cranelift/supply-chain/config.toml

# cargo-vet config file

[cargo-vet]
version = "0.8"

[imports.embark-studios]
url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"

[imports.fermyon]
url = "https://raw.githubusercontent.com/fermyon/spin/main/supply-chain/audits.toml"

[imports.google]
url = [
    "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT",
    "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT",
]

[imports.isrg]
url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"

[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[policy.cranelift]
audit-as-crates-io = true

[policy.cranelift-bforest]
audit-as-crates-io = true

[policy.cranelift-codegen]
audit-as-crates-io = true

[policy.cranelift-codegen-meta]
audit-as-crates-io = true

[policy.cranelift-codegen-shared]
audit-as-crates-io = true

[policy.cranelift-control]
audit-as-crates-io = true

[policy.cranelift-entity]
audit-as-crates-io = true

[policy.cranelift-frontend]
audit-as-crates-io = true

[policy.cranelift-interpreter]
audit-as-crates-io = true

[policy.cranelift-isle]
audit-as-crates-io = true

[policy.cranelift-jit]
audit-as-crates-io = true

[policy.cranelift-module]
audit-as-crates-io = true

[policy.cranelift-native]
audit-as-crates-io = true

[policy.cranelift-object]
audit-as-crates-io = true

[policy.cranelift-reader]
audit-as-crates-io = true

[policy.cranelift-serde]
audit-as-crates-io = true

[policy.cranelift-wasm]
audit-as-crates-io = true

[policy.isle-fuzz]
criteria = "safe-to-run"

[policy.wasi-cap-std-sync]
audit-as-crates-io = true

[policy.wasi-common]
audit-as-crates-io = true

[policy.wasi-tokio]
audit-as-crates-io = true

[policy.wasmtime]
audit-as-crates-io = true

[policy.wasmtime-asm-macros]
audit-as-crates-io = true

[policy.wasmtime-cache]
audit-as-crates-io = true

[policy.wasmtime-cli]
audit-as-crates-io = true

[policy.wasmtime-cli-flags]
audit-as-crates-io = true

[policy.wasmtime-component-macro]
audit-as-crates-io = true

[policy.wasmtime-component-util]
audit-as-crates-io = true

[policy.wasmtime-cranelift]
audit-as-crates-io = true

[policy.wasmtime-cranelift-shared]
audit-as-crates-io = true

[policy.wasmtime-environ]
audit-as-crates-io = true

[policy.wasmtime-environ-fuzz]
criteria = "safe-to-run"

[policy.wasmtime-explorer]
audit-as-crates-io = true

[policy.wasmtime-fiber]
audit-as-crates-io = true

[policy.wasmtime-fuzz]
criteria = "safe-to-run"

[policy.wasmtime-fuzzing]
criteria = "safe-to-run"

[policy.wasmtime-jit]
audit-as-crates-io = true

[policy.wasmtime-jit-debug]
audit-as-crates-io = true

[policy.wasmtime-jit-icache-coherence]
audit-as-crates-io = true

[policy.wasmtime-runtime]
audit-as-crates-io = true

[policy.wasmtime-types]
audit-as-crates-io = true

[policy.wasmtime-versioned-export-macros]
audit-as-crates-io = false

[policy.wasmtime-wasi]
audit-as-crates-io = true

[policy.wasmtime-wasi-http]
audit-as-crates-io = true

[policy.wasmtime-wasi-nn]
audit-as-crates-io = true

[policy.wasmtime-wasi-threads]
audit-as-crates-io = true

[policy.wasmtime-wast]
audit-as-crates-io = true

[policy.wasmtime-winch]
audit-as-crates-io = true

[policy.wasmtime-wit-bindgen]
audit-as-crates-io = true

[policy.wiggle]
audit-as-crates-io = true

[policy.wiggle-generate]
audit-as-crates-io = true

[policy.wiggle-macro]
audit-as-crates-io = true

[policy.wiggle-test]
audit-as-crates-io = true

[policy.winch-codegen]
audit-as-crates-io = true

[policy.witx]
audit-as-crates-io = false

[[exemptions.addr2line]]
version = "0.17.0"
criteria = "safe-to-deploy"

[[exemptions.ahash]]
version = "0.7.6"
criteria = "safe-to-deploy"

[[exemptions.bincode]]
version = "1.3.3"
criteria = "safe-to-deploy"

[[exemptions.bitflags]]
version = "1.3.2"
criteria = "safe-to-deploy"

[[exemptions.bytes]]
version = "1.1.0"
criteria = "safe-to-deploy"

[[exemptions.capstone]]
version = "0.9.0"
criteria = "safe-to-deploy"

[[exemptions.capstone-sys]]
version = "0.13.0"
criteria = "safe-to-deploy"

[[exemptions.cast]]
version = "0.2.7"
criteria = "safe-to-run"

[[exemptions.console]]
version = "0.15.0"
criteria = "safe-to-deploy"

[[exemptions.cpp_demangle]]
version = "0.3.5"
criteria = "safe-to-deploy"

[[exemptions.cpufeatures]]
version = "0.2.2"
criteria = "safe-to-deploy"

[[exemptions.crc32fast]]
version = "1.3.2"
criteria = "safe-to-deploy"

[[exemptions.criterion]]
version = "0.3.5"
criteria = "safe-to-run"

[[exemptions.criterion-plot]]
version = "0.4.4"
criteria = "safe-to-run"

[[exemptions.crossbeam-channel]]
version = "0.5.4"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-deque]]
version = "0.8.1"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-epoch]]
version = "0.9.9"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-utils]]
version = "0.8.10"
criteria = "safe-to-deploy"

[[exemptions.digest]]
version = "0.9.0"
criteria = "safe-to-deploy"

[[exemptions.directories-next]]
version = "2.0.0"
criteria = "safe-to-deploy"

[[exemptions.dirs-next]]
version = "2.0.0"
criteria = "safe-to-deploy"

[[exemptions.dirs-sys-next]]
version = "0.1.2"
criteria = "safe-to-deploy"

[[exemptions.downcast-rs]]
version = "1.2.0"
criteria = "safe-to-run"

[[exemptions.egg]]
version = "0.6.0"
criteria = "safe-to-run"

[[exemptions.encode_unicode]]
version = "0.3.6"
criteria = "safe-to-deploy"

[[exemptions.env_logger]]
version = "0.7.1"
criteria = "safe-to-deploy"

[[exemptions.env_logger]]
version = "0.9.0"
criteria = "safe-to-deploy"

[[exemptions.fallible-iterator]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.filetime]]
version = "0.2.16"
criteria = "safe-to-run"

[[exemptions.fslock]]
version = "0.1.8"
criteria = "safe-to-run"

[[exemptions.futures-task]]
version = "0.3.27"
criteria = "safe-to-deploy"
notes = "deferring this vetting until Alex gets back from vacation"

[[exemptions.futures-util]]
version = "0.3.27"
criteria = "safe-to-deploy"
notes = "this is 25k lines and contains over 149 uses of the substring unsafe. it is a huge grab bag of complexity with no practical way to audit it"

[[exemptions.generic-array]]
version = "0.14.5"
criteria = "safe-to-deploy"

[[exemptions.getrandom]]
version = "0.2.6"
criteria = "safe-to-deploy"

[[exemptions.gimli]]
version = "0.26.1"
criteria = "safe-to-deploy"

[[exemptions.h2]]
version = "0.3.19"
criteria = "safe-to-deploy"
notes = "we are exempting tokio, hyper, and their tightly coupled dependencies by the same authors, expecting that the authors at aws will publish attestions we can import at some point soon"

[[exemptions.hermit-abi]]
version = "0.1.19"
criteria = "safe-to-deploy"

[[exemptions.hermit-abi]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.http]]
version = "0.2.9"
criteria = "safe-to-deploy"
notes = "we are exempting tokio, hyper, and their tightly coupled dependencies by the same authors, expecting that the authors at aws will publish attestions we can import at some point soon"

[[exemptions.httparse]]
version = "1.8.0"
criteria = "safe-to-deploy"
notes = "we are exempting tokio, hyper, and their tightly coupled dependencies by the same authors, expecting that the authors at aws will publish attestions we can import at some point soon"

[[exemptions.humantime]]
version = "1.3.0"
criteria = "safe-to-deploy"

[[exemptions.humantime]]
version = "2.1.0"
criteria = "safe-to-deploy"

[[exemptions.hyper]]
version = "1.0.0-rc.3"
criteria = "safe-to-deploy"
notes = "we are exempting tokio, hyper, and their tightly coupled dependencies by the same authors, expecting that the authors at aws will publish attestions we can import at some point soon"

[[exemptions.indicatif]]
version = "0.13.0"
criteria = "safe-to-deploy"

[[exemptions.instant]]
version = "0.1.12"
criteria = "safe-to-deploy"

[[exemptions.ipnet]]
version = "2.5.0"
criteria = "safe-to-deploy"

[[exemptions.itertools]]
version = "0.10.3"
criteria = "safe-to-deploy"

[[exemptions.jobserver]]
version = "0.1.24"
criteria = "safe-to-deploy"

[[exemptions.js-sys]]
version = "0.3.57"
criteria = "safe-to-deploy"
notes = "dependency of ring for wasm32 browser platform, which our project does not target"

[[exemptions.libloading]]
version = "0.7.3"
criteria = "safe-to-deploy"

[[exemptions.listenfd]]
version = "1.0.0"
criteria = "safe-to-deploy"

[[exemptions.mach]]
version = "0.3.2"
criteria = "safe-to-deploy"

[[exemptions.maybe-owned]]
version = "0.3.4"
criteria = "safe-to-deploy"

[[exemptions.memmap2]]
version = "0.2.3"
criteria = "safe-to-deploy"

[[exemptions.memoffset]]
version = "0.6.5"
criteria = "safe-to-deploy"

[[exemptions.mio]]
version = "0.8.6"
criteria = "safe-to-deploy"
notes = "we are exempting tokio, hyper, and their tightly coupled dependencies by the same authors, expecting that the authors at aws will publish attestions we can import at some point soon"

[[exemptions.num_cpus]]
version = "1.13.1"
criteria = "safe-to-deploy"

[[exemptions.number_prefix]]
version = "0.3.0"
criteria = "safe-to-deploy"

[[exemptions.object]]
version = "0.29.0"
criteria = "safe-to-deploy"

[[exemptions.ocaml-boxroot-sys]]
version = "0.2.0"
criteria = "safe-to-run"

[[exemptions.ocaml-interop]]
version = "0.8.8"
criteria = "safe-to-run"

[[exemptions.ocaml-sys]]
version = "0.22.3"
criteria = "safe-to-run"

[[exemptions.once_cell]]
version = "1.12.0"
criteria = "safe-to-deploy"

[[exemptions.openvino-finder]]
version = "0.4.1"
criteria = "safe-to-deploy"

[[exemptions.openvino-sys]]
version = "0.4.1"
criteria = "safe-to-deploy"

[[exemptions.plotters]]
version = "0.3.1"
criteria = "safe-to-run"

[[exemptions.plotters-backend]]
version = "0.3.2"
criteria = "safe-to-run"

[[exemptions.plotters-svg]]
version = "0.3.1"
criteria = "safe-to-run"

[[exemptions.ppv-lite86]]
version = "0.2.16"
criteria = "safe-to-deploy"

[[exemptions.pretty_env_logger]]
version = "0.4.0"
criteria = "safe-to-deploy"

[[exemptions.proptest]]
version = "1.0.0"
criteria = "safe-to-deploy"

[[exemptions.psm]]
version = "0.1.18"
criteria = "safe-to-deploy"

[[exemptions.quick-error]]
version = "1.2.3"
criteria = "safe-to-deploy"

[[exemptions.quick-error]]
version = "2.0.1"
criteria = "safe-to-deploy"

[[exemptions.rand]]
version = "0.8.5"
criteria = "safe-to-deploy"

[[exemptions.rand_chacha]]
version = "0.3.1"
criteria = "safe-to-deploy"

[[exemptions.rand_xorshift]]
version = "0.3.0"
criteria = "safe-to-deploy"

[[exemptions.redox_syscall]]
version = "0.2.13"
criteria = "safe-to-deploy"

[[exemptions.redox_syscall]]
version = "0.3.5"
criteria = "safe-to-deploy"

[[exemptions.redox_users]]
version = "0.4.3"
criteria = "safe-to-deploy"

[[exemptions.region]]
version = "2.2.0"
criteria = "safe-to-deploy"

[[exemptions.ring]]
version = "0.16.20"
criteria = "safe-to-deploy"
notes = "contains assembly language and object file implementations of crypto primitives for a very large number of platforms"

[[exemptions.rusty-fork]]
version = "0.3.0"
criteria = "safe-to-deploy"

[[exemptions.sharded-slab]]
version = "0.1.4"
criteria = "safe-to-run"

[[exemptions.shellexpand]]
version = "2.1.0"
criteria = "safe-to-deploy"

[[exemptions.shuffling-allocator]]
version = "1.1.2"
criteria = "safe-to-deploy"

[[exemptions.slice-group-by]]
version = "0.3.0"
criteria = "safe-to-deploy"

[[exemptions.smallvec]]
version = "1.8.0"
criteria = "safe-to-deploy"

[[exemptions.socket2]]
version = "0.4.4"
criteria = "safe-to-deploy"

[[exemptions.souper-ir]]
version = "2.1.0"
criteria = "safe-to-deploy"

[[exemptions.spin]]
version = "0.5.2"
criteria = "safe-to-deploy"

[[exemptions.stable_deref_trait]]
version = "1.2.0"
criteria = "safe-to-deploy"

[[exemptions.strsim]]
version = "0.10.0"
criteria = "safe-to-deploy"

[[exemptions.symbolic_expressions]]
version = "5.0.3"
criteria = "safe-to-run"

[[exemptions.tempfile]]
version = "3.3.0"
criteria = "safe-to-deploy"

[[exemptions.terminal_size]]
version = "0.1.17"
criteria = "safe-to-deploy"

[[exemptions.thread_local]]
version = "1.1.4"
criteria = "safe-to-run"

[[exemptions.tinytemplate]]
version = "1.2.1"
criteria = "safe-to-run"

[[exemptions.tokio]]
version = "1.29.1"
criteria = "safe-to-deploy"
notes = "we are exempting tokio, hyper, and their tightly coupled dependencies by the same authors, expecting that the authors at aws will publish attestions we can import at some point soon"

[[exemptions.tokio-macros]]
version = "1.7.0"
criteria = "safe-to-deploy"

[[exemptions.tracing]]
version = "0.1.34"
criteria = "safe-to-deploy"

[[exemptions.tracing-attributes]]
version = "0.1.21"
criteria = "safe-to-deploy"

[[exemptions.tracing-core]]
version = "0.1.28"
criteria = "safe-to-deploy"

[[exemptions.tracing-subscriber]]
version = "0.3.11"
criteria = "safe-to-run"

[[exemptions.typenum]]
version = "1.15.0"
criteria = "safe-to-deploy"

[[exemptions.uuid]]
version = "1.0.0"
criteria = "safe-to-deploy"

[[exemptions.v8]]
version = "0.74.1"
criteria = "safe-to-run"

[[exemptions.wait-timeout]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.wasi]]
version = "0.11.0+wasi-snapshot-preview1"
criteria = "safe-to-deploy"

[[exemptions.web-sys]]
version = "0.3.57"
criteria = "safe-to-deploy"
notes = "dependency of ring for wasm32 browser platform, which our project does not target"

[[exemptions.which]]
version = "4.2.5"
criteria = "safe-to-run"

[[exemptions.winapi]]
version = "0.3.9"
criteria = "safe-to-deploy"

[[exemptions.winapi-i686-pc-windows-gnu]]
version = "0.4.0"
criteria = "safe-to-deploy"

[[exemptions.winapi-x86_64-pc-windows-gnu]]
version = "0.4.0"
criteria = "safe-to-deploy"

[[exemptions.zstd]]
version = "0.11.1+zstd.1.5.2"
criteria = "safe-to-deploy"

[[exemptions.zstd-safe]]
version = "5.0.1+zstd.1.5.2"
criteria = "safe-to-deploy"

[[exemptions.zstd-sys]]
version = "2.0.1+zstd.1.5.2"
criteria = "safe-to-deploy"