github
/
cranelift
mirror of https://github.com/bytecodealliance/wasmtime.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10837 Commits
49 Branches
140 Tags
128 MiB
Tree: 121094054b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '121094054b'
${ noResults }
cranelift/supply-chain/audits.toml

1346 lines
40 KiB
Raw Normal View History

Enable cargo-vet (#4444) * Initialize cargo-vet on wasmtime. * Add cargo-vet to CI. * Add README.
2 years ago
# cargo-vet audits file
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.ahash]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.7.6 -> 0.8.2"
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.anyhow]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.62 -> 1.0.66"
notes = """
This update looks to be related to minor fixes and mostly integrating with a
nightly feature in the standard library for backtrace integration. No undue
`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening
here.
"""
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "I am the author of this crate."
[[audits.arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "I am the author of this crate."
Cranelift: Harvest each Souper LHS into its own file (#5649) * Cranelift: Harvest each Souper LHS into its own file Souper only handles one input LHS at a time, so this makes it way easier to script. Don&#39;t need to try and parse each LHS. * Add audit of `arrayref` version 0.3.6 * Add audit of `constant_time_eq` version 0.2.4
2 years ago
[[audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is
doing. Well tested, has quickchecks.
"""
Cranelift: Use bump allocation in `remove_constant_phis` pass (#4710) * Cranelift: Use bump allocation in `remove_constant_phis` pass This makes compilation 2-6% faster for Sightglass&#39;s bz2 benchmark: ``` compilation :: cycles :: benchmarks/bz2/benchmark.wasm Δ = 7290648.36 ± 4245152.07 (confidence = 99%) bump.so is 1.02x to 1.06x faster than main.so! [166388177 183238542.98 214732518] bump.so [172836648 190529191.34 217514271] main.so compilation :: cycles :: benchmarks/pulldown-cmark/benchmark.wasm No difference in performance. [182220055 225793551.12 277857575] bump.so [193212613 227784078.61 277175335] main.so compilation :: cycles :: benchmarks/spidermonkey/benchmark.wasm No difference in performance. [3848442474 4295214144.37 4665127241] bump.so [3969505457 4262415290.10 4563869974] main.so ``` * Add audit for `bumpalo` * Add an audit of `arrayvec` version 0.7.2 * Remove unnecessary `collect` into `Vec` I wasn&#39;t able to measure any perf difference here, but its nice to do anyways. * Use a `SecondaryMap` for keeping track of summaries
2 years ago
[[audits.arrayvec]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.7.2"
notes = """
Well documented invariants, good assertions for those invariants in unsafe code,
and tested with MIRI to boot. LGTM.
"""
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.atty]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.14"
notes = """
Contains only unsafe code for what this crate's purpose is and only accesses
the environment's terminal information when asked. Does its stated purpose and
no more.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.backtrace]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.66"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.base64]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
cargo-vet: audit base64 0.21.0 (#5707)
2 years ago
[[audits.base64]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-run"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"
Cranelift: Use bump allocation in `remove_constant_phis` pass (#4710) * Cranelift: Use bump allocation in `remove_constant_phis` pass This makes compilation 2-6% faster for Sightglass&#39;s bz2 benchmark: ``` compilation :: cycles :: benchmarks/bz2/benchmark.wasm Δ = 7290648.36 ± 4245152.07 (confidence = 99%) bump.so is 1.02x to 1.06x faster than main.so! [166388177 183238542.98 214732518] bump.so [172836648 190529191.34 217514271] main.so compilation :: cycles :: benchmarks/pulldown-cmark/benchmark.wasm No difference in performance. [182220055 225793551.12 277857575] bump.so [193212613 227784078.61 277175335] main.so compilation :: cycles :: benchmarks/spidermonkey/benchmark.wasm No difference in performance. [3848442474 4295214144.37 4665127241] bump.so [3969505457 4262415290.10 4563869974] main.so ``` * Add audit for `bumpalo` * Add an audit of `arrayvec` version 0.7.2 * Remove unnecessary `collect` into `Vec` I wasn&#39;t able to measure any perf difference here, but its nice to do anyways. * Use a `SecondaryMap` for keeping track of summaries
2 years ago
[[audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "3.9.1"
notes = "I am the author of this crate."
Update bumpalo to 3.11.1 (#5070)
2 years ago
[[audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "3.11.1"
notes = "I am the author of this crate."
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-fs-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-fs-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-fs-ext]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-primitives]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-primitives]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-primitives]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.cap-rand]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-rand]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-std]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-std]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-std]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Optimize the WASI `random_get` implementation. (#4917) * Optimize the WASI `random_get` implementation. Use `StdRng` instead of the `OsRng` in the default implementation of `random_get`. This uses a userspace CSPRNG, making `random_get` 3x faster in simple benchmarks. * Update cargo-vet audits for cap-std 0.25.3. * Update all cap-std packages to 0.25.3.
2 years ago
[[audits.cap-tempfile]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-run"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
notes = "The Bytecode Alliance is the author of this crate"
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-tempfile]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-run"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.cap-time-ext]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.26.0"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
notes = "The Bytecode Alliance is the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.cap-time-ext]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.1"
notes = "The Bytecode Alliance is the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.cap-time-ext]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Drop a few crates from our dependency graph (#5009) A minor update of a few other crates drops `semver` and `rustc_version` from `Cargo.lock`. I&#39;ve audited the deltas in versions for the other crates here as well and they all look good.
2 years ago
[[audits.cast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.2.7 -> 0.3.0"
notes = """
This release appears to have brought support for 128-bit integers and removed a
`transmute` around converting between float bits and the float itself.
Otherwise no major changes except what was presumably minor API breaking changes
due to the major version bump.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.cc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."
[[audits.cfg-if]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
cranelift-isle: Rewrite error reporting (#5318) There were several issues with ISLE&#39;s existing error reporting implementation. - When using Miette for more readable error reports, it would panic if errors were reported from multiple files in the same run. - Miette is pretty heavy-weight for what we&#39;re doing, with a lot of dependencies. - The `Error::Errors` enum variant led to normalization steps in many places, to avoid using that variant to represent a single error. This commit: - replaces Miette with codespan-reporting - gets rid of a bunch of cargo-vet exemptions - replaces the `Error::Errors` variant with a new `Errors` type - removes source info from `Error` variants so they&#39;re easy to construct - adds source info only when formatting `Errors` - formats `Errors` with a custom `Debug` impl - shares common code between ISLE&#39;s callers, islec and cranelift-codegen - includes a source snippet even with fancy-errors disabled I tried to make this a series of smaller commits but I couldn&#39;t find any good split points; everything was too entangled with everything else.
2 years ago
[[audits.codespan-reporting]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
version = "0.11.1"
notes = "This library uses `forbid(unsafe_code)` and has no filesystem or network I/O."
Cranelift: Harvest each Souper LHS into its own file (#5649) * Cranelift: Harvest each Souper LHS into its own file Souper only handles one input LHS at a time, so this makes it way easier to script. Don&#39;t need to try and parse each LHS. * Add audit of `arrayref` version 0.3.6 * Add audit of `constant_time_eq` version 0.2.4
2 years ago
[[audits.constant_time_eq]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."
Drop a few crates from our dependency graph (#5009) A minor update of a few other crates drops `semver` and `rustc_version` from `Cargo.lock`. I&#39;ve audited the deltas in versions for the other crates here as well and they all look good.
2 years ago
[[audits.criterion]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.3.5 -> 0.3.6"
notes = """
There were no major changes to code in this update, mostly just stylistic and
updating some version dependency requirements.
"""
[[audits.criterion-plot]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.4.4 -> 0.4.5"
notes = """
No major changes in this update, it was almost entirely stylistic with what
appears to be a few clippy fixes here and there.
"""
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.crypto-common]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
version = "0.1.3"
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.derive_arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "I am the author of this crate."
[[audits.derive_arbitrary]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
notes = "I am the author of this crate."
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.digest]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.3"
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.fd-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "3.0.9"
notes = "This crate uses unsafe to make Windows syscalls, to borrow an Fd with an appropriate lifetime, and to zero a windows API structure that appears to have a valid representation with zeroed memory."
[[audits.fd-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "3.0.9 -> 3.0.10"
notes = "Just a dependency version bump"
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.file-per-thread-logger]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.5"
notes = """
Contains no unsafe code but does write log files to the filesystem. Log files
are only created when requested by the application, however, and otherwise
only does its stated purpose.
"""
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.form_urlencoded]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = """
This is a small crate for working with url-encoded forms which doesn't have any
more than what it says on the tin. Contains one `unsafe` block related to
performance around utf-8 validation which is fairly easy to verify as correct.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.fs-set-times]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.18.0"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.fs-set-times]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.18.0 -> 0.18.1"
notes = "The Bytecode Alliance is the author of this crate."
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.hashbrown]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.12.3 -> 0.13.1"
notes = "The diff looks plausible. Much of it is low-level memory-layout code and I can't be 100% certain without a deeper dive into the implementation logic, but nothing looks actively malicious."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.heck]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.hermit-abi]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.3.0"
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.id-arena]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "2.2.1"
notes = "I am the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.idna]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = """
This is a crate without unsafe code or usage of the standard library. The large
size of this crate comes from the large generated unicode tables file. This
crate is broadly used throughout the ecosystem and does not contain anything
suspicious.
"""
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.indexmap-nostd]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.4.0"
notes = """
I've verified that this is a sliced-down version of the `indexmap` crate which
is otherwise certified. This doesn't contain unnecessary `unsafe` and
additionally doesn't reach for ambient capabilities.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.io-extras]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.17.0"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.io-extras]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.17.0 -> 0.17.2"
notes = "The Bytecode Alliance is the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.io-lifetimes]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "1.0.3"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.io-lifetimes]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.3 -> 1.0.5"
notes = "The Bytecode Alliance is the author of this crate."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.is-terminal]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "Contains only unsafe code for interacting with the crate's intended purpose."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.is-terminal]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "Contains only unsafe code for interacting with the crate's intended purpose."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.is-terminal]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.3"
notes = "The Bytecode Alliance is the author of this crate."
Fix compile errors on FreeBSD x64/arm64 (#5606) * Fix compile error on FreeBSD x64 * Fix compile on FreeBSD arm64 * Update Cargo.lock for ittapi * vet: certify diff for ittapi libraries Co-authored-by: Andrew Brown &lt;andrew.brown@intel.com&gt;
2 years ago
[[audits.ittapi]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
notes = "I am the author of this crate."
[[audits.ittapi-sys]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
notes = "Unsafe code is due to auto-generated bindings to a widely-deployed C library."
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.leb128]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "I am the author of this crate."
Update libfuzzer to 0.4.5 (#5068) * Update `libfuzzer-sys` to 0.4.5 * Set fuzzing crates as `safe-to-run` in `cargo-vet` Rather than `safe-to-deploy`.
2 years ago
[[audits.libfuzzer-sys]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-run"
delta = "0.4.3 -> 0.4.4"
notes = "I am the author of this crate."
[[audits.libfuzzer-sys]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-run"
delta = "0.4.4 -> 0.4.5"
notes = "I am the author of this crate."
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
cranelift: Upgrade libm to 0.2.4 (#4670) * cranelift: Upgrade libm to 0.2.4 This resolves an issue with incorrect fmaf on the x86_64-pc-windows-gnu target under some inputs. See: #4517 * supply-chain: Vet `libm` 0.2.4
2 years ago
[[audits.libm]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"
notes = """
This diff primarily fixes a few issues with the `fma`-related functions,
but also contains some other minor fixes as well. Everything looks A-OK and
as expected.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.linux-raw-sys]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.1.3"
notes = "I am the author of this crate."
Add some audits for some low-hanging fruit (#4836) I looked through some of our smaller dependencies to vet them and add an audit for them. These were the ones that were all &#34;obviously correct&#34; to me before I ran out of steam reviewing other crates.
2 years ago
[[audits.memfd]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.6.1"
notes = """
Does not interact with the system in any way than otherwise instructed to.
Contains unsafe blocks but are encapsulated and required for the operation at
hand.
"""
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.memfd]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.6.2"
notes = """
The only changes from 0.6.1 were from my own PR which updated memfd to newer
dependencies.
"""
Update `regalloc2` to v0.4.2 (#5169)
2 years ago
[[audits.memory_units]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
delta = "0.3.0 -> 0.4.0"
notes = """
This bump only changed from a function to an associated `const` and trivially
contains no significant changes.
"""
Add cargo-vet updates for audit backlog. (#5708)
2 years ago
[[audits.object]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.29.0 -> 0.30.1"
[[audits.once_cell]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "1.16.0 -> 1.17.0"
Make WASI-NN classes send and/or sync (#5077) * Make send and remove wrapper around WasiNnCtx· This removes the wrapper around WasiNnCtx and no longer requires borrow_mut(). Once send/sync changes in OpenVINO crate are merged in it will allow·use by frameworks that requires this trait. * Bump openvino to compatible version. * BackendExecutionContext should be Send and Sync * Fix rust format issues. * Update Cargo.lock for openvino * Audit changes to openvino crates.
2 years ago
[[audits.openvino]]
who = "Matthew Tamayo-Rios <matthew@geekbeast.com>"
criteria = "safe-to-deploy"
version = "0.4.2"
notes = """
I am the author of most of these changes.
"""
[[audits.openvino-finder]]
who = "Matthew Tamayo-Rios <matthew@geekbeast.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = """
Only updates to Cargo file for versioning.
"""
[[audits.openvino-sys]]
who = "Matthew Tamayo-Rios <matthew@geekbeast.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = """
Only updates to tests to use new rust functions for mut pointers.
"""
Add some more audits for my own crates (#4837) Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.
2 years ago
[[audits.peeking_take_while]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.percent-encoding]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """
This crate is a single-file crate that does what it says on the tin. There are
a few `unsafe` blocks related to utf-8 validation which are locally verifiable
as correct and otherwise this crate is good to go.
"""
Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I&#39;ve chosen to not import the full history here since the crate is relatively small and doesn&#39;t have a ton of complexity. While the history of the crate is quite long the current iteration of the crate&#39;s history is relatively short so there&#39;s not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file
2 years ago
[[audits.pulldown-cmark]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = """
This crate has `unsafe` blocks and they're all related to SIMD-acceleration and
are otherwise not doing other `unsafe` operations. Additionally the crate does
not do anything other than markdown rendering as is expected.
"""
Upgrade regalloc2 -&gt; 0.3.2 (#4603) Includes a modest improvement in memory usage and performance by removing analysis that was only used during fuzzing.
2 years ago
[[audits.regalloc2]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.2"
notes = "The Bytecode Alliance is the author of this crate."
Cranelift: use regalloc2 constraints on caller side of ABI code. (#4892) * Cranelift: use regalloc2 constraints on caller side of ABI code. This PR updates the shared ABI code and backends to use register-operand constraints rather than explicit pinned-vreg moves for register arguments and return values. The s390x backend was not updated, because it has its own implementation of ABI code. Ideally we could converge back to the code shared by x64 and aarch64 (which didn&#39;t exist when s390x ported calls to ISLE, so the current situation is underestandable, to be clear!). I&#39;ll leave this for future work. This PR exposed several places where regalloc2 needed to be a bit more flexible with constraints; it requires regalloc2#74 to be merged and pulled in. * Update to regalloc2 0.3.3. In addition to version bump, this required removing two asserts as `SpillSlot`s no longer carry their class (so we can&#39;t assert that they have the correct class). * Review comments. * Filetest updates. * Add cargo-vet audit for regalloc2 0.3.2 -&gt; 0.3.3 upgrade. * Update to regalloc2 0.4.0.
2 years ago
[[audits.regalloc2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.4.0"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade to regalloc2 0.4.1. (#4945) * Upgrade to regalloc2 0.4.1. Incorporates bytecodealliance/regalloc2#85, which fixes a fuzzbug related to constraints and liverange splits. * Add audit of regalloc2 upgrade.
2 years ago
[[audits.regalloc2]]
who = "Chris Fallin <chris@cfallin.org>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.4.1"
notes = "The Bytecode Alliance is the author of this crate."
Update `regalloc2` to v0.4.2 (#5169)
2 years ago
[[audits.regalloc2]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.4.2"
notes = "The Bytecode Alliance is the author of this crate."
Bump regalloc2 to 0.5.0 (#5345) * Bump the regalloc2 dependency to 0.5.0 * Replace preg_set_from_machine_env with PRegSet::from * Vet the regalloc2 update
2 years ago
[[audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.4.2 -> 0.5.0"
notes = "The Bytecode Alliance is the author of this crate."
Bump regalloc2 to version 0.5.1 (#5387) Bump regalloc2 to version 0.5.1.
2 years ago
[[audits.regalloc2]]
who = "Trevor Elliott <telliott@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.5.1"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.rustc-demangle]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.rustix]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.36.4"
notes = "The Bytecode Alliance is the author of this crate."
Update to rustix 0.36.7. (#5590) This fixes compilation on armv7-unknown-freebsd, as reported [here]. [here]: https://github.com/bytecodealliance/wasmtime/issues/5499#issuecomment-1383157702
2 years ago
[[audits.rustix]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.36.7"
notes = "The Bytecode Alliance is the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.rustix]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.36.7 -> 0.36.8"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade sha2 to 0.10.2 in wasmtime (#4749)
2 years ago
[[audits.sha2]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.9 -> 0.10.2"
notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage."
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.spin]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.9.4"
notes = """
I've verified the contents of this crate and that while they contain `unsafe`
it's exclusively around implementing atomic primitive where some `unsafe` is to
be expected. Otherwise this crate does not unduly access ambient capabilities
and does what it says on the tin, providing spin-based synchronization
primitives.
"""
Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits.
2 years ago
[[audits.system-interface]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
Update to cap-std 0.26. (#4940) * Update to cap-std 0.26. This is primarily to pull in bytecodealliance/cap-std#271, the fix for #4936, compilation on Rust nightly on Windows. It also updates to rustix 0.35.10, to pull in bytecodealliance/rustix#403, the fix for bytecodealliance/rustix#402, compilation on newer versions of the libc crate, which changed a public function from `unsafe` to safe. Fixes #4936. * Update the system-interface audit for 0.23. * Update the libc supply-chain config version.
2 years ago
version = "0.23.0"
Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits.
2 years ago
notes = "The Bytecode Alliance is the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.system-interface]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.25.0"
notes = "The Bytecode Alliance is the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.system-interface]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.25.0 -> 0.25.4"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.tinyvec]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """
This crate, while it implements collections, does so without `std::*` APIs and
without `unsafe`. Skimming the crate everything looks reasonable and what one
would expect from idiomatic safe collections in Rust.
"""
[[audits.tinyvec_macros]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """
This is a trivial crate which only contains a singular macro definition which is
intended to multiplex across the internal representation of a tinyvec,
presumably. This trivially doesn't contain anything bad.
"""
Update tokio to resolve dependabot warning (#5607) This doesn&#39;t fully update tokio since the update to the latest version has quite a few changes I&#39;d prefer to not audit at the moment, but it updates to a patched version.
2 years ago
[[audits.tokio]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.18.1 -> 1.18.4"
notes = """
This looks to be a minor release primarily to fix a security-related Windows
issue plus some reorganization around lazy initialization. Altogether nothing
amiss here.
"""
Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I&#39;ve chosen to not import the full history here since the crate is relatively small and doesn&#39;t have a ton of complexity. While the history of the crate is quite long the current iteration of the crate&#39;s history is relatively short so there&#39;s not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file
2 years ago
[[audits.unicase]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.6.0"
notes = """
This crate contains no `unsafe` code and no unnecessary use of the standard
library.
"""
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.unicode-bidi]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.8"
notes = """
This crate has no unsafe code and does not use `std::*`. Skimming the crate it
does not attempt to out of the bounds of what it's already supposed to be doing.
"""
[[audits.unicode-normalization]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.19"
notes = """
This crate contains one usage of `unsafe` which I have manually checked to see
it as correct. This crate's size comes in large part due to the generated
unicode tables that it contains. This crate is additionally widely used
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
and nothing suspicious.
"""
[[audits.url]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.3.1"
notes = """
This crate contains no `unsafe` code and otherwise doesn't use any functionality
it's not supposed to from `std` or such. This crate is the defacto standard for
URL parsing in the Rust community with widespread usage to battle-test, harden,
and suss out bugs. I've historically reviewed this crate in the past and it
is similar to what it once was back then. Skimming over the crate there is
nothing suspicious and it's everything you'd expect a Rust URL parser to be.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.14.0"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.15.0"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.16.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.17.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.18.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.19.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.20.0"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.22.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasm-encoder]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.19.0 -> 0.19.1"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.6"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.7"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.8"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.10"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.11"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.12"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.13"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.14"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasm-mutate]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.2.16"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.2"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.3"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.4"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.5"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.11.6"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.7"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.8"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.9"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.10"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.11.11"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasm-smith]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.12.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasmi]]
who = "Robin Freyler <robin.freyler@gmail.com>"
criteria = "safe-to-run"
version = "0.20.0"
notes = """
I am the author of this crate. It contains unsafe Rust code.
However, the crate does not read or write data from any parts of the filesystem,
it does not install software upon compilation e.g. via build scripts,
it does not connect to network endpoints and does not misuse system resources.
If any of the above happens it is either by the user explicitly telling the
crate to do so (it is an interpreter) or due to a bug or other unintended
behavior.
"""
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.wasmi_arena]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.1.0"
notes = """
This crate contains no `unsafe` code and doesn't reach in unnecessarily to the
standard library or anything like that. This only contains a few data structures
used by `wasmi` and various idiomatic Rust trait implementations.
"""
[[audits.wasmi_core]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.4.0"
notes = """
This crate contains no `unsafe` code and otherwise is only the bits and bobs for
the internals of a wasm implementation. Reading over this crate there is no
unexpected usage of the filesystem or things like that and otherwise is mostly
plumbing for all the integer operations in core wasm.
"""
Update `wasmi` to `0.20.0` in `wasmtime-fuzzing` (#5256) * update wasmi to 0.20 in wasmtime-fuzzing * add cargo-vet entries for wasmi_core 0.5.0 and wasmi 0.20.0
2 years ago
[[audits.wasmi_core]]
who = "Robin Freyler <robin.freyler@gmail.com>"
criteria = "safe-to-run"
version = "0.5.0"
notes = "See notes for version 0.4.0"
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.87.0"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.88.0"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.89.0"
notes = "The Bytecode Alliance is the author of this crate."
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.89.1"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.91.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.92.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.93.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.94.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.95.0"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.96.0"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.97.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasmparser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.99.0"
notes = "The Bytecode Alliance is the author of this crate."
Update `wasmi` used in differential fuzzing (#5104) * Update `wasmi` used in differential fuzzing Closes #4818 Closes #5102 * Add audits
2 years ago
[[audits.wasmparser-nostd]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.91.0"
notes = """
I have certified that this crate is a one-to-one fork of `wasmparser` with
updates exclusively for the usage on targets without the standard library.
This crate is otherwise primarily authored by the Bytecode Alliance and
otherwise certified.
"""
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.37"
notes = "The Bytecode Alliance is the author of this crate."
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.38"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.39"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.40"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.41"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.42"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.43"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.44"
notes = "The Bytecode Alliance is the author of this crate."
Update some wasm-tools crates (#5422) Notably this pulls in https://github.com/bytecodealliance/wasm-tools/pull/862 which should fix some fuzz bugs on oss-fuzz.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.45"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.46"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wasmprinter]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.2.49"
notes = "The Bytecode Alliance is the author of this crate."
Fill out some initial audit metadata (#4527) This fills out a few items which come from the wasm-tools repository as well as a few crates that I&#39;m personally the author of.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "35.0.2"
notes = "The Bytecode Alliance is the author of this crate."
Bump wat/wast crates (#4524) * Bump wat/wast crates Pull in upstream updates, nothing major, just keeping up-to-date. * Record audit log for new crates
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "44.0.0"
notes = "The Bytecode Alliance is the author of this crate"
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "45.0.0"
notes = "The Bytecode Alliance is the author of this crate"
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "46.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "47.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5010) * Update the wasm-tools family of crates Only minor updates here, mostly internal changes and no binary-related changes today. * Fix test expectation
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "47.0.1"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "48.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "49.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "50.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "51.0.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wast]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "52.0.2"
notes = "The Bytecode Alliance is the author of this crate."
Bump wat/wast crates (#4524) * Bump wat/wast crates Pull in upstream updates, nothing major, just keeping up-to-date. * Record audit log for new crates
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.46"
notes = "The Bytecode Alliance is the author of this crate."
Enable cargo-vet (#4444) * Initialize cargo-vet on wasmtime. * Add cargo-vet to CI. * Add README.
2 years ago
Add `*.wast` support for invoking components (#4526) This commit builds on bytecodealliance/wasm-tools#690 to add support to testing of the component model to execute functions when running `*.wast` files. This support is all built on #4442 as functions are invoked through a &#34;dynamic&#34; API. Right now the testing and integration is fairly crude but I&#39;m hoping that we can try to improve it over time as necessary. For now this should provide a hopefully more convenient syntax for unit tests and the like.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.47"
notes = "The Bytecode Alliance is the author of this crate."
Upgrade wasm-tools crates, namely the component model (#4715) * Upgrade wasm-tools crates, namely the component model This commit pulls in the latest versions of all of the `wasm-tools` family of crates. There were two major changes that happened in `wasm-tools` in the meantime: * bytecodealliance/wasm-tools#697 - this commit introduced a new API for more efficiently reading binary operators from a wasm binary. The old `Operator`-based reading was left in place, however, and continues to be what Wasmtime uses. I hope to update Wasmtime in a future PR to use this new API, but for now the biggest change is... * bytecodealliance/wasm-tools#703 - this commit was a major update to the component model AST. This commit almost entirely deals with the fallout of this change. The changes made to the component model were: 1. The `unit` type no longer exists. This was generally a simple change where the `Unit` case in a few different locations were all removed. 2. The `expected` type was renamed to `result`. This similarly was relatively lightweight and mostly just a renaming on the surface. I took this opportunity to rename `val::Result` to `val::ResultVal` and `types::Result` to `types::ResultType` to avoid clashing with the standard library types. The `Option`-based types were handled with this as well. 3. The payload type of `variant` and `result` types are now optional. This affected many locations that calculate flat type representations, ABI information, etc. The `#[derive(ComponentType)]` macro now specifically handles Rust-defined `enum` types which have no payload to the equivalent in the component model. 4. Functions can now return multiple parameters. This changed the signature of invoking component functions because the return value is now bound by `ComponentNamedList` (renamed from `ComponentParams`). This had a large effect in the tests, fuzz test case generation, etc. 5. Function types with 2-or-more parameters/results must uniquely name all parameters/results. This mostly affected the text format used throughout the tests. I haven&#39;t added specifically new tests for multi-return but I changed a number of tests to use it. Additionally I&#39;ve updated the fuzzers to all exercise multi-return as well so I think we should get some good coverage with that. * Update version numbers * Use crates.io
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.48"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5130) * Update wasm-tools crates Mostly just a hygienic update, nothing major here * Fix fuzz compile * Fix test expectations
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.50"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5248) No major updates, just keeping up-to-date.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.51"
notes = "The Bytecode Alliance is the author of this crate."
Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.52"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.53"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.56"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what&#39;s probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates
2 years ago
[[audits.wat]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.48 -> 1.0.49"
notes = "The Bytecode Alliance is the author of this crate."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows-sys]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows-sys]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.45.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.windows-targets]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. Additionally, this particular crate is empty and just collects a bunch of dependencies, which are not exported, so I don't understand why it exists at all."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_aarch64_gnullvm]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_aarch64_gnullvm]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_aarch64_msvc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_aarch64_msvc]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_i686_gnu]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_i686_gnu]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_i686_msvc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_i686_msvc]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_x86_64_gnu]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_x86_64_gnu]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_x86_64_gnullvm]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_x86_64_gnullvm]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.windows_x86_64_msvc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.windows_x86_64_msvc]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.42.0 -> 0.42.1"
notes = "This is a Windows API bindings library maintained by Microsoft themselves. The diff is just adding license files."
Update to cap-std 1.0, io-lifetimes 1.0. (#5330) The main change here is that io-lifetimes 1.0 switches to use the I/O safety feature in the standard library rather than providing its own copy. This also updates to windows-sys 0.42.0 and rustix 0.36.
2 years ago
[[audits.winx]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.34.0"
notes = "I am the author of this crate."
Cargo update cap-std family, and audit deps (#5710) * update cap-std family and its deps, and audit them * audit base64: append a safe-to-deploy entry I mistakenly marked it safe-to-run not understanding that safe-to-deploy was required. * update to fd-lock 3.0.10 eliminates duplicate dep on windows-sys
2 years ago
[[audits.winx]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.34.0 -> 0.35.0"
notes = "Dan Gohman, a Bytecode Alliance core contributor, is the author of this crate."
Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I&#39;ve chosen to not import the full history here since the crate is relatively small and doesn&#39;t have a ton of complexity. While the history of the crate is quite long the current iteration of the crate&#39;s history is relatively short so there&#39;s not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "The Bytecode Alliance is the author of this crate."
Fix built with latest `wit-parser` crate (#5393) A mistake was made in the publication of `wit-parser` where a breaking change was made without bumping its major version, causing build issues on `main` if `wit-parser` is updated. This commit updates `wit-parser` to the latest and we&#39;ll handle breaking changes better next time. Closes #5390
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.1"
notes = "The Bytecode Alliance is the author of this crate."
Update WIT tooling used by Wasmtime (#5565) * Update WIT tooling used by Wasmtime This commit updates the WIT tooling, namely the wasm-tools family of crates, with recent updates. Notably: * bytecodealliance/wasm-tools#867 * bytecodealliance/wasm-tools#871 This updates index spaces in components and additionally bumps the minimum required version of the component binary format to be consumed by Wasmtime (because of the index space changes). Additionally WIT tooling now fully supports `use`. Note that WIT tooling doesn&#39;t, at this time, fully support packages and depending on remotely defined WIT packages. Currently WIT still needs to be vendored in the project. It&#39;s hoped that future work with `cargo component` and possible integration here could make the story about depending on remotely-defined WIT more ergonomic and streamlined. * Fix `bindgen!` codegen tests * Add a test for `use` paths an implement support * Update to crates.io versions of wasm-tools * Uncomment codegen tests
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "The Bytecode Alliance is the author of this crate."
Update wasm-tools crates (#5631) Nothing major pulled in here, but wanted to update to the latest versions which enable tail calls by default. When used in Wasmtime, however, the feature is disabled without the possibility of being enabled since it&#39;s not implemented.
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "The Bytecode Alliance is the author of this crate."
Update to the latest `wit-parser` (#5694) This notably pulls in support in WIT for types-in-worlds.
2 years ago
[[audits.wit-parser]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.5.0"
notes = "The Bytecode Alliance is the author of this crate."