-shared]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.2.83 -> 0.2.80"
Add vet entries for coredump support (#5878) * Update the `num_cpus` crate Audits for this update provided from our import from Mozilla. * Add vet entries for coredump support
2 years ago
[[audits.wasm-coredump-builder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.10"
notes = """
This is a small crate which doesn't deviate outside of its intended purpose and
additionally contains no `unsafe` code.
"""
Add more vets for core dumps (#5894) Required by #5868
2 years ago
[[audits.wasm-coredump-builder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.1.10 -> 0.1.11"
notes = "This is a minor update which only adds a small bit of functionality."
Add vet entries for coredump support (#5878) * Update the `num_cpus` crate Audits for this update provided from our import from Mozilla. * Add vet entries for coredump support
2 years ago
[[audits.wasm-coredump-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.10"
notes = """
This small crate contains no `unsafe` code and does no more than what it says on
the tin.
"""
Add more vets for core dumps (#5894) Required by #5868
2 years ago
[[audits.wasm-coredump-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.1.10 -> 0.1.11"
notes = """
This is a small update which accounts for a function offset in frames and
doesn't add in too much extra.
"""
Add vet entries for coredump support (#5878) * Update the `num_cpus` crate Audits for this update provided from our import from Mozilla. * Add vet entries for coredump support
2 years ago
[[audits.wasm-coredump-types]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.10"
notes = """
This small crate contains no `unsafe` code and only contains type definitions
used for wasm core dumps and trivially stays within its bounds.
"""
Add more vets for core dumps (#5894) Required by #5868
2 years ago
[[audits.wasm-coredump-types]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.1.10 -> 0.1.11"
notes = "This is quite a small update which only adds a small bit of offset-related functionality."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.14.0"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.15.0"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.16.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.17.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.18.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.19.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.20.0"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.22.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.23.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.25.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.19.0 -> 0.19.1"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.6"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.7"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.8"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.10"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.11"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.12"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.13"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.14"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.16"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.18"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.21"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.2"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.3"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.4"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.5"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.6"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.7"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.8"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.9"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.10"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.11"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.12.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.12.2"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.12.5"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasmi]]
who = "Robin Freyler <robin.freyler@gmail.com>"
criteria = "safe-to-run"
version = "0.20.0"
notes = """
I am the author of this crate. It contains unsafe Rust code.
However, the crate does not read or write data from any parts of the filesystem,
it does not install software upon compilation e.g. via build scripts,
it does not connect to network endpoints and does not misuse system resources.
If any of the above happens it is either by the user explicitly telling the
crate to do so (it is an interpreter) or due to a bug or other unintended
behavior.
"""
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.wasmi_arena]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.1.0"
notes = """
This crate contains no `unsafe` code and doesn't reach in unnecessarily to the
standard library or anything like that. This only contains a few data structures
used by `wasmi` and various idiomatic Rust trait implementations.
"""
[[audits.wasmi_core]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.4.0"
notes = """
This crate contains no `unsafe` code and otherwise is only the bits and bobs for
the internals of a wasm implementation. Reading over this crate there is no
unexpected usage of the filesystem or things like that and otherwise is mostly
plumbing for all the integer operations in core wasm.
"""
Update `wasmi` to `0.20.0` in `wasmtime-fuzzing` (#5256) * update wasmi to 0.20 in wasmtime-fuzzing * add cargo-vet entries for wasmi_core 0.5.0 and wasmi 0.20.0
2 years ago
[[audits.wasmi_core]]
who = "Robin Freyler <robin.freyler@gmail.com>"
criteria = "safe-to-run"
version = "0.5.0"
notes = "See notes for version 0.4.0"
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.87.0"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.88.0"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.89.0"
notes = "The Bytecode Alliance is the author of this crate."
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.89.1"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.91.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.92.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.93.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.94.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.95.0"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.96.0"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.97.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.99.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.100.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.102.0"
notes = "The Bytecode Alliance is the author of this crate."
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.wasmparser-nostd]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.91.0"
notes = """
I have certified that this crate is a one-to-one fork of `wasmparser` with
updates exclusively for the usage on targets without the standard library.
This crate is otherwise primarily authored by the Bytecode Alliance and
otherwise certified.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.37"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.38"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.39"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.40"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.41"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.42"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.43"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.44"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.45"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.46"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.49"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.50"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.53"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "35.0.2"
notes = "The Bytecode Alliance is the author of this crate."
Bump wat/wast crates (#4524) * Bump wat/wast crates Pull in upstream updates, nothing major, just keeping up-to-date. * Record audit log for new crates
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "44.0.0"
notes = "The Bytecode Alliance is the author of this crate"
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "45.0.0"
notes = "The Bytecode Alliance is the author of this crate"
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "46.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "47.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "47.0.1"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "48.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "49.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "50.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "51.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "52.0.2"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "53.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "55.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Bump wat/wast crates (#4524) * Bump wat/wast crates Pull in upstream updates, nothing major, just keeping up-to-date. * Record audit log for new crates
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.46"
notes = "The Bytecode Alliance is the author of this crate."
Enable cargo-vet (#4444) * Initialize cargo-vet on wasmtime. * Add cargo-vet to CI. * Add README.
2 years ago
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.47"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.48"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.50"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.51"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.52"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.53"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.56"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.58"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.61"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.48 -> 1.0.49"
notes = "The Bytecode Alliance is the author of this crate."
add supply chain audits for #5929&#39;s rustls changes (#6137) The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don&#39;t care about that platform, I added exemptions for all of these crates, so we don&#39;t have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
2 years ago
[[audits.webpki-roots]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.22.4 -> 0.23.0"
Update webpki-roots and rustls deps (#6894) * upgrade webpki-roots to 0.25.2 Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt; * upgrade rustls to 0.21.6 and replace deprecated add_server_trust_anchors with add_trust_anchors Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt; * audit dependency upgrades --------- Co-authored-by: Timmy Silesmo &lt;silesmo@nor2.io&gt;
1 year ago
[[audits.webpki-roots]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.25.2"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.winx]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.34.0"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.winx]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.34.0 -> 0.35.0"
notes = "Dan Gohman, a Bytecode Alliance core contributor, is the author of this crate."
Update several dependencies. (#6171) This updates to rustix 0.37.13, which contains some features we can use to implement more features in wasi-common for the wasi-sockets API. This also pulls in several other updates to avoid having multiple versions of rustix. This does introduce multiple versions of windows-sys, as the errno and tokio crates are currently using 0.45 while rustix and other dependencies have updated to 0.48; PRs updating these are already in flight so this will hopefully be resolved soon. It also includes cap-std 1.0.14, which disables the use of `openat2` and `statx` on Android, fixing a bug where some Android devices crash the process when those syscalls are executed.
2 years ago
[[audits.winx]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.35.0 -> 0.35.1"
notes = "Just a dependency version bump"
Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I&#39;ve chosen to not import the full history here since the crate is relatively small and doesn&#39;t have a ton of complexity. While the history of the crate is quite long the current iteration of the crate&#39;s history is relatively short so there&#39;s not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "The Bytecode Alliance is the author of this crate."
Fix built with latest `wit-parser` crate (#5393) A mistake was made in the publication of `wit-parser` where a breaking change was made without bumping its major version, causing build issues on `main` if `wit-parser` is updated. This commit updates `wit-parser` to the latest and we&#39;ll handle breaking changes better next time. Closes #5390
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.1"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "The Bytecode Alliance is the author of this crate."
Update to the latest `wit-parser` (#5694) This notably pulls in support in WIT for types-in-worlds.
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.5.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5757) * Update wasm-tools crates Pulls in a new component binary format which should hopefully be the last update for awhile. * Update cargo vet configuration
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.6.0"
notes = "The Bytecode Alliance is the author of this crate."
Update world-selection in `bindgen!` macro (#5779) * Update world-selection in `bindgen!` macro Inspired by bytecodealliance/wit-bindgen#494 specifying a world or document to bindgen is now optional as it&#39;s inferred if there&#39;s only one `default world` in a package&#39;s documents. * Add cargo-vet entry
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.6.1"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5945) This notably updates `wasmparser` for updates to the relaxed-simd proposal and an implementation of the function-references proposal. Additionally there are some minor bug fixes being picked up for WIT and the component model.
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.6.4"
notes = "The Bytecode Alliance is the author of this crate."
Replace audits for windows-rs with trusted entries. (#6595) The Bytecode Alliance didn&#39;t actually audit these crates but rather simply trusts them, per the notes. Previously we didn&#39;t have a way to express this distinction, but now we do.
1 year ago
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.aho-corasick]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-03-28"
end = "2024-07-15"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.anstream]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2023-03-16"
end = "2024-07-14"
[[trusted.anstyle]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2022-05-18"
end = "2024-07-14"
[[trusted.anstyle-parse]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2023-03-08"
end = "2024-07-14"
[[trusted.anstyle-query]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2023-04-13"
end = "2024-07-14"
[[trusted.anstyle-wincon]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2023-03-08"
end = "2024-07-14"
Update in-tree wit-bindgen to 0.11.0 (#6947) This only affects tests and the adapter itself, but not in any breaking way. The tests for wasi-http are reorganized to be commands which is also required to not have any exports currently since wit-bindgen for Rust guests doesn&#39;t support generating bindings in one crate and exporting in another.
1 year ago
[[trusted.anyhow]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-10-05"
end = "2024-09-01"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.async-trait]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-07-23"
end = "2024-07-06"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.backtrace]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2023-06-29"
end = "2024-07-14"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.bstr]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-04-02"
end = "2024-07-15"
[[trusted.byteorder]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-06-09"
end = "2024-07-15"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.cap-fs-ext]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-12-11"
end = "2024-07-14"
Implement the `tcp` interface of wasi-sockets. (#6837) * Implement the `tcp` interface of wasi-sockets. Implement the `tcp`, `tcp-create-socket`, and `network` interfaces of wasi-sockets. * Minor cleanups. * Update to the latest upstream wasi-sockets. * Address review feedback. * Handle zero-length reads and writes, and other cleanups. * Fix compilation on macOS. * Fix compilation on Windows. * Update all the copies of wasi-socket wit files. * Sync up more wit files. * Fix the errno code for non-blocking `connect` on Windows. prtest:full * Tolerate `NOTCONN` errors when cleaning up with `shutdown`. * Simplify the polling mechanism. This requires an updated tokio for `Interest::ERROR`. * Downgrade to tokio 1.29.1 for now. * Move `tcp_state` out of the `Arc`. * `accept` doesn&#39;t need a write lock. * Remove `tcp_state`&#39;s `RwLock`.
1 year ago
[[trusted.cap-net-ext]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-12-11"
end = "2024-07-14"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.cap-primitives]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-08-07"
end = "2024-07-14"
[[trusted.cap-rand]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-09-24"
end = "2024-07-14"
[[trusted.cap-std]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-06-25"
end = "2024-07-14"
[[trusted.cap-tempfile]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-08-07"
end = "2024-07-14"
[[trusted.cap-time-ext]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-09-21"
end = "2024-07-14"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.clap]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2021-12-08"
end = "2024-07-06"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.clap_builder]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2023-03-28"
end = "2024-07-14"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.clap_derive]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2021-12-08"
end = "2024-07-06"
[[trusted.clap_lex]]
criteria = "safe-to-deploy"
user-id = 6743 # Ed Page (epage)
start = "2022-04-15"
end = "2024-07-06"
Update the wasm-tools family of crates (#6710) * Update wasm-tools dependencies * Get tests passing after wasm-tools update Mostly dealing with updates to `wasmparser`&#39;s API. * Update `cargo vet` for new crates * Add `equivalent`, `hashbrown`, and `quote` to the list of trusted authors. We already trust these authors for other crates. * Pull in some upstream audits for various deps. * I&#39;ve audited the `pulldown-cmark` dependency upgrade myself.
1 year ago
[[trusted.equivalent]]
criteria = "safe-to-deploy"
user-id = 539 # Josh Stone (cuviper)
start = "2023-02-05"
end = "2024-07-11"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.fd-lock]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2022-01-21"
end = "2024-07-14"
[[trusted.filecheck]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-03-17"
end = "2024-07-14"
[[trusted.fs-set-times]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-09-15"
end = "2024-07-14"
Update the wasm-tools family of crates (#6710) * Update wasm-tools dependencies * Get tests passing after wasm-tools update Mostly dealing with updates to `wasmparser`&#39;s API. * Update `cargo vet` for new crates * Add `equivalent`, `hashbrown`, and `quote` to the list of trusted authors. We already trust these authors for other crates. * Pull in some upstream audits for various deps. * I&#39;ve audited the `pulldown-cmark` dependency upgrade myself.
1 year ago
[[trusted.hashbrown]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-04-02"
end = "2024-07-11"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.indexmap]]
criteria = "safe-to-deploy"
user-id = 539 # Josh Stone (cuviper)
start = "2020-01-15"
end = "2024-07-06"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.io-extras]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2021-11-09"
end = "2024-07-14"
[[trusted.io-lifetimes]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2021-06-12"
end = "2024-07-14"
[[trusted.is-terminal]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2022-01-22"
end = "2024-07-14"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.itoa]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-05-02"
end = "2024-07-06"
[[trusted.libc]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2021-01-27"
end = "2024-07-06"
[[trusted.libm]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2022-02-06"
end = "2024-07-06"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.linux-raw-sys]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2021-06-12"
end = "2024-07-14"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.lock_api]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-05-04"
end = "2024-07-06"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.memchr]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-07-07"
end = "2024-07-15"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.parking_lot]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-05-04"
end = "2024-07-06"
[[trusted.parking_lot_core]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-05-04"
end = "2024-07-06"
[[trusted.paste]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-03-19"
end = "2024-07-06"
Update the wasm-tools family of crates (#6710) * Update wasm-tools dependencies * Get tests passing after wasm-tools update Mostly dealing with updates to `wasmparser`&#39;s API. * Update `cargo vet` for new crates * Add `equivalent`, `hashbrown`, and `quote` to the list of trusted authors. We already trust these authors for other crates. * Pull in some upstream audits for various deps. * I&#39;ve audited the `pulldown-cmark` dependency upgrade myself.
1 year ago
[[trusted.quote]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-04-09"
end = "2024-07-11"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.regex]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-02-27"
end = "2024-07-15"
[[trusted.regex-automata]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-02-25"
end = "2024-07-15"
[[trusted.regex-syntax]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-03-30"
end = "2024-07-15"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.rustix]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2021-10-29"
end = "2024-07-14"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.ryu]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-05-02"
end = "2024-07-06"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.same-file]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-07-16"
end = "2024-07-15"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.scopeguard]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2020-02-16"
end = "2024-07-06"
[[trusted.serde]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-03-01"
end = "2024-07-06"
[[trusted.serde_derive]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-03-01"
end = "2024-07-06"
[[trusted.serde_json]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-02-28"
end = "2024-07-06"
[[trusted.syn]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-03-01"
end = "2024-07-06"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.system-interface]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2020-10-27"
end = "2024-07-14"
[[trusted.target-lexicon]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2019-03-06"
end = "2024-07-14"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.termcolor]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-06-04"
end = "2024-07-15"
Trust crates published by dtolnay, epage, cuviper, Amanieu (#6697) We discussed this in today&#39;s Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I&#39;m adding here are identical to trust records that Mozilla is using. The fact that they&#39;ve also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I&#39;ve chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn&#39;t use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I&#39;ve chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I&#39;ve trusted one crate that Mozilla did not: libm, when published by Amanieu. We&#39;re trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They&#39;ve been delta-auditing the newer versions. I&#39;ve chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
1 year ago
[[trusted.thiserror]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-10-09"
end = "2024-07-06"
[[trusted.thiserror-impl]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-10-09"
end = "2024-07-06"
[[trusted.toml]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-05-16"
end = "2024-07-06"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.walkdir]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-06-09"
end = "2024-07-15"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.wasm-bindgen]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-04"
end = "2024-07-14"
[[trusted.wasm-bindgen-backend]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-04"
end = "2024-07-14"
[[trusted.wasm-bindgen-macro]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-04"
end = "2024-07-14"
[[trusted.wasm-bindgen-macro-support]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-04"
end = "2024-07-14"
[[trusted.wasm-bindgen-shared]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-04"
end = "2024-07-14"
Start to port Wasmtime to the new wasi-io API with resources. (#7029) * Rename `Host*` things to avoid name conflicts with bindings. * Update to the latest resource-enabled wit files. * Adapting the code to the new bindings. * Update wasi-http to the resource-enabled wit deps. * Start adapting the wasi-http code to the new bindings. * Make `get_directories` always return new owned handles. * Simplify the `poll_one` implementation. * Update the wasi-preview1-component-adapter. FIXME: temporarily disable wasi-http tests. Add logging to the cli world, since stderr is now a reseource that can only be claimed once. * Work around a bug hit by poll-list, fix a bug in poll-one. * Comment out `test_fd_readwrite_invalid_fd`, which panics now. * Fix a few FIXMEs. * Use `.as_ref().trapping_unwrap()` instead of `TrappingUnwrapRef`. * Use `drop_in_place`. * Remove `State::with_mut`. * Remove the `RefCell` around the `State`. * Update to wit-bindgen 0.12. * Update wasi-http to use resources for poll and I/O. This required making incoming-body and outgoing-body resourrces too, to work with `push_input_stream_child` and `push_output_stream_child`. * Re-enable disabled tests, remove logging from the worlds. * Remove the `poll_list` workarounds that are no longer needed. * Remove logging from the adapter. That said, there is no replacement yet, so add a FIXME comment. * Reenable a test that now passes. * Remove `.descriptors_mut` and use `with_descriptors_mut` instead. Replace `.descriptors()` and `.descriptors_mut()` with functions that take closures, which limits their scope, to prevent them from invalid aliasing. * Implement dynamic borrow checking for descriptors. * Add a cargo-vet audit for wasmtime-wmemcheck. * Update cargo vet for wit-bindgen 0.12. * Cut down on duplicate sync/async resource types (#1) * Allow calling `get-directories` more than once (#2) For now `Clone` the directories into new descriptor slots as needed. * Start to lift restriction of stdio only once (#3) * Start to lift restriction of stdio only once This commit adds new `{Stdin,Stdout}Stream` traits which take over the job of the stdio streams in `WasiCtxBuilder` and `WasiCtx`. These traits bake in the ability to create a stream at any time to satisfy the API of `wasi:cli`. The TTY functionality is folded into them as while I was at it. The implementation for stdin is relatively trivial since the stdin implementation already handles multiple streams reading it. Built-in impls of the `StdinStream` trait are also provided for helper types in `preview2::pipe` which resulted in the implementation of `MemoryInputPipe` being updated to support `Clone` where all clones read the same original data. * Get tests building * Un-ignore now-passing test * Remove unneeded argument from `WasiCtxBuilder::build` * Fix tests * Remove some workarounds Stdio functions can now be called multiple times. * If `poll_oneoff` fails part-way through, clean up properly. Fix the `Drop` implementation for pollables to only drop the pollables that have been successfully added to the list. This fixes the poll_oneoff_files failure and removes a FIXME. --------- Co-authored-by: Alex Crichton &lt;alex@alexcrichton.com&gt;
1 year ago
[[trusted.wasmtime-wmemcheck]]
criteria = "safe-to-deploy"
user-id = 73222 # wasmtime-publish
start = "2023-09-20"
end = "2024-09-27"
Trust crates published by BurntSushi (#6734) This commit adds `cargo vet` trust entries for any crate published by BurntSushi, of which a good number are in our dependency graph. This additionally updates the `bstr` crate to its latest version and updates regex-related dependencies from other crates to avoid duplication of versions.
1 year ago
[[trusted.winapi-util]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2020-01-11"
end = "2024-07-15"
Replace audits for windows-rs with trusted entries. (#6595) The Bytecode Alliance didn&#39;t actually audit these crates but rather simply trusts them, per the notes. Previously we didn&#39;t have a way to express this distinction, but now we do.
1 year ago
[[trusted.windows-sys]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-11-15"
end = "2024-06-17"
[[trusted.windows-targets]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2022-09-09"
end = "2024-06-17"
[[trusted.windows_aarch64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2022-09-01"
end = "2024-06-17"
[[trusted.windows_aarch64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-11-05"
end = "2024-06-17"
[[trusted.windows_i686_gnu]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-10-28"
end = "2024-06-17"
[[trusted.windows_i686_msvc]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-10-27"
end = "2024-06-17"
[[trusted.windows_x86_64_gnu]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-10-28"
end = "2024-06-17"
[[trusted.windows_x86_64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2022-09-01"
end = "2024-06-17"
[[trusted.windows_x86_64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-10-27"
end = "2024-06-17"
Dependency gardening for Wasmtime (#6731) * Remove deny.toml exception for wasm-coredump-builder This isn&#39;t used any more so no need to continue to list this. * Update Wasmtime&#39;s pretty_env_logger dependency This removes a `deny.toml` exception for that crate, but `openvino-sys` still depends on `pretty_env_logger 0.4.0` so a new exception is added for that. * Update criterion and clap dependencies This commit started out by updating the `criterion` dependency to remove an entry in `deny.toml`, but that ended up transitively requiring a `clap` dependency upgrade from 3.x to 4.x because `criterion` uses pieces of clap 4.x. Most of this commit is then dedicated to updating clap 3.x to 4.x which was relatively simple, mostly renaming attributes here and there. * Update gimli-related dependencies I originally wanted to remove the `indexmap` clause in `deny.toml` but enough dependencies haven&#39;t updated from 1.9 to 2.0 that it wasn&#39;t possible. In the meantime though this updates some various dependencies to bring them to the latest and a few of them now use `indexmap` 2.0. * Update deps to remove `windows-sys 0.45.0` This involved updating tokio/mio and then providing new audits for new crates. The tokio exemption was updated from its old version to the new version and tokio remains un-audited. * Update `syn` to 2.x.x This required a bit of rewriting for the component-macro related bits but otherwise was pretty straightforward. The `syn` 1.x.x track is still present in the wasi-crypto tree at this time. I&#39;ve additionally added some trusted audits for my own publications of `wasm-bindgen` * Update bitflags to 2.x.x This updates Wasmtime&#39;s dependency on the `bitflags` crate to the 2.x.x track to keep it up-to-date. * Update the cap-std family of crates This bumps them all to the next major version to keep up with updates. I&#39;ve additionally added trusted entries for publishes of cap-std crates from Dan. There&#39;s still lingering references to rustix 0.37.x which will need to get weeded out over time. * Update memoffset dependency to latest Avoids having two versions in our crate graph. * Fix tests * Update try_from for wiggle flags * Fix build on AArch64 Linux * Enable `event` for rustix on Windows too
1 year ago
[[trusted.winx]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2019-08-20"
end = "2024-07-14"