diff --git a/Cargo.lock b/Cargo.lock index cbe6f62..98c33f6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -408,9 +408,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "clap_mangen" -version = "0.2.24" +version = "0.2.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbae9cbfdc5d4fa8711c09bd7b83f644cb48281ac35bf97af3e47b0675864bdf" +checksum = "27b4c3c54b30f0d9adcb47f25f61fcce35c4dd8916638c6b82fbd5f4fb4179e2" dependencies = [ "clap", "roff", @@ -1408,7 +1408,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" dependencies = [ "cfg-if", - "windows-targets 0.48.5", + "windows-targets 0.52.6", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 368b891..e1d86e1 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -48,7 +48,7 @@ rand = "0.8.5" typenum = "1.17.0" log = { version = "0.4.22" } clap = { version = "4.5.23", features = ["derive"] } -clap_mangen = "0.2.24" +clap_mangen = "0.2.29" clap_complete = "4.5.40" serde = { version = "1.0.217", features = ["derive"] } arbitrary = { version = "1.4.1", features = ["derive"] } diff --git a/supply-chain/config.toml b/supply-chain/config.toml index e344e32..1b5f913 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -142,7 +142,7 @@ version = "0.7.4" criteria = "safe-to-deploy" [[exemptions.clap_mangen]] -version = "0.2.24" +version = "0.2.29" criteria = "safe-to-deploy" [[exemptions.cmake]] @@ -257,10 +257,6 @@ criteria = "safe-to-deploy" version = "0.10.2" criteria = "safe-to-deploy" -[[exemptions.fastrand]] -version = "2.3.0" -criteria = "safe-to-deploy" - [[exemptions.findshlibs]] version = "0.10.2" criteria = "safe-to-run" 
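Review bot: The `[[exemptions.clap_mangen]]` entry in supply-chain/config.toml (hunk `@@ -142,7 +142,7 @@`) moves from 0.2.24 to 0.2.29 with no audit behind it, so the new release is accepted as `safe-to-deploy` on the exemption alone. The same commit replaces the fastrand, gimli, pin-project-lite, rand_chacha, rand_core and utf8parse exemptions with imported audits, but none of the visible imports.lock hunks covers clap_mangen. If carrying the exemption forward is intentional, record why on the entry, for example `notes = "unaudited; exemption carried forward from 0.2.24, delta review pending"`. Otherwise review the `0.2.24 -> 0.2.29` delta, record it with `cargo vet certify`, and drop the exemption.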
@@ -285,10 +281,6 @@ criteria = "safe-to-deploy"
 version = "0.2.15"
 criteria = "safe-to-deploy"
 
-[[exemptions.gimli]]
-version = "0.31.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.hash32]]
 version = "0.2.1"
 criteria = "safe-to-deploy"
@@ -529,10 +521,6 @@ criteria = "safe-to-deploy"
 version = "1.0.15"
 criteria = "safe-to-deploy"
 
-[[exemptions.pin-project-lite]]
-version = "0.2.16"
-criteria = "safe-to-deploy"
-
 [[exemptions.pkg-config]]
 version = "0.3.31"
 criteria = "safe-to-deploy"
@@ -581,14 +569,6 @@ criteria = "safe-to-deploy"
 version = "0.9.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.rand_chacha]]
-version = "0.9.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.rand_core]]
-version = "0.9.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.redox_syscall]]
 version = "0.5.9"
 criteria = "safe-to-deploy"
@@ -733,10 +713,6 @@ criteria = "safe-to-deploy"
 version = "1.0.17"
 criteria = "safe-to-deploy"
 
-[[exemptions.utf8parse]]
-version = "0.2.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.uuid]]
 version = "1.14.0"
 criteria = "safe-to-deploy"
@@ -847,7 +823,7 @@ criteria = "safe-to-deploy"
 
 [[exemptions.windows-targets]]
 version = "0.48.5"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows-targets]]
 version = "0.52.6"
@@ -859,7 +835,7 @@ criteria = "safe-to-deploy"
 
 [[exemptions.windows_aarch64_gnullvm]]
 version = "0.48.5"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_aarch64_gnullvm]]
 version = "0.52.6"
@@ -871,7 +847,7 @@ criteria = "safe-to-deploy"
 
 [[exemptions.windows_aarch64_msvc]]
 version = "0.48.5"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_aarch64_msvc]]
 version = "0.52.6"
@@ -883,7 +859,7 @@ criteria = "safe-to-deploy"
 
 [[exemptions.windows_i686_gnu]]
 version = "0.48.5"
-criteria = "safe-to-deploy"
+criteria = "safe-to-run"
 
 [[exemptions.windows_i686_gnu]]
 version = "0.52.6"
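Review bot: The 0.48.5 entries for `windows-targets` and the `windows_*` target crates are still exemptions after this change; narrowing `criteria` from `safe-to-deploy` to `safe-to-run` adds no review of that code. This applies to hunk `@@ -847,7 +823,7 @@`, the three hunks after it, and the four matching hunks that follow for `windows_i686_msvc` through `windows_x86_64_msvc`. The Cargo.lock hunk that moves one dependent to `windows-targets 0.52.6` suggests 0.48.5 is now reachable only from paths that need `safe-to-run`. That is inferred, because the dependent's name lies outside the hunk. Both versions of each crate stay in the graph, so either add a `notes = "..."` line to the 0.48.5 entries naming what still pulls them in, or update that remaining dependent so the 0.48.5 exemptions can be removed.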
@@ -899,7 +875,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_i686_msvc]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_i686_msvc]] version = "0.52.6" @@ -911,7 +887,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_x86_64_gnu]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_x86_64_gnu]] version = "0.52.6" @@ -923,7 +899,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_x86_64_gnullvm]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_x86_64_gnullvm]] version = "0.52.6" @@ -935,7 +911,7 @@ criteria = "safe-to-deploy" [[exemptions.windows_x86_64_msvc]] version = "0.48.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.windows_x86_64_msvc]] version = "0.52.6" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index babb9a4..445f975 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -35,7 +35,7 @@ who = "Alex Crichton " criteria = "safe-to-deploy" user-id = 73222 # wasmtime-publish start = "2023-01-01" -end = "2025-05-08" +end = "2026-06-03" notes = """ The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate publication of this crate from CI. This repository requires all PRs are reviewed @@ -144,6 +144,21 @@ who = "Dan Gohman " criteria = "safe-to-deploy" delta = "0.3.9 -> 0.3.10" +[[audits.bytecode-alliance.audits.fastrand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +notes = """ +This update had a few doc updates but no otherwise-substantial source code +updates. +""" + +[[audits.bytecode-alliance.audits.fastrand]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.1.1 -> 2.3.0" +notes = "Minor refactoring, nothing new." + [[audits.bytecode-alliance.audits.futures]] who = "Joel Dice " criteria = "safe-to-deploy" 
@@ -190,6 +205,18 @@ who = "Pat Hickey " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.31" +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.29.0 -> 0.31.0" +notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate." + +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.31.0 -> 0.31.1" +notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!" + [[audits.bytecode-alliance.audits.heck]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -249,6 +276,12 @@ criteria = "safe-to-deploy" version = "1.0.0" notes = "I am the author of this crate." +[[audits.bytecode-alliance.audits.pin-project-lite]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.14" +notes = "No substantive changes in this update" + [[audits.bytecode-alliance.audits.pin-utils]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -301,6 +334,12 @@ criteria = "safe-to-deploy" version = "1.0.40" notes = "Found no unsafe or ambient capabilities used" +[[audits.embark-studios.audits.utf8parse]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.2.1" +notes = "Single unsafe usage that looks sound, no ambient capabilities" + [[audits.fermyon.audits.oorandom]] who = "Radu Matei " criteria = "safe-to-run" 
@@ -411,6 +450,16 @@ delta = "1.0.1 -> 1.0.2" notes = "No changes to any .rs files or Rust code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.fastrand]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.9.0" +notes = """ +`does-not-implement-crypto` is certified because this crate explicitly says +that the RNG here is not cryptographically secure. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.glob]] who = "George Burgess IV " criteria = "safe-to-deploy" @@ -554,6 +603,20 @@ version = "0.1.46" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.2.9" +notes = "Reviewed on https://fxrev.dev/824504" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.proc-macro-error-attr]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -708,6 +771,24 @@ For more detailed unsafe review notes please see https://crrev.com/c/6362797 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.rand_chacha]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.3.1" +notes = """ +For more detailed unsafe review notes please see https://crrev.com/c/6362797 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rand_core]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.6.4" +notes = """ +For more detailed unsafe review notes please see https://crrev.com/c/6362797 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.regex-syntax]] who = "Manish Goregaokar " criteria = "safe-to-deploy" @@ -1160,11 +1241,21 @@ who = "David Cook " criteria = "safe-to-deploy" version = "0.3.1" +[[audits.isrg.audits.rand_chacha]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.9.0" + [[audits.isrg.audits.rand_core]] who = "David Cook " criteria = "safe-to-deploy" version = "0.6.3" +[[audits.isrg.audits.rand_core]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.6.4 -> 0.9.3" + [[audits.isrg.audits.rayon]] who = "Brandon Pitman " criteria = "safe-to-deploy" 
@@ -1379,6 +1470,25 @@ criteria = "safe-to-deploy" delta = "0.3.1 -> 0.3.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 2.0.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "2.0.1 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fastrand]] +who = "Chris Martin " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.1.1" +notes = "Fairly trivial changes, no chance of security regression." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -1409,6 +1519,23 @@ documentation. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.gimli]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.30.0" +notes = """ +Unsafe code blocks are sound. Minimal dependencies used. No use of +side-effectful std functions. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.gimli]] +who = "Chris Martin " +criteria = "safe-to-deploy" +delta = "0.30.0 -> 0.29.0" +notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" 
@@ -1428,6 +1555,16 @@ delta = "1.0.0 -> 0.1.2" notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.pin-project-lite]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.16" +notes = """ +Only functional change is to work around a bug in the negative_impls feature +(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009) +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + [[audits.mozilla.audits.rand_core]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1491,6 +1628,12 @@ criteria = "safe-to-deploy" delta = "1.0.43 -> 1.0.69" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" +[[audits.mozilla.audits.utf8parse]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +delta = "0.2.1 -> 0.2.2" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + [[audits.mozilla.audits.zeroize]] who = "Benjamin Beurdouche " criteria = "safe-to-deploy"