cranelift/supply-chain/imports.lock


# cargo-vet imports lock

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.61"

[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.62"

[[audits.mozilla.audits.autocfg]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."

[[audits.mozilla.audits.bit-set]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."

[[audits.mozilla.audits.bit-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."

[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"

[[audits.mozilla.audits.encoding_rs]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.8.31"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."

[[audits.mozilla.audits.flagset]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "Uses no ambient capabilities, vetted the one instance of unsafe."

[[audits.mozilla.audits.fnv]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."

[[audits.mozilla.audits.fxhash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."

[[audits.mozilla.audits.half]]
who = "John M. Schanck <jschanck@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.8.2"
notes = """
This crate contains unsafe code for bitwise casts to/from binary16 floating-point
format. I've reviewed these and found no issues. There are no uses of ambient
capabilities.
"""

[[audits.mozilla.audits.hashbrown]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"

[[audits.mozilla.audits.hermit-abi]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.2.6"

[[audits.mozilla.audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"

[[audits.mozilla.audits.memoffset]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.6.5 -> 0.7.1"

[[audits.mozilla.audits.miniz_oxide]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.3 -> 0.6.2"

[[audits.mozilla.audits.num-integer]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."

[[audits.mozilla.audits.num-iter]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.43"
notes = "All code written or reviewed by Josh Stone."

[[audits.mozilla.audits.num-traits]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."

[[audits.mozilla.audits.num_cpus]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.13.1 -> 1.14.0"

[[audits.mozilla.audits.num_cpus]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.14.0 -> 1.15.0"

[[audits.mozilla.audits.once_cell]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.12.0 -> 1.13.1"

[[audits.mozilla.audits.once_cell]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.13.1 -> 1.16.0"

[[audits.mozilla.audits.quote]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.18"
notes = """
`quote` is a utility crate used by proc-macros to generate TokenStreams
conveniently from source code. The bulk of the logic is some complex
interlocking `macro_rules!` macros which are used to parse and build the
`TokenStream` within the proc-macro.

This crate contains no unsafe code, and the internal logic, while difficult to
read, is generally straightforward. I have audited the the quote macros, ident
formatter, and runtime logic.
"""

[[audits.mozilla.audits.synstructure]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "0.12.6"
notes = """
I am the primary author of the `synstructure` crate, and its current
maintainer. The one use of `unsafe` is unnecessary, but documented and
harmless. It will be removed in the next version.
"""

[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.1.20"
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."

[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.20 -> 0.1.21"
Enable cargo-vet (#4444) * Initialize cargo-vet on wasmtime. * Add cargo-vet to CI. * Add README. 2 years ago
			`# cargo-vet imports lock`

Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits. 2 years ago			`[[audits.mozilla.audits.anyhow]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "1.0.57 -> 1.0.61"`

			`[[audits.mozilla.audits.anyhow]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "1.0.61 -> 1.0.62"`

Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what's probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates 2 years ago			`[[audits.mozilla.audits.autocfg]]`
			`who = "Josh Stone <jistone@redhat.com>"`
			`criteria = "safe-to-deploy"`
			`version = "1.1.0"`
			`notes = "All code written or reviewed by Josh Stone."`

Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits. 2 years ago			`[[audits.mozilla.audits.bit-set]]`
			`who = "Aria Beingessner <a.beingessner@gmail.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.5.2"`
			`notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."`

			`[[audits.mozilla.audits.bit-vec]]`
			`who = "Aria Beingessner <a.beingessner@gmail.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.6.3"`
			`notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."`

Upgrade sha2 to 0.10.2 in wasmtime (#4749) 2 years ago			`[[audits.mozilla.audits.crypto-common]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "0.1.3 -> 0.1.6"`

Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits. 2 years ago			`[[audits.mozilla.audits.encoding_rs]]`
			`who = "Henri Sivonen <hsivonen@hsivonen.fi>"`
			`criteria = "safe-to-deploy"`
			`version = "0.8.31"`
			`notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."`

			`[[audits.mozilla.audits.flagset]]`
			`who = "Ryan Hunt <rhunt@eqrion.net>"`
			`criteria = "safe-to-deploy"`
			`version = "0.4.3"`
			`notes = "Uses no ambient capabilities, vetted the one instance of unsafe."`

			`[[audits.mozilla.audits.fnv]]`
			`who = "Bobby Holley <bobbyholley@gmail.com>"`
			`criteria = "safe-to-deploy"`
			`version = "1.0.7"`
			`notes = "Simple hasher implementation with no unsafe code."`

			`[[audits.mozilla.audits.fxhash]]`
			`who = "Bobby Holley <bobbyholley@gmail.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.2.1"`
			`notes = "Straightforward crate with no unsafe code, does what it says on the tin."`

Add a `wasmtime::component::bindgen!` macro (#5317) * Import Wasmtime support from the `wit-bindgen` repo This commit imports the `wit-bindgen-gen-host-wasmtime-rust` crate from the `wit-bindgen` repository into the upstream Wasmtime repository. I've chosen to not import the full history here since the crate is relatively small and doesn't have a ton of complexity. While the history of the crate is quite long the current iteration of the crate's history is relatively short so there's not a ton of import there anyway. The thinking is that this can now continue to evolve in-tree. * Refactor `wasmtime-component-macro` a bit Make room for a `wit_bindgen` macro to slot in. * Add initial support for a `bindgen` macro * Add tests for `wasmtime::component::bindgen!` * Improve error forgetting `async` feature * Add end-to-end tests for bindgen * Add an audit of `unicase` * Add a license to the test-helpers crate * Add vet entry for `pulldown-cmark` * Update publish script with new crate * Try to fix publish script * Update audits * Update lock file 2 years ago			`[[audits.mozilla.audits.half]]`
			`who = "John M. Schanck <jschanck@mozilla.com>"`
			`criteria = "safe-to-deploy"`
			`version = "1.8.2"`
			`notes = """`
			`This crate contains unsafe code for bitwise casts to/from binary16 floating-point`
			`format. I've reviewed these and found no issues. There are no uses of ambient`
			`capabilities.`
			`"""`

Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits. 2 years ago			`[[audits.mozilla.audits.hashbrown]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`version = "0.12.3"`
			`notes = "This version is used in rust's libstd, so effectively we're already trusting it"`

Add vet entries for coredump support (#5878) * Update the `num_cpus` crate Audits for this update provided from our import from Mozilla. * Add vet entries for coredump support 2 years ago			`[[audits.mozilla.audits.hermit-abi]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "0.1.19 -> 0.2.6"`

Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits. 2 years ago			`[[audits.mozilla.audits.log]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`version = "0.4.17"`

Add cargo-vet entries for dependency update (#5778) This adds vet entries for the updates being performed in #5513 2 years ago			`[[audits.mozilla.audits.memoffset]]`
			`who = "Gabriele Svelto <gsvelto@mozilla.com>"`
			`criteria = "safe-to-deploy"`
			`delta = "0.6.5 -> 0.7.1"`

			`[[audits.mozilla.audits.miniz_oxide]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "0.5.3 -> 0.6.2"`

Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what's probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates 2 years ago			`[[audits.mozilla.audits.num-integer]]`
			`who = "Josh Stone <jistone@redhat.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.1.45"`
			`notes = "All code written or reviewed by Josh Stone."`

			`[[audits.mozilla.audits.num-iter]]`
			`who = "Josh Stone <jistone@redhat.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.1.43"`
			`notes = "All code written or reviewed by Josh Stone."`

			`[[audits.mozilla.audits.num-traits]]`
			`who = "Josh Stone <jistone@redhat.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.2.15"`
			`notes = "All code written or reviewed by Josh Stone."`

Add vet entries for coredump support (#5878) * Update the `num_cpus` crate Audits for this update provided from our import from Mozilla. * Add vet entries for coredump support 2 years ago			`[[audits.mozilla.audits.num_cpus]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "1.13.1 -> 1.14.0"`

			`[[audits.mozilla.audits.num_cpus]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "1.14.0 -> 1.15.0"`

Import cargo-vet audits from Mozilla (#4792) * Bump cargo-vet to 0.3. * Add Mozilla as a trusted import for audits. 2 years ago			`[[audits.mozilla.audits.once_cell]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "1.12.0 -> 1.13.1"`

Add cargo-vet updates for audit backlog. (#5708) 2 years ago			`[[audits.mozilla.audits.once_cell]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "1.13.1 -> 1.16.0"`

Update wasm-tools dependencies (#4970) * Update wasm-tools dependencies This update brings in a number of features such as: * The component model binary format and AST has been slightly adjusted in a few locations. Names are dropped from parameters/results now in the internal representation since they were not used anyway. At this time the ability to bind a multi-return function has not been exposed. * The `wasmparser` validator pass will now share allocations with prior functions, providing what's probably a very minor speedup for Wasmtime itself. * The text format for many component-related tests now requires named parameters. * Some new relaxed-simd instructions are updated to be ignored. I hope to have a follow-up to expose the multi-return ability to the embedding API of components. * Update audit information for new crates 2 years ago			`[[audits.mozilla.audits.quote]]`
			`who = "Nika Layzell <nika@thelayzells.com>"`
			`criteria = "safe-to-deploy"`
			`version = "1.0.18"`
			`notes = """`
			`quote` is a utility crate used by proc-macros to generate TokenStreams
			`conveniently from source code. The bulk of the logic is some complex`
			interlocking `macro_rules!` macros which are used to parse and build the
			`TokenStream` within the proc-macro.

			`This crate contains no unsafe code, and the internal logic, while difficult to`
			`read, is generally straightforward. I have audited the the quote macros, ident`
			`formatter, and runtime logic.`
			`"""`

			`[[audits.mozilla.audits.synstructure]]`
			`who = "Nika Layzell <nika@thelayzells.com>"`
			`criteria = "safe-to-deploy"`
			`version = "0.12.6"`
			`notes = """`
			I am the primary author of the `synstructure` crate, and its current
			maintainer. The one use of `unsafe` is unnecessary, but documented and
			`harmless. It will be removed in the next version.`
			`"""`

Update the wasm-tools family of crates (#5310) Most of the changes here are the updates to the component model which includes optional URL fields in imports/exports. 2 years ago			`[[audits.mozilla.audits.unicode-normalization]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "0.1.19 -> 0.1.20"`
			`notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."`

			`[[audits.mozilla.audits.unicode-normalization]]`
			`who = "Mike Hommey <mh+mozilla@glandium.org>"`
			`criteria = "safe-to-deploy"`
			`delta = "0.1.20 -> 0.1.21"`