diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 39d6b4d059..40f21f7503 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -87,10 +87,6 @@ criteria = "safe-to-deploy"
 version = "1.1.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.allocator-api2]]
-version = "0.2.16"
-criteria = "safe-to-deploy"
-
 [[exemptions.amplify]]
 version = "4.6.0"
 criteria = "safe-to-deploy"
@@ -223,10 +219,6 @@ criteria = "safe-to-deploy"
 version = "1.2.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.byteorder]]
-version = "1.5.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.bytes]]
 version = "1.5.0"
 criteria = "safe-to-deploy"
@@ -1171,10 +1163,6 @@ criteria = "safe-to-deploy"
 version = "0.1.0"
 criteria = "safe-to-run"
 
-[[exemptions.strsim]]
-version = "0.11.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.symbolic-common]]
 version = "12.9.2"
 criteria = "safe-to-run"
@@ -1363,10 +1351,6 @@ criteria = "safe-to-deploy"
 version = "0.1.27"
 criteria = "safe-to-deploy"
 
-[[exemptions.tracing-core]]
-version = "0.1.32"
-criteria = "safe-to-deploy"
-
 [[exemptions.tracing-log]]
 version = "0.2.0"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 750e4537a0..fa87b37108 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -918,6 +918,13 @@ instead (see also https://crrev.com/c/5771867).
 """
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
 
+[[audits.google.audits.byteorder]]
+who = "danakj "
+criteria = "safe-to-deploy"
+version = "1.5.0"
+notes = "Unsafe review in https://crrev.com/c/5838022"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.cast]]
 who = "George Burgess IV "
 criteria = "safe-to-run"
@@ -1091,12 +1098,6 @@ criteria = "safe-to-run"
 delta = "0.4.2 -> 0.4.9"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
-[[audits.google.audits.itertools]]
-who = "ChromeOS"
-criteria = "safe-to-run"
-version = "0.10.5"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
 [[audits.google.audits.itoa]]
 who = "Lukasz Anforowicz "
 criteria = "safe-to-deploy"
@@ -1872,6 +1873,12 @@ criteria = "safe-to-deploy"
 delta = "0.8.7 -> 0.8.11"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.allocator-api2]]
+who = "Nicolas Silva "
+criteria = "safe-to-deploy"
+version = "0.2.18"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.android_system_properties]]
 who = "Nicolas Silva "
 criteria = "safe-to-deploy"
@@ -2324,6 +2331,12 @@ criteria = "safe-to-deploy"
 delta = "0.6.27 -> 0.6.28"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.strsim]]
+who = "Ben Dean-Kawamura "
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.1"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.subtle]]
 who = "Simon Friedberger "
 criteria = "safe-to-deploy"
@@ -2433,6 +2446,17 @@ criteria = "safe-to-deploy"
 delta = "0.5.10 -> 0.5.11"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.tracing-core]]
+who = "Alex Franchuk "
+criteria = "safe-to-deploy"
+version = "0.1.30"
+notes = """
+Most unsafe code is in implementing non-std sync primitives. Unsafe impls are
+logically correct and justified in comments, and unsafe code is sound and
+justified in comments.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.zerocopy]]
 who = "Alex Franchuk "
 criteria = "safe-to-deploy"
@@ -2466,12 +2490,6 @@ criteria = "safe-to-deploy"
 delta = "1.1.2 -> 1.1.3"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
-[[audits.zcash.audits.allocator-api2]]
-who = "Daira-Emma Hopwood "
-criteria = "safe-to-deploy"
-delta = "0.2.16 -> 0.2.18"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.anyhow]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -2525,24 +2543,6 @@ delta = "0.3.69 -> 0.3.71"
 notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
-[[audits.zcash.audits.base64]]
-who = "Jack Grigg "
-criteria = "safe-to-deploy"
-delta = "0.21.3 -> 0.21.4"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
-[[audits.zcash.audits.base64]]
-who = "Jack Grigg "
-criteria = "safe-to-deploy"
-delta = "0.21.4 -> 0.21.5"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
-[[audits.zcash.audits.base64]]
-who = "Daira-Emma Hopwood "
-criteria = "safe-to-deploy"
-delta = "0.21.5 -> 0.21.7"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.blake2b_simd]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -3350,6 +3350,23 @@ criteria = "safe-to-deploy"
 delta = "0.6.2 -> 0.6.3"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.zcash.audits.tracing-core]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.1.30 -> 0.1.31"
+notes = """
+The only new `unsafe` block is to intentionally leak a scoped subscriber onto
+the heap when setting it as the global default dispatcher. I checked that the
+global default can only be set once and is never dropped.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.tracing-core]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.1.31 -> 0.1.32"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.zcash.audits.tracing-subscriber]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"