diff --git a/bestool/supply-chain/audits.toml b/bestool/supply-chain/audits.toml index 3788ad0..c85ef05 100644 --- a/bestool/supply-chain/audits.toml +++ b/bestool/supply-chain/audits.toml @@ -1,11 +1,36 @@ # cargo-vet audits file +[[audits.bitflags]] +who = "Ben Brown <ralim@ralimtek.com>" +criteria = "safe-to-deploy" +delta = "2.4.1 -> 2.4.2" + +[[audits.io-kit-sys]] +who = "Ben Brown <ralim@ralimtek.com>" +criteria = "safe-to-deploy" +version = "0.4.0" + [[audits.pkg-config]] who = "Ben V. Brown <Ralim@Ralimtek.com>" criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.27" +[[audits.pkg-config]] +who = "Ben Brown <ralim@ralimtek.com>" +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.29" + +[[audits.serialport]] +who = "Ben Brown <ralim@ralimtek.com>" +criteria = "safe-to-deploy" +delta = "4.2.2 -> 4.3.0" + +[[audits.unescaper]] +who = "Ben Brown <ralim@ralimtek.com>" +criteria = "safe-to-deploy" +version = "0.1.4" + [[trusted.aho-corasick]] criteria = "safe-to-deploy" user-id = 189 # Andrew Gallant (BurntSushi) @@ -78,6 +103,18 @@ user-id = 2915 # Amanieu d'Antras (Amanieu) start = "2021-01-27" end = "2024-11-26" +[[trusted.libc]] +criteria = "safe-to-deploy" +user-id = 51017 # Yuki Okushi (JohnTitor) +start = "2020-03-17" +end = "2025-01-27" + +[[trusted.mach2]] +criteria = "safe-to-deploy" +user-id = 51017 # Yuki Okushi (JohnTitor) +start = "2021-11-15" +end = "2025-01-27" + [[trusted.memchr]] criteria = "safe-to-deploy" user-id = 189 # Andrew Gallant (BurntSushi) diff --git a/bestool/supply-chain/config.toml b/bestool/supply-chain/config.toml index 1709067..ee79313 100644 --- a/bestool/supply-chain/config.toml +++ b/bestool/supply-chain/config.toml @@ -2,7 +2,7 @@ # cargo-vet config file [cargo-vet] -version = "0.8" +version = "0.9" [imports.bytecode-alliance] url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" 
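Review bot: The two full-version audits in the first audits.toml hunk, `[[audits.io-kit-sys]]` at 0.4.0 and `[[audits.unescaper]]` at 0.1.4, certify the whole crate as safe-to-deploy but carry no `notes`, so a later reader cannot tell what was actually inspected. This matters most for io-kit-sys, which judging by its name is an FFI bindings crate, where the unsafe declarations and any build script are the parts worth recording. I would add a line such as `notes = "<what was reviewed: unsafe/FFI declarations, build script, file or network access>"` to each, and to the serialport `4.2.2 -> 4.3.0` delta, which appears to chain from a version that config.toml still lists as an exemption. The new entries also write `who` as `Ben Brown <ralim@ralimtek.com>` while the existing pkg-config audit uses `Ben V. Brown <Ralim@Ralimtek.com>`; using one form throughout keeps the audit trail attributable to a single identity.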
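Review bot: The `[[trusted.libc]]` and `[[trusted.mach2]]` entries in the second audits.toml hunk accept every release that user-id 51017 published from 2020-03-17 and 2021-11-15 up to the `end` date, which is much wider than the versions this change pulls in. imports.lock in the same commit records only libc 0.2.152 (2024-01-07) and mach2 0.4.2 (2023-12-19) under that publisher, and it drops the per-version libc delta audits and the mach2 0.4.1 audit, so the trust entries look like the only remaining basis for these two crates. If those are the only versions in the tree, narrowing the windows to `start = "2024-01-07"` for libc and `start = "2023-12-19"` for mach2 limits what an older release could inherit; re-run `cargo vet` afterwards to confirm the check still passes. The context lines above the added tables belong to a table whose header is outside the hunk.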
@@ -22,14 +22,6 @@ url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" [imports.zcash] url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml" -[[exemptions.CoreFoundation-sys]] -version = "0.1.4" -criteria = "safe-to-deploy" - -[[exemptions.IOKit-sys]] -version = "0.1.5" -criteria = "safe-to-deploy" - [[exemptions.bitflags]] version = "1.3.2" criteria = "safe-to-deploy" @@ -50,10 +42,6 @@ criteria = "safe-to-deploy" version = "0.1.4" criteria = "safe-to-deploy" -[[exemptions.mach]] -version = "0.1.2" -criteria = "safe-to-deploy" - [[exemptions.nix]] version = "0.26.4" criteria = "safe-to-deploy" @@ -66,10 +54,6 @@ criteria = "safe-to-deploy" version = "4.2.2" criteria = "safe-to-deploy" -[[exemptions.sharded-slab]] -version = "0.1.7" -criteria = "safe-to-deploy" - [[exemptions.strsim]] version = "0.10.0" criteria = "safe-to-deploy" @@ -90,10 +74,6 @@ criteria = "safe-to-deploy" version = "0.2.0" criteria = "safe-to-deploy" -[[exemptions.tracing-subscriber]] -version = "0.3.18" -criteria = "safe-to-deploy" - [[exemptions.winapi]] version = "0.3.9" criteria = "safe-to-deploy" diff --git a/bestool/supply-chain/imports.lock b/bestool/supply-chain/imports.lock index 4c329ff..0e0858e 100644 --- a/bestool/supply-chain/imports.lock +++ b/bestool/supply-chain/imports.lock @@ -9,8 +9,8 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.anstream]] -version = "0.6.4" -when = "2023-09-29" +version = "0.6.11" +when = "2024-01-18" user-id = 6743 user-login = "epage" user-name = "Ed Page" 
@@ -23,36 +23,36 @@ user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-parse]] -version = "0.2.2" -when = "2023-09-28" +version = "0.2.3" +when = "2023-12-04" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-query]] -version = "1.0.0" -when = "2023-04-13" +version = "1.0.2" +when = "2023-12-08" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.anstyle-wincon]] -version = "3.0.1" -when = "2023-09-29" +version = "3.0.2" +when = "2023-12-04" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap]] -version = "4.4.8" -when = "2023-11-10" +version = "4.4.18" +when = "2024-01-16" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_builder]] -version = "4.4.8" -when = "2023-11-10" +version = "4.4.18" +when = "2024-01-16" user-id = 6743 user-login = "epage" user-name = "Ed Page" 
@@ -78,44 +78,58 @@ user-id = 6743 user-login = "epage" user-name = "Ed Page" +[[publisher.core-foundation-sys]] +version = "0.8.4" +when = "2023-04-03" +user-id = 5946 +user-login = "jrmuizel" +user-name = "Jeff Muizelaar" + [[publisher.libc]] -version = "0.2.146" -when = "2023-06-06" -user-id = 2915 -user-login = "Amanieu" -user-name = "Amanieu d'Antras" +version = "0.2.152" +when = "2024-01-07" +user-id = 51017 +user-login = "JohnTitor" +user-name = "Yuki Okushi" + +[[publisher.mach2]] +version = "0.4.2" +when = "2023-12-19" +user-id = 51017 +user-login = "JohnTitor" +user-name = "Yuki Okushi" [[publisher.memchr]] -version = "2.6.4" -when = "2023-10-01" +version = "2.7.1" +when = "2023-12-28" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.proc-macro2]] -version = "1.0.69" -when = "2023-10-09" +version = "1.0.78" +when = "2024-01-21" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.quote]] -version = "1.0.33" -when = "2023-08-17" +version = "1.0.35" +when = "2024-01-02" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.regex]] -version = "1.10.2" -when = "2023-10-16" +version = "1.10.3" +when = "2024-01-21" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.regex-automata]] -version = "0.4.3" -when = "2023-10-16" +version = "0.4.5" +when = "2024-01-25" user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" 
@@ -135,29 +149,29 @@ user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.smallvec]] -version = "1.11.2" -when = "2023-11-09" +version = "1.13.1" +when = "2024-01-19" user-id = 2017 user-login = "mbrubeck" user-name = "Matt Brubeck" [[publisher.syn]] -version = "2.0.39" -when = "2023-11-06" +version = "2.0.48" +when = "2024-01-04" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.thiserror]] -version = "1.0.50" -when = "2023-10-19" +version = "1.0.56" +when = "2024-01-02" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.thiserror-impl]] -version = "1.0.50" -when = "2023-10-19" +version = "1.0.56" +when = "2024-01-02" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" 
@@ -184,92 +198,108 @@ user-login = "carllerche" user-name = "Carl Lerche" [[publisher.windows-sys]] -version = "0.48.0" -when = "2023-03-31" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows-targets]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_aarch64_gnullvm]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_aarch64_msvc]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_i686_gnu]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_i686_msvc]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_x86_64_gnu]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_x86_64_gnullvm]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.windows_x86_64_msvc]] -version = "0.48.5" -when = "2023-08-18" +version = "0.52.0" +when = "2023-11-15" user-id = 64539 user-login = "kennykerr" user-name = "Kenny Kerr" +[[audits.bytecode-alliance.audits.bitflags]] +who = "Jamey Sharp <jsharp@fastly.com>" +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.2.1" +notes = """ +This version adds unsafe impls of traits from the bytemuck crate when built +with that library enabled, but I believe the impls satisfy the 
documented +safety requirements for bytemuck. The other changes are minor. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton <alex@alexcrichton.com>" +criteria = "safe-to-deploy" +delta = "2.3.2 -> 2.3.3" +notes = """ +Nothing outside the realm of what one would expect from a bitflags generator, +all as expected. +""" + [[audits.bytecode-alliance.audits.cfg-if]] who = "Alex Crichton <alex@alexcrichton.com>" criteria = "safe-to-deploy" version = "1.0.0" notes = "I am the author of this crate." +[[audits.bytecode-alliance.audits.core-foundation-sys]] +who = "Dan Gohman <dev@sunfishcode.online>" +criteria = "safe-to-deploy" +delta = "0.8.4 -> 0.8.6" +notes = """ +The changes here are all typical bindings updates: new functions, types, and +constants. I have not audited all the bindings for ABI conformance. +""" + [[audits.bytecode-alliance.audits.heck]] who = "Alex Crichton <alex@alexcrichton.com>" criteria = "safe-to-deploy" version = "0.4.0" notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation." -[[audits.bytecode-alliance.audits.libc]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -delta = "0.2.146 -> 0.2.147" -notes = "Only new type definitions and updating others for some platforms, no major changes" - -[[audits.bytecode-alliance.audits.libc]] -who = "Alex Crichton <alex@alexcrichton.com>" -criteria = "safe-to-deploy" -delta = "0.2.148 -> 0.2.149" -notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." - [[audits.bytecode-alliance.audits.nu-ansi-term]] who = "Pat Hickey <phickey@fastly.com>" criteria = "safe-to-deploy" 
@@ -288,6 +318,17 @@ criteria = "safe-to-deploy" version = "0.3.25" notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." +[[audits.bytecode-alliance.audits.sharded-slab]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.1.4" +notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe." + +[[audits.bytecode-alliance.audits.tracing-subscriber]] +who = "Pat Hickey <phickey@fastly.com>" +criteria = "safe-to-deploy" +version = "0.3.17" + [audits.fermyon.audits] [[audits.google.audits.pin-project-lite]] @@ -304,10 +345,20 @@ version = "0.2.1" notes = "Reviewed on https://fxrev.dev/904811" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" -[[audits.isrg.audits.libc]] +[[audits.isrg.audits.once_cell]] who = "Brandon Pitman <bran@bran.land>" criteria = "safe-to-deploy" -delta = "0.2.149 -> 0.2.150" +delta = "1.18.0 -> 1.19.0" + +[[audits.mozilla.wildcard-audits.core-foundation-sys]] +who = "Bobby Holley <bobbyholley@gmail.com>" +criteria = "safe-to-deploy" +user-id = 5946 # Jeff Muizelaar (jrmuizel) +start = "2020-10-14" +end = "2023-05-04" +renew = false +notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.bitflags]] who = "Alex Franchuk <afranchuk@mozilla.com>" 
@@ -316,6 +367,31 @@ delta = "1.3.2 -> 2.0.2" notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.bitflags]] +who = "Nicolas Silva <nical@fastmail.com>" +criteria = "safe-to-deploy" +delta = "2.0.2 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>" +criteria = "safe-to-deploy" +delta = "2.2.1 -> 2.3.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Mike Hommey <mh+mozilla@glandium.org>" +criteria = "safe-to-deploy" +delta = "2.3.3 -> 2.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Jan-Erik Rediger <jrediger@mozilla.com>" +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" +notes = "Only allowing new clippy lints" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.heck]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -329,12 +405,6 @@ version = "1.4.0" notes = "I have read over the macros, and audited the unsafe code." aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" -[[audits.mozilla.audits.libc]] -who = "Mike Hommey <mh+mozilla@glandium.org>" -criteria = "safe-to-deploy" -delta = "0.2.147 -> 0.2.148" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.log]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" 
@@ -348,12 +418,6 @@ delta = "0.4.17 -> 0.4.18" notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" -[[audits.mozilla.audits.mach2]] -who = "Gabriele Svelto <gsvelto@mozilla.com>" -criteria = "safe-to-deploy" -version = "0.4.1" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.pkg-config]] who = "Mike Hommey <mh+mozilla@glandium.org>" criteria = "safe-to-deploy" @@ -377,3 +441,16 @@ who = "Jack Grigg <jack@electriccoin.co>" criteria = "safe-to-deploy" delta = "0.2.9 -> 0.2.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.sharded-slab]] +who = "Jack Grigg <jack@electriccoin.co>" +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.7" +notes = "Only change to an `unsafe` block is to fix a clippy lint." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.tracing-subscriber]] +who = "Jack Grigg <jack@electriccoin.co>" +criteria = "safe-to-deploy" +delta = "0.3.17 -> 0.3.18" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"