From 86a00ba0eb92f21b053130ceca4c45d8c4ce3f37 Mon Sep 17 00:00:00 2001 From: Alfredo Garcia Date: Wed, 2 Oct 2024 18:25:09 -0300 Subject: [PATCH] cargo vet updates --- supply-chain/audits.toml | 384 +++++++++++++++++++++++++++++++++++++ supply-chain/config.toml | 96 +++------- supply-chain/imports.lock | 391 +++++++++++++++++++++++++++++++++----- 3 files changed, 755 insertions(+), 116 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index fd2e76233c1..963d1771ca3 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1,6 +1,11 @@ # cargo-vet audits file +[[audits.anstyle]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.7 -> 1.0.8" + [[audits.axum]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -11,6 +16,21 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.3.4 -> 0.4.3" +[[audits.bip32]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.5.1 -> 0.5.2" + +[[audits.bridgetree]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.5.0" + +[[audits.bytemuck]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.16.3 -> 1.16.1" + [[audits.bytes]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -21,6 +41,11 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "1.6.1 -> 1.7.1" +[[audits.cfg_aliases]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +version = "0.1.1" + [[audits.clap_derive]] who = "Alfredo Garcia " criteria = "safe-to-deploy" 
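Review bot: The new `[[audits.bytemuck]]` entry records a backwards delta, `delta = "1.16.3 -> 1.16.1"`, which certifies 1.16.1 as safe-to-deploy by reverse-applying the change from 1.16.3. The imported Google audit added to imports.lock in this same patch says its bytemuck review was moved to `1.16.3` because the original audit missed a UB risk that was fixed in 1.16.2, so this delta vouches for a release that predates that fix. If 1.16.1 is still what Cargo.lock resolves, moving the dependency to 1.16.3 or later would let the imported full audit apply directly and this entry could be dropped. Otherwise add a `notes` line saying that the 1.16.2 fix was looked at and why the affected code does not matter here.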
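Review bot: `[[audits.cfg_aliases]]` is a full-crate certification (`version = "0.1.1"`) with no `notes`, so the record does not say what was actually inspected. The same applies to the other full audits added in this patch (`libyml` 0.0.5, `serde_yml` 0.0.12, `zip321` 0.1.0) and to wide deltas such as `windows-sys` `0.52.0 -> 0.59.0`. The imported Google entries in imports.lock show the useful form: which patterns were grepped for (`unsafe`, `fs`, `net`, crypto) and what the hits were. I would add a line such as `notes = "<what was reviewed: unsafe usage, build script, fs/net access>"` to each full audit.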
@@ -66,6 +91,18 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.4.0" +[[audits.equihash]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.f4jumble]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + [[audits.git2]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -81,11 +118,26 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "1.3.1 -> 1.4.1" +[[audits.hyper-util]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.6 -> 0.1.9" + +[[audits.incrementalmerkletree]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.5.1 -> 0.6.0" + [[audits.indexmap]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "2.2.6 -> 2.3.0" +[[audits.indexmap]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "2.3.0 -> 2.5.0" + [[audits.inferno]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -96,11 +148,26 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.11.20 -> 0.11.21" +[[audits.insta]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.39.0 -> 1.40.0" + +[[audits.libc]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.2.155 -> 0.2.159" + [[audits.libgit2-sys]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.16.2+1.7.2 -> 0.17.0+1.8.1" +[[audits.libyml]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +version = "0.0.5" + [[audits.log]] who = "Alfredo Garcia " criteria = "safe-to-deploy" 
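Review bot: The `@git:a1047adf0b6f324dad415db34762dc26f8367ce4` side of the `equihash` and `f4jumble` deltas names only a commit hash; the entries do not record which repository that commit belongs to or what differs from the published release. The same pattern recurs later in this file for `zcash_address`, `zcash_client_backend`, `zcash_encoding`, `zcash_keys`, `zcash_primitives`, `zcash_protocol` and `zip321`. Because `importable = false` keeps these entries local, the only reader is the next auditor of this repository, and a short `notes = "git dependency from <repository URL>; reviewed the diff between the release and this commit"` would make each one checkable.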
@@ -131,6 +198,21 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.8.11 -> 1.0.1" +[[audits.nix]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +version = "0.15.0" + +[[audits.orchard]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.8.0 -> 0.9.0" + +[[audits.owo-colors]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "4.0.0 -> 4.1.0" + [[audits.proptest-derive]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -141,6 +223,11 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.12.6 -> 0.13.1" +[[audits.prost]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.13.1 -> 0.13.3" + [[audits.prost-build]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -151,6 +238,11 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.12.6 -> 0.13.1" +[[audits.prost-derive]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.13.1 -> 0.13.3" + [[audits.prost-types]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -161,6 +253,36 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "1.10.5 -> 1.10.6" +[[audits.regex]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.10.6 -> 1.11.0" + +[[audits.regex-automata]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.4.7 -> 0.4.8" + +[[audits.regex-syntax]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.8.4 -> 0.8.5" + +[[audits.rlimit]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.10.1 -> 0.10.2" + +[[audits.rustix]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.38.34 -> 0.38.37" + +[[audits.sapling-crypto]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.2.0" + [[audits.serde_spanned]] who = "Alfredo Garcia " criteria = "safe-to-deploy" 
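Review bot: `[[audits.nix]]` certifies the whole of `version = "0.15.0"` as safe-to-deploy without notes, and it looks like it exists to anchor the imported Mozilla delta chain (`0.15.0 -> 0.25.0` through `0.28.0 -> 0.29.0` in imports.lock). The Mozilla note on the first of those deltas says it brings "several important bug fixes (including buffer overflows)", so 0.15.0 is a release that predates those fixes. If 0.15.0 is not in the dependency graph, a full audit of the version that Cargo.lock actually resolves would be a more accurate record. If the entry has to stay, confirm that and add something like `notes = "baseline for imported deltas only; 0.15.0 itself is not built"`.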
@@ -186,21 +308,46 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "3.8.3 -> 3.9.0" +[[audits.serde_yml]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +version = "0.0.12" + +[[audits.shardtree]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.4.0" + [[audits.tempfile]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "3.10.1 -> 3.11.0" +[[audits.tempfile]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "3.11.0 -> 3.13.0" + [[audits.thiserror]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "1.0.61 -> 1.0.62" +[[audits.thiserror]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.64" + [[audits.thiserror-impl]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "1.0.63 -> 1.0.62" +[[audits.thiserror-impl]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.64" + [[audits.tokio]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -216,6 +363,16 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "2.3.0 -> 2.4.0" +[[audits.tokio-stream]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.15 -> 0.1.16" + +[[audits.tokio-util]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.7.11 -> 0.7.12" + [[audits.toml]] who = "Alfredo Garcia " criteria = "safe-to-deploy" @@ -261,6 +418,16 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.11.0 -> 0.12.0" +[[audits.tonic]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.12.1 -> 0.12.3" + +[[audits.tonic-build]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.12.1 -> 0.12.3" + [[audits.tonic-reflection]] who = "Alfredo Garcia " criteria = "safe-to-deploy" 
@@ -271,16 +438,233 @@ who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.12.0 -> 0.12.1" +[[audits.tonic-reflection]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.12.1 -> 0.12.3" + +[[audits.tower-batch-control]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.2.41-beta.14 -> 0.2.41-beta.15" + +[[audits.tower-fallback]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.2.41-beta.14 -> 0.2.41-beta.15" + +[[audits.tower-layer]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.3.2 -> 0.3.3" + +[[audits.tower-service]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.3.2 -> 0.3.3" + +[[audits.uint]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.9.5 -> 0.10.0" + [[audits.vergen]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "8.3.1 -> 8.3.2" +[[audits.version_check]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.9.4 -> 0.9.5" + +[[audits.windows-sys]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.0 -> 0.59.0" + +[[audits.windows-targets]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_aarch64_gnullvm]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_aarch64_msvc]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_i686_gnu]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_i686_gnullvm]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_i686_msvc]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_x86_64_gnu]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + +[[audits.windows_x86_64_gnullvm]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" 
+delta = "0.52.5 -> 0.52.6" + +[[audits.windows_x86_64_msvc]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.52.5 -> 0.52.6" + [[audits.winnow]] who = "Alfredo Garcia " criteria = "safe-to-deploy" delta = "0.6.13 -> 0.6.18" +[[audits.zcash_address]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.5.0" + +[[audits.zcash_address]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.5.0 -> 0.5.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.zcash_client_backend]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.12.1 -> 0.13.0" + +[[audits.zcash_client_backend]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.13.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.zcash_encoding]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.2.1 -> 0.2.1@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.zcash_keys]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.zcash_primitives]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.16.0 -> 0.17.0" + +[[audits.zcash_primitives]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.17.0 -> 0.17.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.zcash_proofs]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.16.0 -> 0.17.0" + +[[audits.zcash_protocol]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.0" + +[[audits.zcash_protocol]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.3.0" + +[[audits.zcash_protocol]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + +[[audits.zebra-chain]] +who = "Alfredo 
Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-consensus]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-grpc]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.0-alpha.5 -> 0.1.0-alpha.6" + +[[audits.zebra-network]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-node-services]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-rpc]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-script]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-state]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-test]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebra-utils]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.0.0-beta.38 -> 1.0.0-beta.39" + +[[audits.zebrad]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.9.0" + +[[audits.zip321]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.zip321]] +who = "Alfredo Garcia " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.0@git:a1047adf0b6f324dad415db34762dc26f8367ce4" +importable = false + [[trusted.clap]] criteria = "safe-to-deploy" user-id = 6743 # Ed Page (epage) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 21bfeebddba..7a20193f958 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1,3 +1,4 @@ + # cargo-vet config file [cargo-vet] 
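Review bot: Two of the new `[[audits.zcash_protocol]]` deltas start from the same version, `0.1.1 -> 0.2.0` and `0.1.1 -> 0.3.0`, which leaves the audit trail ambiguous about what was diffed. If the second entry was meant to continue the chain, it should read `delta = "0.2.0 -> 0.3.0"`. If the `0.1.1 -> 0.3.0` diff is what was really reviewed, the `0.1.1 -> 0.2.0` entry can go unless 0.2.0 is still resolved somewhere in Cargo.lock. This hunk starts on an earlier line of the patch and these entries sit in the middle of it.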
@@ -15,12 +16,36 @@ url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/ [imports.zcashd] url = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[policy.equihash] +audit-as-crates-io = true + +[policy.f4jumble] +audit-as-crates-io = true + [policy.tower-batch-control] audit-as-crates-io = true [policy.tower-fallback] audit-as-crates-io = true +[policy.zcash_address] +audit-as-crates-io = true + +[policy.zcash_client_backend] +audit-as-crates-io = true + +[policy.zcash_encoding] +audit-as-crates-io = true + +[policy.zcash_keys] +audit-as-crates-io = true + +[policy.zcash_primitives] +audit-as-crates-io = true + +[policy.zcash_protocol] +audit-as-crates-io = true + [policy.zebra-chain] audit-as-crates-io = true @@ -57,6 +82,9 @@ audit-as-crates-io = true [policy.zebrad] audit-as-crates-io = true +[policy.zip321] +audit-as-crates-io = true + [[exemptions.abscissa_core]] version = "0.7.0" criteria = "safe-to-deploy" @@ -69,10 +97,6 @@ criteria = "safe-to-deploy" version = "0.21.0" criteria = "safe-to-deploy" -[[exemptions.adler]] -version = "1.0.2" -criteria = "safe-to-deploy" - [[exemptions.aead]] version = "0.5.2" criteria = "safe-to-deploy" @@ -89,10 +113,6 @@ criteria = "safe-to-deploy" version = "1.1.3" criteria = "safe-to-deploy" -[[exemptions.allocator-api2]] -version = "0.2.18" -criteria = "safe-to-deploy" - [[exemptions.android-tzdata]] version = "0.1.1" criteria = "safe-to-deploy" @@ -197,14 +217,6 @@ criteria = "safe-to-deploy" version = "1.3.3" criteria = "safe-to-deploy" -[[exemptions.bip0039]] -version = "0.10.1" -criteria = "safe-to-deploy" - -[[exemptions.bitflags]] -version = "1.3.2" -criteria = "safe-to-deploy" - [[exemptions.bitflags-serde-legacy]] version = "0.1.1" criteria = "safe-to-deploy" 
@@ -249,10 +261,6 @@ criteria = "safe-to-deploy" version = "1.2.2" criteria = "safe-to-deploy" -[[exemptions.byteorder]] -version = "1.5.0" -criteria = "safe-to-deploy" - [[exemptions.bytes]] version = "1.6.0" criteria = "safe-to-deploy" @@ -369,10 +377,6 @@ criteria = "safe-to-deploy" version = "0.2.12" criteria = "safe-to-deploy" -[[exemptions.crc32fast]] -version = "1.4.2" -criteria = "safe-to-deploy" - [[exemptions.criterion]] version = "0.5.1" criteria = "safe-to-run" @@ -513,10 +517,6 @@ criteria = "safe-to-deploy" version = "0.4.2" criteria = "safe-to-deploy" -[[exemptions.flate2]] -version = "1.0.30" -criteria = "safe-to-deploy" - [[exemptions.flume]] version = "0.10.14" criteria = "safe-to-deploy" @@ -621,10 +621,6 @@ criteria = "safe-to-deploy" version = "7.5.4" criteria = "safe-to-deploy" -[[exemptions.hdwallet]] -version = "0.4.1" -criteria = "safe-to-deploy" - [[exemptions.heck]] version = "0.3.3" criteria = "safe-to-deploy" @@ -905,10 +901,6 @@ criteria = "safe-to-deploy" version = "0.2.1" criteria = "safe-to-deploy" -[[exemptions.miniz_oxide]] -version = "0.7.4" -criteria = "safe-to-deploy" - [[exemptions.mio]] version = "0.8.11" criteria = "safe-to-deploy" @@ -1033,18 +1025,10 @@ criteria = "safe-to-deploy" version = "0.9.10" criteria = "safe-to-deploy" -[[exemptions.password-hash]] -version = "0.3.2" -criteria = "safe-to-deploy" - [[exemptions.pasta_curves]] version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.pbkdf2]] -version = "0.10.1" -criteria = "safe-to-deploy" - [[exemptions.percent-encoding]] version = "2.3.1" criteria = "safe-to-deploy" @@ -1265,10 +1249,6 @@ criteria = "safe-to-deploy" version = "0.8.37" criteria = "safe-to-deploy" -[[exemptions.ring]] -version = "0.16.20" -criteria = "safe-to-deploy" - [[exemptions.ring]] version = "0.17.8" criteria = "safe-to-deploy" 
@@ -1461,10 +1441,6 @@ criteria = "safe-to-deploy" version = "0.1.1" criteria = "safe-to-deploy" -[[exemptions.spin]] -version = "0.5.2" -criteria = "safe-to-deploy" - [[exemptions.spin]] version = "0.9.8" criteria = "safe-to-deploy" @@ -1481,10 +1457,6 @@ criteria = "safe-to-deploy" version = "0.8.0" criteria = "safe-to-deploy" -[[exemptions.strsim]] -version = "0.11.1" -criteria = "safe-to-deploy" - [[exemptions.structopt]] version = "0.3.26" criteria = "safe-to-deploy" @@ -1633,10 +1605,6 @@ criteria = "safe-to-deploy" version = "0.1.27" criteria = "safe-to-deploy" -[[exemptions.tracing-core]] -version = "0.1.32" -criteria = "safe-to-deploy" - [[exemptions.tracing-error]] version = "0.2.0" criteria = "safe-to-deploy" @@ -1713,14 +1681,6 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.unsafe-libyaml]] -version = "0.2.11" -criteria = "safe-to-deploy" - -[[exemptions.untrusted]] -version = "0.7.1" -criteria = "safe-to-deploy" - [[exemptions.untrusted]] version = "0.9.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index b9dd505d67b..b855130e47d 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,6 +1,10 @@ # cargo-vet imports lock +[[unpublished.zebra-scan]] +version = "0.1.0-alpha.8" +audited_as = "0.1.0-alpha.7" + [[publisher.cexpr]] version = "0.6.0" when = "2021-10-11" @@ -9,22 +13,22 @@ user-login = "emilio" user-name = "Emilio Cobos Álvarez" [[publisher.clap]] -version = "4.5.13" -when = "2024-07-31" +version = "4.5.18" +when = "2024-09-20" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_builder]] -version = "4.5.13" -when = "2024-07-31" +version = "4.5.18" +when = "2024-09-20" user-id = 6743 user-login = "epage" user-name = "Ed Page" [[publisher.clap_derive]] -version = "4.5.13" -when = "2024-07-31" +version = "4.5.18" +when = "2024-09-20" user-id = 6743 user-login = "epage" user-name = "Ed Page" 
@@ -44,8 +48,8 @@ user-login = "hsivonen" user-name = "Henri Sivonen" [[publisher.serde_json]] -version = "1.0.122" -when = "2024-08-01" +version = "1.0.128" +when = "2024-09-04" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -58,15 +62,15 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.syn]] -version = "2.0.72" -when = "2024-07-21" +version = "2.0.79" +when = "2024-09-27" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" [[publisher.tokio]] -version = "1.39.2" -when = "2024-07-27" +version = "1.40.0" +when = "2024-08-30" user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" @@ -85,6 +89,19 @@ user-id = 1139 user-login = "Manishearth" user-name = "Manish Goregaokar" +[[audits.google.audits.adler]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.2" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits (except in comments and in the `README.md` file). + +Note that some additional, internal notes about an older version of this crate +can be found at go/image-crate-chromium-security-review. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.async-stream]] who = "Tyler Mandry " criteria = "safe-to-deploy" 
@@ -146,6 +163,22 @@ version = "0.13.1" notes = "Skimmed the uses of `std` to ensure that nothing untoward is happening. Code uses `forbid(unsafe_code)` and, indeed, there are no uses of `unsafe`" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.3.2" +notes = """ +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +The crate exposes a function marked as `unsafe`, but doesn't use any +`unsafe` blocks (except for tests of the single `unsafe` function). I +think this justifies marking this crate as `ub-risk-1`. + +Additional review comments can be found at https://crrev.com/c/4723145/31 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.bitflags]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -179,30 +212,21 @@ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_p [[audits.google.audits.bytemuck]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" -version = "1.14.3" -notes = "Additional review notes may be found in https://crrev.com/c/5362675." -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.bytemuck]] -who = "Adrian Taylor " -criteria = "safe-to-deploy" -delta = "1.14.3 -> 1.15.0" +version = "1.16.3" +notes = """ +Review notes from the original audit (of 1.14.3) may be found in +https://crrev.com/c/5362675. Note that this audit has initially missed UB risk +that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258. +Because of this, the original audit has been edited to certify version `1.16.3` +instead (see also https://crrev.com/c/5771867). +""" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.bytemuck]] +[[audits.google.audits.byteorder]] who = "danakj " criteria = "safe-to-deploy" -delta = "1.15.0 -> 1.16.0" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - -[[audits.google.audits.bytemuck]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -delta = "1.16.0 -> 1.16.1" -notes = """ -The delta only adds `f16` and `f128` support (with some other minor changes) -and has no impact on the audit criteria. -""" +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.google.audits.cast]] 
@@ -217,6 +241,18 @@ criteria = "safe-to-deploy" version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.crc32fast]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.4.2" +notes = """ +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.equivalent]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -233,6 +269,41 @@ that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.flate2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.30" +notes = ''' +WARNING: This certification is a result of a **partial** audit. The +`any_zlib` code has **not** been audited. Ability to track partial +audits is tracked in https://github.com/mozilla/cargo-vet/issues/380 +Chromium does use the `any_zlib` feature(s). Accidentally depending on +this feature in the future is prevented using the `ban_features` feature +of `gnrt` - see: +https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml + +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. + +All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`: + +* The code under `src/ffi/...` will not be used because the `mod c` + declaration in `src/ffi/mod.rs` depends on the `any_zlib` config +* 7 uses of `unsafe` in `src/mem.rs` also all depend on the + `any_zlib` config: + - 2 in `fn set_dictionary` (under `impl Compress`) + - 2 in `fn set_level` (under `impl Compress`) + - 3 in `fn set_dictionary` (under `impl Decompress`) + +All hits of `'\bfs\b'` are in comments, or example code, or test code +(but not in product code). + +There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.futures]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -311,6 +382,22 @@ delta = "1.4.0 -> 1.5.0" notes = "Unsafe review notes: https://crrev.com/c/5650836" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.miniz_oxide]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.7.4" +notes = ''' +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits, except for some mentions of "unsafe" in the `README.md` +and in a comment in `src/deflate/core.rs`. The comment discusses whether a +function should be treated as unsafe, but there is no actual `unsafe` code, so +the crate meets the `ub-risk-0` criteria. + +Note that some additional, internal notes about an older version of this crate +can be found at go/image-crate-chromium-security-review. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.nom]] who = "danakj@chromium.org" criteria = "safe-to-deploy" @@ -432,6 +519,16 @@ criteria = "safe-to-deploy" delta = "1.0.35 -> 1.0.36" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.quote]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.36 -> 1.0.37" +notes = """ +The delta just 1) inlines/expands `impl ToTokens` that used to be handled via +`primitive!` macro and 2) adds `impl ToTokens` for `CStr` and `CString`. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.rustversion]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -541,6 +638,32 @@ criteria = "safe-to-deploy" delta = "1.0.203 -> 1.0.204" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.204 -> 1.0.207" +notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.207 -> 1.0.209" +notes = """ +The delta carries fairly small changes in `src/private/de.rs` and +`src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the +delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts +of the crate (in `src/de/format.rs` and `src/ser/impls.rs`). +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.serde_derive]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -573,6 +696,32 @@ criteria = "safe-to-deploy" delta = "1.0.203 -> 1.0.204" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.204 -> 1.0.207" +notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.207 -> 1.0.209" +notes = ''' +There are no code changes in this delta - see https://crrev.com/c/5812194/2..5 + +I've neverthless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`, +`\bnet\b`, and `\bunsafe\b`. There were no hits. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.static_assertions]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -746,6 +895,12 @@ end = "2024-05-03" notes = "All code written or reviewed by Manish" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.allocator-api2]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.2.18" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.android_system_properties]] who = "Nicolas Silva " criteria = "safe-to-deploy" @@ -834,6 +989,13 @@ version = "0.6.3" notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.cfg_aliases]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.1.1 -> 0.2.1" +notes = "Very minor changes." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.core-foundation]] who = "Teodor Tanasoaia " criteria = "safe-to-deploy" @@ -871,6 +1033,12 @@ criteria = "safe-to-deploy" delta = "1.9.0 -> 2.0.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "2.0.1 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -943,6 +1111,47 @@ delta = "0.4.18 -> 0.4.20" notes = "Only cfg attribute and internal macro changes and module refactorings" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" +[[audits.mozilla.audits.nix]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.25.0" +notes = "Plenty of new bindings but also several important bug fixes (including buffer overflows). New unsafe sections are restricted to wrappers and are no more dangerous than calling the C functions." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.nix]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.25.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.nix]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.25.1 -> 0.26.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.nix]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +delta = "0.26.2 -> 0.27.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.nix]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.27.1 -> 0.28.0" +notes = """ +Many new features and bugfixes. Obviously there's a lot of unsafe code calling +libc, but the usage looks correct. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.nix]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.28.0 -> 0.29.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.num-conv]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -970,6 +1179,12 @@ version = "1.1.0" notes = "Straightforward crate with no unsafe code, does what it says on the tin." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.strsim]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.11.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " criteria = "safe-to-deploy" @@ -1017,6 +1232,17 @@ criteria = "safe-to-deploy" delta = "0.2.10 -> 0.2.18" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.tracing-core]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.30" +notes = """ +Most unsafe code is in implementing non-std sync primitives. Unsafe impls are +logically correct and justified in comments, and unsafe code is sound and +justified in comments. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.zerocopy]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -1043,32 +1269,33 @@ criteria = "safe-to-deploy" delta = "1.2.0 -> 1.3.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" -[[audits.zcash.audits.fastrand]] +[[audits.zcash.audits.bip32]] who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.0.0 -> 2.0.1" +version = "0.5.1" +notes = """ +- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`. +- Crate has no powerful imports. Only filesystem acces is via `include_str!`, and is safe. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.bytes]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.7.1 -> 1.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.fastrand]] -who = "Daira-Emma Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.0.1 -> 2.0.2" +delta = "2.0.0 -> 2.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.fastrand]] -who = "Daira-Emma Hopwood " +who = "Jack Grigg " criteria = "safe-to-deploy" -delta = "2.0.2 -> 2.1.0" -notes = """ -As noted in the changelog, this version produces different output for a given seed. -The documentation did not mention stability. It is possible that some uses relying on -determinism across the update would be broken. - -The new constants do appear to match WyRand v4.2 (modulo ordering issues that I have not checked): -https://github.com/wangyi-fudan/wyhash/blob/408620b6d12b7d667b3dd6ae39b7929a39e8fa05/wyhash.h#L145 -I have no way to check whether these constants are an improvement or not. 
-""" -aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +delta = "2.1.0 -> 2.1.1" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.zcash.audits.futures]] who = "Jack Grigg " @@ -1190,6 +1417,12 @@ be set correctly by `cargo`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.secp256k1]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.26.0 -> 0.27.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.signature]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" 
@@ -1268,6 +1501,34 @@ criteria = "safe-to-deploy" delta = "0.12.0 -> 0.12.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[audits.zcash.audits.tracing-core]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.30 -> 0.1.31" +notes = """ +The only new `unsafe` block is to intentionally leak a scoped subscriber onto +the heap when setting it as the global default dispatcher. I checked that the +global default can only be set once and is never dropped. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.tracing-core]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.31 -> 0.1.32" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.visibility]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = """ +- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`. +- Crate has no powerful imports, and exclusively provides a proc macro + that safely malleates a visibility modifier. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.wagyu-zcash-parameters]] who = "Sean Bowe " criteria = "safe-to-deploy" 
@@ -1316,6 +1577,40 @@ criteria = "safe-to-deploy" version = "0.2.92" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.zcash_address]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.3.2 -> 0.4.0" +notes = "This release contains no unsafe code and consists soley of added convenience methods." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.zcash_encoding]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.1" +notes = "This release adds minor convenience methods and involves no unsafe code." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.zcash_keys]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.3.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.zcash_primitives]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.15.1 -> 0.16.0" +notes = "The primary change here is the switch from the `hdwallet` dependency to using `bip32`." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.zcash_proofs]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.16.0" +notes = "This release involves only updates of previously-vetted dependencies." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.zerocopy]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy"