diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 77d4c889..aa138d30 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -2,7 +2,7 @@
 # cargo-vet config file
 
 [cargo-vet]
-version = "0.8"
+version = "0.9"
 
 [imports.bytecode-alliance]
 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
@@ -181,10 +181,6 @@ criteria = "safe-to-deploy"
 version = "0.3.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.core-foundation-sys]]
-version = "0.8.6"
-criteria = "safe-to-deploy"
-
 [[exemptions.cpp_demangle]]
 version = "0.4.3"
 criteria = "safe-to-run"
@@ -365,14 +361,6 @@ criteria = "safe-to-deploy"
 version = "0.8.3"
 criteria = "safe-to-deploy"
 
-[[exemptions.iana-time-zone]]
-version = "0.1.59"
-criteria = "safe-to-deploy"
-
-[[exemptions.iana-time-zone-haiku]]
-version = "0.1.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.indexmap]]
 version = "2.0.0"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 9049f4f0..78b258b7 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -8,6 +8,13 @@ user-id = 696
 user-login = "fitzgen"
 user-name = "Nick Fitzgerald"
 
+[[publisher.core-foundation-sys]]
+version = "0.8.4"
+when = "2023-04-03"
+user-id = 5946
+user-login = "jrmuizel"
+user-name = "Jeff Muizelaar"
+
 [[publisher.windows-sys]]
 version = "0.45.0"
 when = "2023-01-21"
@@ -270,6 +277,15 @@ criteria = "safe-to-deploy"
 version = "1.0.0"
 notes = "I am the author of this crate."
 
+[[audits.bytecode-alliance.audits.core-foundation-sys]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+delta = "0.8.4 -> 0.8.6"
+notes = """
+The changes here are all typical bindings updates: new functions, types, and
+constants. I have not audited all the bindings for ABI conformance.
+"""
+
 [[audits.bytecode-alliance.audits.criterion]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
@@ -328,6 +344,20 @@ criteria = "safe-to-deploy"
 version = "0.3.27"
 notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
 
+[[audits.bytecode-alliance.audits.iana-time-zone]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.1.59"
+notes = """
+I also manually ran windows-bindgen and confirmed that the output matches
+the bindings checked into the repo.
+"""
+
+[[audits.bytecode-alliance.audits.iana-time-zone-haiku]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.1.2"
+
 [[audits.bytecode-alliance.audits.libm]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -900,6 +930,16 @@ who = "David Cook "
 criteria = "safe-to-deploy"
 version = "0.2.83"
 
+[[audits.mozilla.wildcard-audits.core-foundation-sys]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2020-10-14"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.android_system_properties]]
 who = "Nicolas Silva "
 criteria = "safe-to-deploy"