From 9ccb0453c2517f367501c90be3efdec7b3cc3fb0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 10 Oct 2023 16:44:40 -0400
Subject: [PATCH] build(deps): Bump sha2 from 0.10.7 to 0.10.8 (#775)

* build(deps): Bump sha2 from 0.10.7 to 0.10.8

Bumps [sha2](https://github.com/RustCrypto/hashes) from 0.10.7 to 0.10.8.
- [Commits](https://github.com/RustCrypto/hashes/compare/sha2-v0.10.7...sha2-v0.10.8)

---
updated-dependencies:
- dependency-name: sha2
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]

* cargo add-exception

* cargo vet prune

---------

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ameer Ghani
---
 Cargo.lock | 4 ++--
 Cargo.toml | 2 +-
 supply-chain/config.toml | 5 +++++
 supply-chain/imports.lock | 17 -----------------
 4 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 5c5d478fe..9b8832704 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -998,9 +998,9 @@ dependencies = [
 [[package]]
 name = "sha2"
-version = "0.10.7"
+version = "0.10.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "479fb9d862239e610720565ca91403019f2f00410f1864c5aa7479b950a76ed8"
+checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
 dependencies = [
 "cfg-if",
 "cpufeatures",
diff --git a/Cargo.toml b/Cargo.toml
index 0ed20492d..64e2748c0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -28,7 +28,7 @@ rand = { version = "0.8", optional = true }
 rand_core = "0.6.4"
 rayon = { version = "1.8.0", optional = true }
 serde = { version = "1.0", features = ["derive"] }
-sha2 = { version = "0.10.7", optional = true }
+sha2 = { version = "0.10.8", optional = true }
 sha3 = "0.10.8"
 subtle = "2.5.0"
 thiserror = "1.0"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 4f4c02b94..fb500c33e 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -190,6 +190,11 @@ criteria = "safe-to-run"
 version = "0.7.0"
 criteria = "safe-to-run"
+[[exemptions.sha2]]
+version = "0.10.8"
+criteria = "safe-to-deploy"
+notes = "We do not use the new asm backend, either its feature or CPU architecture"
+
 [[exemptions.simba]]
 version = "0.6.0"
 criteria = "safe-to-run"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 6e9fad3ed..c1874cd5a 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -470,11 +470,6 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.10.1 -> 1.10.2"
-[[audits.firefox.audits.sha2]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.10.2 -> 0.10.6"
-
 [[audits.firefox.audits.subtle]]
 who = "Simon Friedberger "
 criteria = "safe-to-deploy"
@@ -608,18 +603,6 @@ approach looks reasonable.
 """
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-[[audits.zcash.audits.sha2]]
-who = "Jack Grigg "
-criteria = "safe-to-deploy"
-delta = "0.10.6 -> 0.10.7"
-notes = """
-The new `unsafe` assembly backend only uses aarch64 intrinsics, via their typed
-Rust APIs (aside from the SHA2-specific intrinsics that are not in Rust yet). I
-did not perform a cryptographic review, but the code to load from and store into
-the function arguments looks correct.
-"""
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.unicode-ident]]
 who = "Daira Hopwood "
 criteria = "safe-to-deploy"
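Review bot: The new `[[exemptions.sha2]]` entry grants `safe-to-deploy` to 0.10.8 with no audit behind it, and its stated justification, that the asm backend is unused, is not something this crate's own `sha2 = { version = "0.10.8", optional = true }` line in Cargo.toml can establish, because Cargo unifies features across the whole dependency graph and any other crate in the build that enables that backend's feature would silently invalidate the rationale. The notes should record how the claim was checked and when the exemption is meant to go away, for example `notes = "Delta 0.10.7 -> 0.10.8 has no imported audit yet. The asm backend's feature is not enabled anywhere in the graph (checked with cargo tree -e features); drop this exemption once a delta audit covering 0.10.8 is imported."`. Pruning the imported 0.10.2 -> 0.10.6 -> 0.10.7 delta audits from imports.lock in the same patch follows from the exemption, but it leaves this entry as the only thing standing between the dependency and an unreviewed code change, so it should be treated as a temporary measure rather than a permanent entry alongside the `safe-to-run` exemptions around it.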