You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

747 lines
24 KiB

# cargo-vet imports lock
fuzz: randomize block lowering order (#6254) * fuzz: randomize block lowering order Co-authored-by: Moritz Waser <mzrw.dev@pm.me> Co-authored-by: Remo Senekowitsch <contact@remlse.dev> * fix block lowering order randomization Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * simplify control plane internals Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * avoid unnecessary allocations Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * remove unused change_order function Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * add arbitrary 1.3.0 to cargo vet imports lock Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * optimize ControlPlane::shuffle Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * clarify shuffle being a noop without chaos mode Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * reorder only direct successors of a block Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * rename get_permutation -> shuffled Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> --------- Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me>
2 years ago
[[publisher.arbitrary]]
version = "1.3.0"
when = "2023-03-13"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"
wasmtime: Overhaul trampolines (#6262) This commit splits `VMCallerCheckedFuncRef::func_ptr` into three new function pointers: `VMCallerCheckedFuncRef::{wasm,array,native}_call`. Each one has a dedicated calling convention, so callers just choose the version that works for them. This is as opposed to the previous behavior where we would chain together many trampolines that converted between calling conventions, sometimes up to four on the way into Wasm and four more on the way back out. See [0] for details. [0] https://github.com/bytecodealliance/rfcs/blob/main/accepted/tail-calls.md#a-review-of-our-existing-trampolines-calling-conventions-and-call-paths Thanks to @bjorn3 for the initial idea of having multiple function pointers for different calling conventions. This is generally a nice ~5-10% speed up to our call benchmarks across the board: both Wasm-to-host and host-to-Wasm. The one exception is typed calls from Wasm to the host, which have a minor regression. We hypothesize that this is because the old hand-written assembly trampolines did not maintain a call frame and do a tail call, but the new Cranelift-generated trampolines do maintain a call frame and do a regular call. The regression is only a couple nanoseconds, which seems well-explained by these differences explain, and ultimately is not a big deal. However, this does lead to a ~5% code size regression for compiled modules. Before, we compiled a trampoline per escaping function's signature and we deduplicated these trampolines by signature. Now we compile two trampolines per escaping function: one for if the host calls via the array calling convention and one for it the host calls via the native calling convention. Additionally, we compile a trampoline for every type in the module, in case there is a native calling convention function from the host that we `call_indirect` of that type. Much of this is in the `.eh_frame` section in the compiled module, because each of our trampolines needs an entry there. Note that the `.eh_frame` section is not required for Wasmtime's correctness, and you can disable its generation to shrink compiled module code size; we just emit it to play nice with external unwinders and profilers. We believe there are code size gains available for follow up work to offset this code size regression in the future. Backing up a bit: the reason each Wasm module needs to provide these Wasm-to-native trampolines is because `wasmtime::Func::wrap` and friends allow embedders to create functions even when there is no compiler available, so they cannot bring their own trampoline. Instead the Wasm module has to supply it. This in turn means that we need to look up and patch in these Wasm-to-native trampolines during roughly instantiation time. But instantiation is super hot, and we don't want to add more passes over imports or any extra work on this path. So we integrate with `wasmtime::InstancePre` to patch these trampolines in ahead of time. Co-Authored-By: Jamey Sharp <jsharp@fastly.com> Co-Authored-By: Alex Crichton <alex@alexcrichton.com> prtest:full
2 years ago
[[publisher.bumpalo]]
version = "3.12.0"
when = "2023-01-17"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"
fuzz: randomize block lowering order (#6254) * fuzz: randomize block lowering order Co-authored-by: Moritz Waser <mzrw.dev@pm.me> Co-authored-by: Remo Senekowitsch <contact@remlse.dev> * fix block lowering order randomization Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * simplify control plane internals Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * avoid unnecessary allocations Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * remove unused change_order function Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * add arbitrary 1.3.0 to cargo vet imports lock Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * optimize ControlPlane::shuffle Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * clarify shuffle being a noop without chaos mode Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * reorder only direct successors of a block Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> * rename get_permutation -> shuffled Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me> --------- Co-authored-by: Falk Zwimpfer <24669719+FalkZ@users.noreply.github.com> Co-authored-by: Moritz Waser <mzrw.dev@pm.me>
2 years ago
[[publisher.derive_arbitrary]]
version = "1.3.0"
when = "2023-03-13"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"
[[publisher.regalloc2]]
version = "0.9.0"
when = "2023-05-17"
user-id = 187138
user-login = "elliottt"
user-name = "Trevor Elliott"
[[publisher.unicode-segmentation]]
version = "1.10.1"
when = "2023-01-31"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.unicode-width]]
version = "0.1.9"
when = "2021-09-16"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.unicode-xid]]
version = "0.2.3"
when = "2022-05-02"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.wasm-encoder]]
version = "0.26.0"
when = "2023-04-27"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-encoder]]
version = "0.27.0"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-encoder]]
version = "0.29.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-metadata]]
version = "0.5.0"
when = "2023-04-27"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -> 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -> 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen's dependencies * auto-import wildcard vets
2 years ago
[[publisher.wasm-metadata]]
version = "0.6.0"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-metadata]]
version = "0.8.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-mutate]]
version = "0.2.25"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-mutate]]
version = "0.2.27"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-smith]]
version = "0.12.8"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasm-smith]]
version = "0.12.10"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasmparser]]
version = "0.104.0"
when = "2023-04-27"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasmparser]]
version = "0.105.0"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasmparser]]
version = "0.107.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasmprinter]]
version = "0.2.57"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wasmprinter]]
version = "0.2.59"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wast]]
version = "58.0.0"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wast]]
version = "60.0.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wat]]
version = "1.0.64"
when = "2023-05-15"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wat]]
version = "1.0.66"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-bindgen]]
version = "0.7.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-bindgen-core]]
version = "0.7.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-bindgen-rust]]
version = "0.7.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-bindgen-rust-lib]]
version = "0.7.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-bindgen-rust-macro]]
version = "0.7.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-component]]
version = "0.8.2"
when = "2023-04-27"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-component]]
version = "0.9.0"
when = "2023-05-16"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -> 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -> 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen's dependencies * auto-import wildcard vets
2 years ago
[[publisher.wit-component]]
version = "0.11.0"
when = "2023-05-26"
Refactor test-programs to build modules and components (#6385) * wasi-tests and wasi-http-tests no longer have their own workspace * wasi-tests: fix warnings * rewrite the test-programs build.rs to generate {package}_modules.rs and _components.rs The style is cribbed from preview2-prototying repo, but I ended up refactoring it a bit. * better escaping should help with windows? * long form cap-std-sync and tokio test suites * convert wasi-http test * fixes, comments * apply cargo fmt to whole workspace * bump test-programs and wasi-http-tests to all use common dependency versions wit-bindgen 0.6.0 and wit-component 0.7.4 * add new audits * cargo vet prune * package and supply chain updates to fix vulnerabilities h2 upgraded from 0.3.16 -> 0.3.19 to fix vulnerability tempfile upgraded from 0.3.3 -> 0.3.5 to eliminate dep on vulnerable remove_dir_all * deny: temporarily allow duplicate wasm-encoder, wasmparser, wit-parser prtest:full * convert more dependencies to { workspace = true } Alex asked me to do thsi for wit-component and wit-bindgen, and I found a few more (cfg-if, tempfile, filecheck, anyhow... I also reorganized the workspace dependencies section to make the ones our team maintains more clearly separated from our external dependencies. * test-programs build: ensure that the user writes a #[test] for each module, component * fix build of wasi-tests on windows * misspelled macos * mark wasi-tests crate test=false so we dont try building it natively... * mark wasi-http-tests test=false as well * try getting the cargo keys right * just exclude wasi-tests and wasi-http-tests in run-tests.sh * interesting paths fails on windows * misspelling so nice i did it twice * new cargo deny exception: ignore all of wit-bindgen's dependencies * auto-import wildcard vets
2 years ago
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-parser]]
version = "0.7.1"
when = "2023-04-27"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[publisher.wit-parser]]
version = "0.8.0"
when = "2023-05-26"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"
[[audits.embark-studios.audits.anyhow]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "1.0.58"
[[audits.embark-studios.audits.cty]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "0.2.2"
notes = "Inspected it and is a tiny crate with just type definitions"
[[audits.embark-studios.audits.epaint]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
violation = "<0.20.0"
notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321"
[[audits.embark-studios.audits.webpki-roots]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "0.22.4"
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"
[[audits.google.audits.fastrand]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says
that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.libfuzzer-sys]]
who = "ChromeOS"
criteria = "safe-to-run"
version = "0.4.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.miniz_oxide]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.6.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.proc-macro-error-attr]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.0.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.static_assertions]]
who = "ChromeOS"
criteria = "safe-to-run"
version = "1.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.version_check]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.9.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT"
[[audits.isrg.audits.block-buffer]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.9.0"
[[audits.isrg.audits.opaque-debug]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.3.0"
[[audits.isrg.audits.universal-hash]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.4.1"
[[audits.isrg.audits.untrusted]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.7.1"
[[audits.isrg.audits.wasm-bindgen-shared]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.2.83"
[[audits.mozilla.wildcard-audits.unicode-segmentation]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139
start = "2019-05-15"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.unicode-width]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139
start = "2019-12-05"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.wildcard-audits.unicode-xid]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139
start = "2019-07-25"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.61"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.anyhow]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.57"
notes = "No functional differences, just CI config and docs."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.62"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.62 -> 1.0.68"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.68 -> 1.0.69"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.autocfg]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-set]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Alex Franchuk <afranchuk@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.3.2 -> 2.0.2"
notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.debugid]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.either]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.6.1"
notes = """
Straightforward crate providing the Either enum and trait implementations with
no unsafe code.
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.encoding_rs]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.8.31"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.env_logger]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.9.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.env_logger]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.10.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.flagset]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "Uses no ambient capabilities, vetted the one instance of unsafe."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fnv]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fxhash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.getrandom]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.7"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.getrandom]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.7 -> 0.2.8"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.getrandom]]
who = "Yannis Juglaret <yjuglaret@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.2.8 -> 0.2.9"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.half]]
who = "John M. Schanck <jschanck@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.8.2"
notes = """
This crate contains unsafe code for bitwise casts to/from binary16 floating-point
format. I've reviewed these and found no issues. There are no uses of ambient
capabilities.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.hashbrown]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.hermit-abi]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.2.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "I have read over the macros, and audited the unsafe code."
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.memoffset]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.6.5 -> 0.7.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.num-integer]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.num-iter]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.43"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.num-traits]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.num_cpus]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.13.1 -> 1.14.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.num_cpus]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.14.0 -> 1.15.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.once_cell]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.12.0 -> 1.13.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.once_cell]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.13.1 -> 1.16.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.proc-macro2]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.39"
notes = """
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
`proc_macro` crate, or as a fallback implementation of the crate, depending on
where it is used.
If using this crate on older versions of rustc (1.56 and earlier), it will
temporarily replace the panic handler while initializing in order to detect if
it is running within a `proc_macro`, which could lead to surprising behaviour.
This should not be an issue for more recent compiler versions, which support
`proc_macro::is_available()`.
The `proc-macro2` crate's fallback behaviour is not identical to the complex
behaviour of the rustc compiler (e.g. it does not perform unicode normalization
for identifiers), however it behaves well enough for its intended use-case
(tests and scripts processing rust code).
`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
allow bypassing checks in the fallback implementation when constructing
`Literal` using `from_str_unchecked`. This was intended to only be used by the
`quote!` macro, however it has been removed
(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
and is likely completely unused. Even when used, this API shouldn't be able to
cause unsoundness.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.39 -> 1.0.43"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.49"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.49 -> 1.0.51"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.quote]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.18"
notes = """
`quote` is a utility crate used by proc-macros to generate TokenStreams
conveniently from source code. The bulk of the logic is some complex
interlocking `macro_rules!` macros which are used to parse and build the
`TokenStream` within the proc-macro.
This crate contains no unsafe code, and the internal logic, while difficult to
read, is generally straightforward. I have audited the the quote macros, ident
formatter, and runtime logic.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.quote]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.21"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.quote]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.21 -> 1.0.23"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rayon]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.5.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rayon-core]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.9.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rustc-hash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.similar]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """
Algorithm crate implemented entirely in safe rust. Does no platform-specific
logic, only implementing diffing and string manipulation algorithms.
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.slab]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.4.6 -> 0.4.7"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.socket2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.4.4 -> 0.4.7"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.synstructure]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "0.12.6"
notes = """
I am the primary author of the `synstructure` crate, and its current
maintainer. The one use of `unsafe` is unnecessary, but documented and
harmless. It will be removed in the next version.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.1.20"
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.20 -> 0.1.21"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"