[criteria.crypto-safe] description = """ All crypto algorithms in this crate have been reviewed by a relevant expert. **Note**: If a crate does not implement crypto, use `does-not-implement-crypto`, which implies `crypto-safe`, but does not require expert review in order to audit for.""" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.does-not-implement-crypto] description = """ Inspection reveals that the crate in question does not attempt to implement any cryptographic algorithms on its own. Note that certification of this does not require an expert on all forms of cryptography: it's expected for crates we import to be \"good enough\" citizens, so they'll at least be forthcoming if they try to implement something cryptographic. When in doubt, please ask an expert.""" implies = "crypto-safe" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.rule-of-two-safe-to-deploy] description = """ This is a stronger requirement than the built-in safe-to-deploy criteria, motivated by Chromium's rule-of-two related requirements: https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md#unsafe-code-in-safe-languages This crate will not introduce a serious security vulnerability to production software exposed to untrusted input. Auditors are not required to perform a full logic review of the entire crate. Rather, they must review enough to fully reason about the behavior of all unsafe blocks and usage of powerful imports. For any reasonable usage of the crate in real-world software, an attacker must not be able to manipulate the runtime behavior of these sections in an exploitable or surprising way. Ideally, ambient capabilities (e.g. filesystem access) are hardened against manipulation and consistent with the advertised behavior of the crate. However, some discretion is permitted. In such cases, the nature of the discretion should be recorded in the `notes` field of the audit record. Any unsafe code in this crate must, in general, be kept well-contained, and documentation must exist to describe how Rust's invariants are being upheld despite the unsafe block(s). Nontrivial uses of unsafe must be reviewed by an expert in Rust's unsafety guarantees/non-guarantees. For crates which generate deployed code (e.g. build dependencies or procedural macros), reasonable usage of the crate should output code which meets the above criteria.""" implies = "safe-to-deploy" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-0] description = """ No unsafe code. Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-0 """ implies = "ub-risk-1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-1] description = """ Excellent soundness. Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1 """ implies = "ub-risk-2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-1-thorough] description = """ Excellent soundness (established in a thorough review). Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1-thorough """ implies = "ub-risk-1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-2] description = """ Negligible unsoundness or average soundness. Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2 """ implies = "ub-risk-3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-2-thorough] description = """ Negligible unsoundness or average soundness (established in a thorough review). Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2-thorough """ implies = "ub-risk-2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-3] description = """ Mild unsoundness or suboptimal soundness. Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-3 """ implies = "ub-risk-4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [criteria.ub-risk-4] description = """ Extreme unsoundness. Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-4 """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits."0.7.11"]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-1"] version = "0.7.15" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.addr2line]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.19.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.addr2line]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.19.0 -> 0.20.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.addr2line]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.20.0 -> 0.21.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.adler]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.2" notes = """ Fast checksum'ing algos like the one implemented by this crate don't qualify as crypto. Hence, this crate does-not-implement-crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.adler]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.2" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits (except in comments and in the `README.md` file). Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.adler2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0" notes = ''' This audit has been reviewed in https://crrev.com/c/5811890 The crate is fairly easy to read thanks to its small size and rich comments. I've grepped for `-i cipher`, `-i crypto`, `\bfs\b`, `\bnet\b`, and `\bunsafe\b`. There were no hits (except for a comment in `README.md` and `lib.rs` pointing out "Zero `unsafe`"). ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.aes]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.7.5 -> 0.8.2" notes = """ Note for reviewers of future updates to this crate: There exist internal APIs such as [1] which are safe but have undocumented safety invariants. [1] https://fuchsia-review.git.corp.google.com/c/fuchsia/+/711365/comment/7a8cdc16_9e9f45ca/ """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.aes]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-1"] delta = "0.8.2 -> 0.8.4" notes = "Audited at https://fxrev.dev/987054" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.aes-gcm]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.9.4 -> 0.8.2" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.aes-gcm-siv]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.10.3 -> 0.11.1" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.ahash]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.3" notes = """ Note on does-not-implement-crypto: the aHash documentation explicitly states it is not a cryptographically secure hash. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ahash]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.3 -> 0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ahash]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.3 -> 0.8.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ahash]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.5 -> 0.8.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.aho-corasick]] who = "Android Legacy" criteria = "safe-to-run" version = "0.7.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.aho-corasick]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.aho-corasick]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.aho-corasick]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.2" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.aho-corasick]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.1.2 -> 1.1.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.alloc-no-stdlib]] who = [ "Luca Versari ", "Manish Goregaokar ", ] criteria = "ub-risk-4" version = "2.0.4" notes = """ Reviewed in CL 636730294 Issues found: - unsafe functions have no documented safety invariants - CallocBackingStore returns uninitialized memory """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.alloc-stdlib]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.2.2" notes = "Reviewed in CL 636730499" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.alsa-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.1" notes = """ The vast majority of the LOC of this package is decls that mirror alsa's. Auditing alsa itself is out of scope, but these bindings look fine. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.android_logger]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.13.3" notes = "Reviewed in CL 559548165" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.android_system_properties]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.1.5" notes = "Android system API FFI" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.ansi_term]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.12.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anstream]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anstream]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.3.2" notes = "Reviewed in CL 559376670" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.anstream]] who = "Ben Saunders " criteria = "ub-risk-4" version = "0.6.5" notes = """ Reviewed in CL 596713982 Issues found: - https://github.com/rust-cli/anstyle/issues/156 - Exhaustive review of utf8 soundness not performed """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.anstyle]] who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anstyle]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.4" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anstyle]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.4 -> 1.0.6" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anstyle]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.6 -> 1.0.7" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anstyle]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.7 -> 1.0.8" notes = "Only Cargo.toml changes in the 1.0.7 => 1.0.8 delta." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anstyle]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.8 -> 1.0.9" notes = "No changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anstyle]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.9 -> 1.0.10" notes = "Minor changes related to `write_str`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anstyle]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "1.0.0" notes = "Reviewed in CL 559404826" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.anstyle-parse]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anstyle-parse]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.2.1" notes = "Reviewed in CL 559131783" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.anstyle-query]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anstyle_query]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "1.0.0" notes = "Reviewed in CL 559375925" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.anyhow]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.68" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anyhow]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.68 -> 1.0.70" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anyhow]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.70 -> 1.0.71" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anyhow]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.71 -> 1.0.72" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anyhow]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.72 -> 1.0.75" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.anyhow]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.75 -> 1.0.79" notes = """ 1.0.75 has been previously audited as \"safe-to-run\", \"does-not-implement-crypto\" - see https://github.com/google/rust-crate-audits/blob/c2d49cb6e80bb817f569debecf846161dcebd88c/audits.toml#L277-L305 The \"1.0.75 -> 1.0.79\" delta meets the same criteria. This is an incremental/delta audit - we don't claim any particular `ub-risk-N` level for the baseline or for the final version. OTOH note that additional uses of `unsafe` have been reviewed in https://crrev.com/c/5178771 and the **delta** was evaluated as `ub-risk-3` - no known unsoundness but: * Little safety comments to explain why a particular usage of `unsafe` is safe and/or necessary * Safety analysis couldn't be done locally, but required considering the whole crate (e.g. checking if the public `Ref.ptr` is mutated anywhere) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.79 -> 1.0.80" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.80 -> 1.0.81" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.81 -> 1.0.82" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.82 -> 1.0.83" notes = "No change to UB-risk profile either." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.83 -> 1.0.86" notes = "Delta only updates the ensure macro implementation, still safe to run, no crypto" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.86 -> 1.0.87" notes = "Minimal changes, mostly renaming std to core for a type" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.87 -> 1.0.89" notes = "No safety-related changes in this delta" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.89 -> 1.0.91" notes = "Minimal changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.91 -> 1.0.93" notes = """ `ensure!` macro tweaks to handle https://github.com/rust-lang/rfcs/blob/master/text/2582-raw-reference-mir-operator.md """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.93 -> 1.0.94" notes = "No behavioral changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.94 -> 1.0.95" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anyhow]] who = "Daniel Cheng " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.95 -> 1.0.97" notes = "Only minor changes to comments, tests, and clippy expectations." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.anymap]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "1.0.0-beta2" notes = "Reviewed in CL 558118223" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arbitrary]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.arbitrary]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.arbitrary]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.arbitrary]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.2.3 -> 1.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.archery]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "1.2.1" notes = "Reviewed in CL 689387930" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.argh]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.argh]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.10 -> 0.1.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.argh_derive]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.argh_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.10 -> 0.1.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.argh_shared]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.argh_shared]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.10 -> 0.1.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.argminmax]] who = "Augie Fackler " criteria = "ub-risk-2" version = "0.6.2" notes = "Reviewed in CL 645900200" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.array-init-cursor]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.2.0" notes = """ Reviewed in CL 702364774 Could have more comments. into_buf can probably be written safely. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrayref]] who = [ "Luca Versari ", "Manish Goregaokar ", ] criteria = "ub-risk-3" version = "0.3.7" notes = """ Reviewed in CL 636647431 Issues found: - Macros do not overflow check before adding pre/post and can cause hard-to-trigger UB. https://github.com/droundy/arrayref/issues/26 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrayref]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.3.7 -> 0.3.9" notes = """ Reviewed in CL 693504716 Diff fixes https://github.com/droundy/arrayref/issues/26 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrayvec]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.arrayvec]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.7.6" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'` and there were no hits, except for some `net` usage in tests. The crate has quite a few bits of `unsafe` Rust. The audit comments can be found in https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2 ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.arrow-buffer]] who = "Augie Fackler " criteria = "ub-risk-2" version = "51.0.0" notes = "Reviewed in CL 637904132" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrow-cast]] who = "Augie Fackler " criteria = "ub-risk-2" version = "51.0.0" notes = "Reviewed in CL 638739847" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrow-data]] who = "Ben Saunders " criteria = "ub-risk-3" version = "51.0.0" notes = "Reviewed in CL 638739833" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrow-select]] who = "Augie Fackler " criteria = "ub-risk-3" version = "51.0.0" notes = "Reviewed in CL 638739853" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.arrow_select]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "53.1.0" notes = """ Reviewed in CL 683334337 Issues found: - filter_run_end_array needs a patch to check its preconditions https://github.com/apache/arrow-rs/issues/6569 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ascii]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ash]] who = "Chia-I Wu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.38.0+1.3.281" notes = "Vulkan binding mostly generated from vk.xml" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ash]] who = "David Koloski " criteria = ["ub-risk-4", "safe-to-deploy"] version = "0.37.0+1.3.209" notes = "Reviewed on https://fxrev.dev/694269" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.askama_derive]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.13.1" notes = "Reviewed in CL 751078334" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.askama_parser]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.13.0" notes = "Reviewed in " aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.assert_matches]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-executor]] who = "Luca Versari " criteria = "ub-risk-2" version = "1.13.1" notes = "Reviewed in CL 737846535" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.async-lock]] who = "Luca Versari " criteria = "ub-risk-2" version = "3.4.0" notes = "Reviewed in CL 740466573" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.async-stream]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-stream]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-stream]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.4 -> 0.3.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-stream]] who = "Tyler Mandry " criteria = ["ub-risk-2", "safe-to-deploy"] version = "0.3.4" notes = "Reviewed on https://fxrev.dev/761470" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.async-stream]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-0"] delta = "0.3.4 -> 0.3.5" notes = "Reviewed on https://fxrev.dev/906795" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.async-stream-impl]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-stream-impl]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-stream-impl]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.4 -> 0.3.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-stream-impl]] who = "Tyler Mandry " criteria = ["ub-risk-2", "safe-to-deploy"] version = "0.3.4" notes = "Reviewed on https://fxrev.dev/761470" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.async-stream-impl]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-0"] delta = "0.3.4 -> 0.3.5" notes = "Reviewed on https://fxrev.dev/906795" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.async-task]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.48" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "Android Legacy" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.61" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.64" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.66" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.66 -> 0.1.68" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.68 -> 0.1.69" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.69 -> 0.1.73" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.async-trait]] who = "David Koloski " criteria = "safe-to-deploy" delta = "0.1.56 -> 0.1.68" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.async_stream]] who = "Luca Versari " criteria = "ub-risk-3" version = "0.3.6" notes = "Reviewed in CL 814718864" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.atomic-polyfill]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.atomic-polyfill]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.11 -> 1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.atty]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.atty]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.autocfg]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.autocfg]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.8 -> 1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.autocfg]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "1.1.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for reasonable, client-controlled usage of `std::fs` in `AutoCfg::with_dir`. This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb The CL description contains a link to a Google-internal document with audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.autocfg]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.4.0" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.autocfg]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.1.0 -> 1.2.0" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and nothing changed from the baseline audit of 1.1.0. Skimmed through the 1.1.0 => 1.2.0 delta and everything seemed okay. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.autocfg]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.2.0 -> 1.4.0" notes = "Still no `unsafe`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.axum]] who = "ChromeOS" criteria = "safe-to-run" version = "0.5.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.axum]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.17" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.axum-core]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.axum-core]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.backtrace]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.67" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.backtrace]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.67 -> 0.3.68" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.backtrace]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.68 -> 0.3.69" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bare-metal]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bare-metal]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.5 -> 1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.base64]] who = "Android Legacy" criteria = "safe-to-run" version = "0.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.base64]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.13.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.base64]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.13.1 -> 0.10.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.base64]] who = "Adam Langley " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "0.13.1" notes = "Skimmed the uses of `std` to ensure that nothing untoward is happening. Code uses `forbid(unsafe_code)` and, indeed, there are no uses of `unsafe`" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.base64]] who = "amarjotgill " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.22.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.base64ct]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "1.6.0" notes = "Reviewed in CL 592910669" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bayer]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.beef]] who = "Ben Saunders " criteria = "ub-risk-1" version = "0.5.0" notes = "Reviewed in CL 742874865" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bincode]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "Android Legacy" criteria = "safe-to-run" version = "0.57.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.60.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.63.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.70.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.60.1 -> 0.59.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.63.0 -> 0.64.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.64.0 -> 0.68.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bindgen]] who = "Bob Haarman " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.68.1 -> 0.69.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bit-set]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bit-set]] who = [ "Manish Goregaokar ", "Augie Fackler ", ] criteria = "ub-risk-2" version = "0.5.3" notes = """ Reviewed in CL 615008047 Uses unsafe operations from bit-vec that are not actually unsafe. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bit-vec]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bit-vec]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bit_field]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.10.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bit_field]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.10.2" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitfield]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.13.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "Android Legacy" criteria = "safe-to-run" version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.3.2 -> 2.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.2.1 -> 2.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.3.1 -> 2.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.3.2 -> 2.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitflags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "1.3.2" notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review The crate exposes a function marked as `unsafe`, but doesn't use any `unsafe` blocks (except for tests of the single `unsafe` function). I think this justifies marking this crate as `ub-risk-1`. Additional review comments can be found at https://crrev.com/c/4723145/31 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bitflags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.4.2" notes = """ Audit notes: * I've checked for any discussion in Google-internal cl/546819168 (where audit of version 2.3.3 happened) * `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` * There are 2 cases of `unsafe` in `src/external.rs` but they seem to be correct in a straightforward way - they just propagate the marker trait's impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type * Additional discussion and/or notes may be found in https://crrev.com/c/5238056 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bitflags]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.4.2 -> 2.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bitflags]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.5.0 -> 2.6.0" notes = "The changes from the previous version are negligible and thus it retains the same properties." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bitflags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.6.0 -> 2.8.0" notes = "No changes related to `unsafe impl ... bytemuck` pieces from `src/external.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bitflags]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.8.0 -> 2.9.0" notes = "Adds a straightforward clear() function, but no new unsafe code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bitflags]] who = "Taylor Cramer " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "2.3.3" notes = "Reviewed in CL 545304270" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bitmaps]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "2.1.0" notes = """ Reviewed in CL 755933866 This has incorrect usage of target_feature: https://github.com/bodil/bitmaps/issues/31 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bitmaps]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "3.2.1" notes = """ Reviewed in CL 755933866 Issues found: - Incorrect use of target_feature https://github.com/bodil/bitmaps/issues/31 - Incorrect layout assumptions around bool https://github.com/bodil/bitmaps/issues/29 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bitreader]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitreader]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.3.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitreader]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.3.7" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bitvec]] who = "ChromeOS" criteria = "safe-to-run" version = "0.19.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.blazesym]] who = "Hidenori Kobayashi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.0-rc.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.blazesym-c]] who = "Hidenori Kobayashi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.0-rc.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.block-buffer]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.10.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.boxcar]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.2.10" notes = "Reviewed in CL 736485432" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.brotli]] who = "Ben Saunders " criteria = "ub-risk-2" version = "3.5.0" notes = "Reviewed in CL 641306142" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bstr]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.10.0" notes = """ WARNING: This certification is a result of a **partial** audit. The `unicode` feature has **not** been audited. The unicode feature has soundness that depends on the correctness of regex automata that are shipped as binary blobs. They have not been reviewed here.Ability to track partial audits is tracked in https://github.com/mozilla/cargo-vet/issues/380. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bstr]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.10.0 -> 1.11.0" notes = "Changes two unsafe blocks to use core::mem::align_of instead of core::mem::size_of which shouldn't differ on mainstream platforms." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bstr]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.11.0 -> 1.11.1" notes = "This release just excludes Unicode data files from being published to crates.io" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bstr]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.11.1 -> 1.11.3" notes = "No unsafe changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.btoi]] who = "Ben Saunders " criteria = ["ub-risk-0", "does-not-implement-crypto"] version = "0.4.3" notes = "Reviewed in CL 581228675" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.built]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bulletproofs]] who = "Manish Goregaokar " criteria = "ub-risk-0" version = "5.0.0" notes = """ Reviewed in CL 666491560 Only unsafe is in tests """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bumpalo]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "3.14.0" notes = "Reviewed in CL 574186321" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bytecount]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytecount]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.6.7" notes = """ Reviewed in CL 596699465 Is sound, but needs safety docs """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bytemuck]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytemuck]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.13.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" version = "1.16.3" notes = """ Review notes from the original audit (of 1.14.3) may be found in https://crrev.com/c/5362675. Note that this audit has initially missed UB risk that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258. Because of this, the original audit has been edited to certify version `1.16.3` instead (see also https://crrev.com/c/5771867). """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = ["does-not-implement-crypto", "ub-risk-4"] delta = "1.13.1 -> 1.14.3" notes = """ Review notes from the original audit may be found in https://crrev.com/c/5362675. Note that this audit has initially missed UB risk that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258. Because of this, the original audit has been edited to certify `ub-risk-4` instead. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.13.1 -> 1.16.3" notes = """ The certification of the 1.13.1 => 1.16.1 delta is based on: * 1.13.1 -> 1.14.3 audit in https://crrev.com/c/5362675. Note that this audit has initially missed UB risk that was fixed in 1.16.2 - see https://github.com/Lokathor/bytemuck/pull/258. * 1.14.3 -> 1.15.0 audit in https://crrev.com/c/5380327 * 1.15.0 -> 1.16.0 audit in https://crrev.com/c/5535688 * 1.16.0 -> 1.16.1 audit in https://crrev.com/c/5650895 When auditing the changes in the 1.16.1 -> 1.16.3 delta it seems that: * The changes correctly account for ZSTs: * Avoiding division-by-zero errors * Avoiding UB in `BoxBytes::drop` * The changes preserve safety gurantees for nearby `unsafe` blocks """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.14.3 -> 1.15.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.15.0 -> 1.16.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.16.0 -> 1.16.1" notes = """ The delta only adds `f16` and `f128` support (with some other minor changes) and has no impact on the audit criteria. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = "ub-risk-3" delta = "1.16.3 -> 1.17.0" notes = """ 1.17.0 may rely on `union` layout that is not guaranteed by the compiler. See https://github.com/Lokathor/bytemuck/pull/268 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.16.3 -> 1.17.1" notes = "Unsafe review comments can be found in https://crrev.com/c/5813463" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.17.1 -> 1.18.0" notes = "No code changes - just altering feature flag arrangements" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.18.0 -> 1.19.0" notes = "No code changes - just comment changes and adding the track_caller attribute." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.19.0 -> 1.20.0" notes = "`unsafe` review can be found at https://crrev.com/c/6096767" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.20.0 -> 1.21.0" notes = "Unsafe review at https://chromium-review.googlesource.com/c/chromium/src/+/6111154/" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.21.0 -> 1.22.0" notes = """ This adds new instances of unsafe, but the uses are justified: - BoxBytes is essentially a Box<[u8], which is Send + Sync, so also marking BoxBytes as Send + Sync is justified. - core::num::Saturating meets the criteria for Zeroable + Pod, so marking it as such is justified. See https://crrev.com/c/6321863 for more audit notes. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck]] who = [ "Manish Goregaokar ", "Łukasz Anforowicz ", ] criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "1.13.1" notes = "Reviewed in CL 561111794" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bytemuck_derive]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.6.0" notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits except for 8 occurrences of `unsafe`. Additional `unsafe` review comments can be found in https://crrev.com/c/5445719. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.6.0 -> 1.6.1" notes = """ No behavior/code changes AFAICT - only adding `#[allow(clippy::multiple_bound_locations)]`, doc comments, and making some cosmetic changes in non-`.rs` files. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.6.1 -> 1.7.0" notes = """ Added support for Zeroable enums, which requires them to be represented as an integer and to have 0 as one of their values. Other trivial/formatting changes. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.7.0 -> 1.7.1" notes = """ No impact on safety AFAICT - the delta only specifies a new attribute for `proc_macro_derive` to work around re-export issues described at https://github.com/Lokathor/bytemuck/issues/159 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.7.1 -> 1.8.0" notes = "Unsafe review: https://crrev.com/c/5921014" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.8.0 -> 1.8.1" notes = "Changes do not impact safety." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytemuck_derive]] who = "Chris Palmer " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.8.1 -> 1.9.2" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.byteorder]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.5.0" notes = "Unsafe review in https://crrev.com/c/5838022" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.byteorder]] who = "Alyssa Haroldsen " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "1.4.3" notes = """ Reviewed in CL 559206679 Issues found: - https://github.com/BurntSushi/byteorder/issues/194 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.bytes]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytes]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.bytes]] who = "agl@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.4.0 -> 1.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.5.0 -> 1.6.0" notes = "Update removes some unsafe, and includes verifiable safety comments for newly-added unsafe." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.6.0 -> 1.6.1" notes = "Very minor update, no unsafe changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.6.1 -> 1.7.1" notes = "Many changes but they seem to meet the low bar of safe-to-run." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.7.1 -> 1.7.2" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.7.2 -> 1.8.0" notes = "smol change, does not add unsafe code, majority of change is new tests" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.8.0 -> 1.9.0" notes = "Reviewed in https://crrev.com/c/6072366." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.9.0 -> 1.10.0" notes = """ Reviewed in https://crrev.com/c/6235725. Very large change in buf_impl.rs as well but no unsafe changes there specifically. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bytes]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.0 -> 1.10.1" notes = """ Still no crypto, and safe to run with trustworthy inputs. There are some `unsafe`-related changes in the delta, but I didn't evaluate those, because this is not required for `safe-to-run` certification. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.bzip2]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.6.1" notes = "Reviewed in CL 828354407" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.calendrical_calculations]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.1.2" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.calendrical_calculations]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.1.2 -> 0.1.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.caliptra_cfi]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.1.0" notes = """ Reviewed in CL 609792409 Rating is ub-risk-4 because this crate makes assumptions about single-threadedness. However, on the platform it is intended for, this is fine and can be treated as having ub-risk-3. Issues found: https://github.com/chipsalliance/caliptra-cfi/pull/10 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.capnp]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.14.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cargo-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "8.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cast]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.castaway]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.2.3" notes = "Reviewed in CL 683065028" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cbindgen]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.24.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cbindgen]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.24.5 -> 0.27.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.79" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.79 -> 1.0.82" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.82 -> 1.0.83" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cexpr]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cexpr]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cexpr]] who = "Android Legacy" criteria = "safe-to-run" version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cexpr]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.0 -> 0.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cfg-if]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cfg-if]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cfg-if]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cfg-if]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.0" notes = ''' I grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. This is a really small crate (only `lib.rs` which is less than 200 lines + one end-to-end test) so I also skimmed through the macro's definition and everything looks okay to me. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cfg_aliases]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cfg_aliases]] who = "Hsin-chen Chuang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.1 -> 0.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.chacha20]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.8.1 -> 0.9.0" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.chacha20]] who = "" criteria = "ub-risk-2" version = "0.9.1" notes = "Reviewed in CL 640124703" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.chalk_ir]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.92.0" notes = "Reviewed in CL 558137822" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.chalk_ir]] who = "Manish Goregaokar " criteria = "ub-risk-0" version = "0.95.0" notes = "Reviewed in CL 599467162" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.chrono]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.23" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.chrono]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.23 -> 0.4.24" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.chrono]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.24 -> 0.4.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.chrono]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.26 -> 0.4.34" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.chunked_transfer]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.chunked_transfer]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.4.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ciborium]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ciborium-io]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ciborium-ll]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clang-sys]] who = "Android Legacy" criteria = "safe-to-run" version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clang-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.6.0" notes = "No attempt was made to audit the DSO(s) this links to; only the Rust code was looked at." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clang-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.6.0 -> 1.6.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "Android Legacy" criteria = "safe-to-run" version = "2.33.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.34.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.2.22" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.2.23" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.0.32" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.5.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.0.32 -> 4.1.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.4.8" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = "ub-risk-0" version = "4.5.0" notes = "No `unsafe`" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "4.5.15" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits, except for `std::net::IpAddr` usage in `examples/typed-derive.rs`. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.4.8 -> 4.4.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.4.14 -> 4.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.0 -> 4.5.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.1 -> 4.5.2" notes = "Reviewed in https://crrev.com/c/5362201" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.2 -> 4.5.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.3 -> 4.5.4" notes = "Minimal diff - only module naming/nesting-related changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.4 -> 4.5.7" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.7 -> 4.5.8" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.8 -> 4.5.9" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.15 -> 4.5.16" notes = """ The only change in the delta is explicitly listing re-exports instead of using a `*` wildcard in `pub use clap_derive::{self, *}`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "4.5.15 -> 4.5.17" notes = "Minor code change and toml changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "4.5.17 -> 4.5.18" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "4.5.18 -> 4.5.20" notes = "Trivial changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.20 -> 4.5.21" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.21 -> 4.5.23" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.23 -> 4.5.27" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.27 -> 4.5.28" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Jonathan Hao " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.28 -> 4.5.29" notes = "No code changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Daniel Cheng " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.29 -> 4.5.31" notes = "Comment-only change to update version." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.31 -> 4.5.32" notes = "Only `examples` changes + comment-only changes in `lib.rs` and `_tutorial.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.1.14" notes = """ This was a diff audit between clap 4.0.32 sources, and sources in clap_builder 4.1.14. clap_builder is primarily stuff refactored out of `clap`. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.5.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_builder]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.4.8" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = "ub-risk-0" version = "4.5.0" notes = "No `unsafe`" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "4.5.15" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.4.8 -> 4.4.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.4.14 -> 4.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.0 -> 4.5.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.1 -> 4.5.2" notes = "Reviewed in https://crrev.com/c/5362201" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.2 -> 4.5.7" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.7 -> 4.5.8" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.8 -> 4.5.9" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "4.5.15 -> 4.5.17" notes = "No new unsafe, net, fs" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "4.5.17 -> 4.5.18" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] delta = "4.5.18 -> 4.5.20" notes = "No new unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.20 -> 4.5.21" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.21 -> 4.5.23" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.23 -> 4.5.27" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Jonathan Hao " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.27 -> 4.5.29" notes = "Only changed `args_present` method a bit and added a `value` method to `flat_map`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Daniel Cheng " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.29 -> 4.5.31" notes = "No unsafe uses added or changed. Delta consists of miscellaneous fixes and cleanups (e.g. improvements for ValueRange) and a new parser for Saturating." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_builder]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.5.31 -> 4.5.32" notes = "Just a new `fn remove` method in `src/error/mod.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_conf]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_derive]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.2.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_derive]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.5.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_derive]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.2.18 -> 4.0.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.0.18 -> 4.0.21" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "4.0.21 -> 4.1.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_lex]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_lex]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_lex]] who = "George Burgess IV " criteria = "does-not-implement-crypto" delta = "0.4.1 -> 0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.clap_lex]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.0 -> 0.7.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0 -> 0.7.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.1 -> 0.7.2" notes = "No `.rs` changes in the delta." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.2 -> 0.7.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.3 -> 0.7.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.clap_lex]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.5.0" notes = """ Reviewed in CL 559377426 Issues: - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280) - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.clap_lex]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.5.1 -> 0.6.0" notes = """ Reviewed in CL 596708333 Issues: - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280) - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.clap_lex]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.7.2 -> 0.7.3" notes = "Reviewed in CL 701531434" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.clap_lex]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.7.3 -> 0.7.4" notes = """ Reviewed in CL 709087295 No change since previous review """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.clear_on_drop]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.2.5" notes = """ Reviewed in CL 666491561 Issues: - Could use some safety comments - Clear::clear() would ideally discard the &mut self and only work with raw pointers to avoid tripping anything around reference validity. Impl is *probably* fine given the way T-opsem is leaning """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.clru]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.6.1" notes = "Reviewed in CL 581562557" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cmake]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.45" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cmake]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.48" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cmake]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.49" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cmake]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.49" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cmake]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.49 -> 0.1.50" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.codespan-reporting]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.1" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.color_quant]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.color_quant]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.1.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.colorchoice]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.colored]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.colored]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.0.4 -> 2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.com_logger]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.command-fds]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" notes = "Already used in AOSP." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.command_group]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "2.0.1" notes = """ Reviewed in CL 561009596 Issues found: - https://github.com/watchexec/command-group/issues/20 - https://github.com/watchexec/command-group/issues/19 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.compact_str]] who = "Augie Fackler " criteria = "ub-risk-2" version = "0.7.1" notes = "Reviewed in CL 639198555" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.configparser]] who = "ChromeOS" criteria = "safe-to-run" version = "3.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.configparser]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "3.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.configparser]] who = "George Burgess IV " criteria = "ub-risk-0" version = "3.0.2" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.configparser]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.0.2 -> 3.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.console]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.15.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.console]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.15.5 -> 0.15.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.console]] who = "" criteria = "ub-risk-2" version = "0.15.8" notes = "Reviewed in CL 683999046" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.constant_time_eq]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.3.0" notes = "Reviewed in CL 587904821" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.constcat]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.5.1" notes = "Reviewed in CL 706930648" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.core-foundation]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.10.0" notes = """ Reviewed in CL 711537864 FFI crate """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.core-foundation-sys]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.8.7" notes = "OSX system APIs" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.core-foundation-sys]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.8.7" notes = "Reviewed in CL 711535914" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.core_maths]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.1.1" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cortex-m]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cortex-m-rt-macros]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.15" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cortex-m-rtic]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cortex-m-rtic-macros]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.countme]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "3.0.1" notes = "Reviewed in CL 558181122" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cpp_demangle]] who = "Hidenori Kobayashi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cpufeatures]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cpufeatures]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.8 -> 0.2.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crabbyavif]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.1.0" notes = "Reviewed in CL 781088700" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cranelift-entity]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.113.1" notes = "Reviewed in CL 698407144" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cranelift-entity]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] delta = "1.113.1 -> 1.114.0" notes = """ Reviewed in CL 699228957 No change in unsafe code since last import """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.crc]] who = "Bastian Kersting " criteria = ["safe-to-run", "crypto-safe"] delta = "2.1.0 -> 3.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crc-catalog]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.1" notes = """ crc-catalog has no actual functions or logic implementing crypto; it's just a few types and `const`s that outline different CRC configurations. Hence, this doesn't implement crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crc-catalog]] who = "Bastian Kersting " criteria = "does-not-implement-crypto" delta = "1.1.1 -> 2.2.0" notes = "This crate exposes a catalog of types that represent read-only versions of algorithms. There is no line of code that actually does something within this crate, but rather information about the algorithms as Rust types-" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crc-catalog]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.1.1 -> 2.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crc32c]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.6.5" notes = """ Reviewed in CL 608991681 Does not have much unsafe (some use of hardware intrinsics, one bit of pointer manipulation). However, the unsafe isn't documented enough. Can be upgraded to a rating 2 or 1 with some unsafe documentation. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.crc32fast]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.3.2" notes = """ This package implements CRC, which is not intended to be cryptographically secure. Hence, this crate does-not-implement-crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crc32fast]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.4.2" notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review Audit comments for 1.4.2 can be found at https://crrev.com/c/4723145. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.crc32fast]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.3.2" notes = "Reviewed in CL 558895300" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.critical-section]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.critical-section]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.1.1 -> 1.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.critical-section]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.1.2 -> 1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-codecs]] who = "Alexandre Courbot " criteria = "does-not-implement-crypto" version = "0.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-codecs]] who = "Alexandre Courbot " criteria = "safe-to-run" version = "0.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-codecs]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.0.2 -> 0.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-codecs]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.0.3 -> 0.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-libva]] who = "Alexandre Courbot " criteria = "does-not-implement-crypto" version = "0.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-libva]] who = "Alexandre Courbot " criteria = "safe-to-run" version = "0.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-libva]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-libva]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-libva]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cros-libva]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.0.3 -> 0.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-channel]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-channel]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.5.7 -> 0.5.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-deque]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-epoch]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-epoch]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.9.14 -> 0.9.15" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-utils]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.15" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossbeam-utils]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.15 -> 0.8.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.crossterm]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.26.1" notes = """ Reviewed in CL 562140151 Issues: - Internal API permits buffer overruns (https://github.com/crossterm-rs/crossterm/pull/821) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.crossterm]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] delta = "0.26.1 -> 0.27.0" notes = """ Reviewed in CL 566337315 Issues: - Internal API permits buffer overruns (https://github.com/crossterm-rs/crossterm/pull/821) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cstr_core]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cstream]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.1.1" notes = "Reviewed in CL 805553961" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ctor]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ctor]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.2.4" notes = """ Reviewed in CL 552861146 Issues found: - https://github.com/mmastrac/rust-ctor/pull/294 - https://github.com/mmastrac/rust-ctor/pull/293 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ctrlc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ctrlc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.2.4 -> 3.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ctrlc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.3.0 -> 3.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ctrlc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.4.0 -> 3.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ctrlc]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "3.4.0" notes = "Reviewed in CL 587904024" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cty]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.curve25519-dalek]] who = "Ben Saunders " criteria = "ub-risk-1" version = "4.0.0" notes = "Reviewed in CL 557134163" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.curve25519-dalek-derive]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.1.0" notes = """ Reviewed in CL 557129495 Issues found: - https://github.com/dalek-cryptography/curve25519-dalek/issues/563 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.cxx]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.42" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.92" notes = """ There is an implementation of SipHash in cxx/ at src/sip.rs. This hash is not considered cryptographically secure, and is not used within a context where cryptographic security is critical. Hence, it's not considered to be an \"implementation of crypto\". More directly, its current usage is just in HashMap, and its purposes are: - randomness and speed suitable for use as a HashMap hasher - difficult to DoS with attacker-controlled inputs For more, see comments on https://crrev.com/c/4411368 . """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.92 -> 1.0.94" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.94 -> 1.0.97" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.97 -> 1.0.106" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.106 -> 1.0.107" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.110" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Lukasz Anforowicz " criteria = "does-not-implement-crypto" version = "1.0.117" notes = """ Grepped for \"crypt\", \"cipher\" - there were no hits (except for benign hits in `MODULE.bazel.lock`) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "danakj " criteria = "does-not-implement-crypto" version = "1.0.122" notes = """ safe-to-deploy and ub-risk-2 are provided by exemption. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "danakj " criteria = "does-not-implement-crypto" delta = "1.0.117 -> 1.0.119" notes = "Reviewed in https://crrev.com/c/5362739" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Dustin J. Mitchell " criteria = "does-not-implement-crypto" delta = "1.0.119 -> 1.0.120" notes = "Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5392544." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Adrian Taylor " criteria = "does-not-implement-crypto" delta = "1.0.120 -> 1.0.121" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Adrian Taylor " criteria = "does-not-implement-crypto" delta = "1.0.122 -> 1.0.123" notes = "safe-to-deploy and ub-risk-2 are provided by exemption" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Dustin J. Mitchell " criteria = "does-not-implement-crypto" delta = "1.0.123 -> 1.0.124" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Lukasz Anforowicz " criteria = "does-not-implement-crypto" delta = "1.0.124 -> 1.0.126" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx]] who = "Adrian Taylor " criteria = "does-not-implement-crypto" delta = "1.0.129 -> 1.0.130" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxx-build]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.97" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxx-build]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.121" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.110" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.110" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.110 -> 1.0.115" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.115 -> 1.0.116" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.116 -> 1.0.117" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.117 -> 1.0.118" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.118 -> 1.0.119" notes = "Reviewed in https://crrev.com/c/5362136" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.119 -> 1.0.120" notes = "Version bump only." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.120 -> 1.0.121" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.121 -> 1.0.122" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.122 -> 1.0.123" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.123 -> 1.0.124" notes = "No changes except to dependencies" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.124 -> 1.0.126" notes = """ Only minor changes: * Using `let Some(foo) = ... else { ... }` pattern in a few places. * Exposing an extra constructor for `rust::Slice`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.126 -> 1.0.128" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.128 -> 1.0.129" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.129 -> 1.0.130" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.130 -> 1.0.131" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.131 -> 1.0.134" notes = "No code changes in the delta." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.134 -> 1.0.135" notes = """ Minimal change in `syntax/parse.rs` (coming from my https://github.com/dtolnay/cxx/pull/1414) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.135 -> 1.0.136" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.136 -> 1.0.137" notes = "The delta just removes some clippy opt-outs." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.137 -> 1.0.140" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Takuto Ikuta " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.140 -> 1.0.141" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Daniel Cheng " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.141 -> 1.0.143" notes = "Clippy lint suppression and... a C++ deduction guide for cxx::Slice." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-cmd]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.143 -> 1.0.146" notes = "Only propagating `cxx.h` change from the main `cxx` roll." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.42" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.92" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.92" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.94" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.107" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "1.0.92 -> 1.0.94" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.94 -> 1.0.97" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.97 -> 1.0.106" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "1.0.106 -> 1.0.107" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.110" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.122" notes = "no grep hits for cipher, crypto, fs, net, or unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.122 -> 1.0.123" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.123 -> 1.0.124" notes = "No changes in this delta" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.124 -> 1.0.126" notes = "No changes in this delta" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.126 -> 1.0.128" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Liza Burakova " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.128 -> 1.0.129" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.129 -> 1.0.130" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.130 -> 1.0.131" notes = "no grep hits for cipher, crypto, fs, net, or unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.131 -> 1.0.135" notes = "No code changes in the delta" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.135 -> 1.0.136" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.136 -> 1.0.137" notes = "The delta just removes `#![allow(clippy::let_and_return)]` from `lib.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.137 -> 1.0.140" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Takuto Ikuta " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.140 -> 1.0.141" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.141 -> 1.0.143" notes = "Only changes for rustdoc generation." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-flags]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.143 -> 1.0.146" notes = "No actual changes in this delta - just a version bump." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.42" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.92" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.92 -> 1.0.94" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.94 -> 1.0.97" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.97 -> 1.0.106" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.106 -> 1.0.107" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "danakj " criteria = "does-not-implement-crypto" version = "1.0.122" notes = """ no grep hits for cipher, crypto. safe-to-deploy and ub-risk-2 are provided by exemption. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "Adrian Taylor " criteria = "does-not-implement-crypto" delta = "1.0.122 -> 1.0.123" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "Dustin J. Mitchell " criteria = "does-not-implement-crypto" delta = "1.0.123 -> 1.0.124" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "Lukasz Anforowicz " criteria = "does-not-implement-crypto" delta = "1.0.124 -> 1.0.126" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.cxxbridge-macro]] who = "Adrian Taylor " criteria = "does-not-implement-crypto" delta = "1.0.129 -> 1.0.130" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.daemonize]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.5.0" notes = "Reviewed in CL 670551760" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.dary_heap]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.3.7" notes = "Reviewed in CL 778340537" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.dashmap]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "5.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dasp_frame]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dasp_interpolate]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dasp_ring_buffer]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dasp_sample]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.data-encoding]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.data-encoding]] who = "Lukasz Anforowicz " criteria = "ub-risk-3" version = "2.7.0" notes = """ https://github.com/ia0/data-encoding/issues/75 was partially addressed via `#[doc(hidden)]` added in https://github.com/ia0/data-encoding/pull/76, but the original repro from issue #75 can still trigger Undefined Behavior through public APIs exposed by the `data-encoding` crate (without using `unsafe`, and without using APIs named something like `internal_field_do_not_use`). Additionally, the discussion in https://github.com/ia0/data-encoding/issues/124 leans toward `unsafe` encapsulation at a crate level, requiring crate-**global** reasoning to prove soundness of public crate APIs. Specifically, the crate currently has a internal function that can cause Undefined Behavior if the caller doesn't uphold certain (implied, not explicitly documented) safety requirements. The fact that such function is not marked as `unsafe` effectively means that safety audit can't terminate and use **local** reasoning near `unsafe` expression boundaries. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.dbus]] who = "ChromeOS Legacy" criteria = "safe-to-run" version = "0.9.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-codegen]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.10.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-crossroads]] who = "ChromeOS" criteria = "safe-to-run" version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-crossroads]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-crossroads]] who = "George Burgess IV " criteria = "does-not-implement-crypto" delta = "0.5.2 -> 0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-tokio]] who = "ChromeOS" criteria = "safe-to-run" version = "0.7.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-tokio]] who = "ChromeOS" criteria = "safe-to-run" version = "0.7.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-tokio]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dbus-tree]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.deduplicating_array]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.1.7" notes = """ Reviewed in CL 700071397 Safe, but needs safety comments """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.defmt-macros]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.defmt-parser]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.deqp-runner]] who = "Matt Turner " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.13.1 -> 0.18.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.deranged]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.3.0" notes = "Reviewed in CL 683999039" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.deranged]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.3.9" notes = "Reviewed in CL 579385986" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.derive-getters]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.derive-into-owned]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.derive_builder]] who = "Manish Goregaokar " criteria = "ub-risk-0" version = "0.20.0" notes = "Reviewed in CL 644303353" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.difflib]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.diplomat]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.9.0" notes = "Unsafe code pertaining to defining FFI interfaces" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.diplomat]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] delta = "0.9.0 -> 0.10.0" notes = "Similar unsafe code pertaining to FFI interfaces" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.diplomat-runtime]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.9.0" notes = "Unsafe code pertaining to defining FFI-compatible types, with safety comments." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.diplomat-runtime]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] delta = "0.9.0 -> 0.10.0" notes = "Very minor diff" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.diplomat_core]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.9.0" notes = "No unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.diplomat_core]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-0"] delta = "0.9.0 -> 0.10.0" notes = "No unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.dirs-next]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dirs-next]] who = "George Burgess IV " criteria = "ub-risk-0" version = "2.0.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dirs-sys-next]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dispatch2]] who = "" criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.3.0" notes = "Reviewed in CL 752745648" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.displaydoc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.displaydoc]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.2.5" notes = "No unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.document-features]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.document-features]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.2.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.document-features]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.2.7" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.downcast]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.downcast-rs]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.drm]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.12.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.drm-ffi]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.drm-fourcc]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.drm-sys]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.dyn-clone]] who = [ "Ben Saunders ", "Augie Fackler ", "Luca Versari ", ] criteria = "ub-risk-2" version = "1.0.17" notes = "Reviewed in CL 637023476" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.dyn-stack]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] delta = "0.9.0 -> 0.11.0" notes = "Reviewed in CL 754079845" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ecdsa]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.13.4 -> 0.14.8" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.ed25519-compact]] who = "George Burgess IV " criteria = "safe-to-run" version = "1.0.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.educe]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.4.23" notes = """ Reviewed in CL 778349439 Issues found: - https://github.com/magiclen/educe/issues/45 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.either]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.8.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.either]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.8.1 -> 1.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.either]] who = "agl@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.9.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "1.13.0" notes = "Unsafe code pertaining to wrapping Pin APIs. Mostly passes invariants down." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.9.0 -> 1.10.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.0 -> 1.11.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.11.0 -> 1.12.0" notes = "Only changes the MSRV and adds a (safe) trait specialization." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.12.0 -> 1.13.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "1.13.0 -> 1.14.0" notes = """ Inheriting ub-risk-1 from the baseline review of 1.13.0. While the delta has some diffs in unsafe code, they are either: - migrating code to use helper macros - migrating match patterns to take advantage of default bindings mode from RFC 2005 Either way, the result is code that does exactly the same thing and does not change the risk of UB. See https://crrev.com/c/6323164 for more audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.either]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "1.14.0 -> 1.15.0" notes = "The delta in `lib.rs` only tweaks doc comments and `#[cfg(feature = \"std\")]`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.elliptic-curve]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.11.12 -> 0.12.3" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.embedded-hal-mock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.encode_unicode]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "1.0.0" notes = "Reviewed in CL 683999023" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.encoding_rs]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.8.33" notes = """ Reviewed in CL 605370461 Needs extensive safety comments: - https://github.com/hsivonen/encoding_rs/pull/101 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.endian-type]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.endian-type]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enum-ordinalize]] who = "" criteria = "ub-risk-2" version = "3.1.15" notes = "Reviewed in CL 778348618" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.enumflags2]] who = "Zhengping Jiang " criteria = "does-not-implement-crypto" version = "0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumflags2]] who = "Zhengping Jiang " criteria = "safe-to-run" version = "0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumflags2]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.7.8" notes = "Reviewed in CL 603523557" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.enumflags2_derive]] who = "Zhengping Jiang " criteria = "does-not-implement-crypto" version = "0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumflags2_derive]] who = "Zhengping Jiang " criteria = "safe-to-run" version = "0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.8" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.10" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.11" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.12" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "0.1.8 -> 0.1.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "0.1.10 -> 0.1.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "0.1.11 -> 0.1.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.enumn]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.12 -> 0.1.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.env_logger]] who = "Android Legacy" criteria = "safe-to-run" version = "0.8.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.env_logger]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.env_logger]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.9.3 -> 0.8.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.equator-macro]] who = "" criteria = "ub-risk-4" version = "0.4.2" notes = """ Reviewed in CL 752779890 The unsafe code is a transmute from a user-provided type to a user-provided type, so it is trivially unsound. Would be better if e.g. the proc macro was renamed unsafe_assert, and had a safety comment describing the preconditions. (It is currently named `assert`, and undocumented.) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.equivalent]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.equivalent]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.equivalent]] who = "Jonathan Hao " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.1 -> 1.0.2" notes = "No changes to any .rs files or Rust code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.errno]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.errno]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.errno]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.8 -> 0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.errno]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.1 -> 0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.errno]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.2 -> 0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.errno]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.2.8" notes = "Reviewed in CL 567624402" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.error-chain]] who = "ChromeOS" criteria = "safe-to-run" version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.error-chain]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.12.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.error-chain]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.12.4" notes = "Reviewed in CL 545732008" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.etcetera]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.10.0" notes = "Reviewed in CL 750960146" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.etherparse]] who = "Ben Saunders " criteria = "ub-risk-1" version = "0.18.0" notes = "Reviewed in CL 775556814" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ethnum]] who = "Ben Saunders " criteria = "ub-risk-4" version = "1.5.0" notes = """ Reviewed in CL 624267108 Issues found: - error.rs: Unsoundly transmutes into std error types, making assumptions about stability and layout - fmt.rs: GenericRadix trait should be unsafe - fmt.rs: fmt_u256 has safety comments that are incorrect """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.euclid]] who = "ChromeOS" criteria = "safe-to-run" version = "0.22.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.euclid]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.22.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.euclid]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.22.11" notes = "Reviewed in CL 719023061" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.exitcode]] who = "Gwendal Grignou " criteria = ["safe-to-run", "crypto-safe"] version = "1.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ext-trait]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ext-trait-proc_macros]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ext2]] who = "Edward O'Callaghan " criteria = ["safe-to-run", "crypto-safe"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ext4-view]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ext4-view]] who = "Ted Brandston " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.0 -> 0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.extension-traits]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fallible-iterator]] who = "Hidenori Kobayashi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fast-float]] who = ["Augie Fackler ", "< manishearth@google.com>"] criteria = "ub-risk-4" version = "0.2.0" notes = """ Reviewed in Issues found: - https://github.com/aldanor/fast-float-rust/issues/37 (multiple issues) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.faster-hex]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.8.1" notes = """ Reviewed in CL 579318683 Issues found: - https://github.com/nervosnetwork/faster-hex/pull/39 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fastrand]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.9.0" notes = """ `does-not-implement-crypto` is certified because this crate explicitly says that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fastrand]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.9.0" notes = """ `rg -i unsafe` resulted in two hits for this package: 1. `#![forbid(unsafe_code)]` 2. A CHANGELOG entry noting that unsafe code was forbidden. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fastrand]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fd-lock]] who = "ChromeOS" criteria = "safe-to-run" version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fd-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.0.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fd-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.0.9 -> 3.0.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fd-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "3.0.9 -> 3.0.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fdeflate]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.3.4" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits. Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fdeflate]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.3.4 -> 0.3.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fdeflate]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.3.5 -> 0.3.6" notes = "No unsafe, no crypto, mysterious tables replaced with const expressions" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fdeflate]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.3.6 -> 0.3.7" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fdt]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.1.5" notes = """ Reviewed in CL 565675584 No usage of unsafe; one public unsafe function with documented invariants. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fend-core]] who = "jiwan@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.4.6" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.4.6 -> 1.4.8" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.4.8 -> 1.4.9" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.4.9 -> 1.5.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.5.0 -> 1.5.1" notes = "Only `Cargo.toml` changes + defining two new measurement units." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.5.1 -> 1.5.2" notes = "No unsafe, no crypto" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.5.2 -> 1.5.3" notes = "No new unsafe, fs, net." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.5.3 -> 1.5.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fend-core]] who = "Chris Palmer " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.5.5 -> 1.5.6" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.filedescriptor]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.filedescriptor]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.8.2" notes = "Reviewed in CL 715944931" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.filetime]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.22" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.filetime]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.2.19" notes = "Reviewed in CL 559795004" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.find-msvc-tools]] who = "" criteria = "ub-risk-3" version = "0.1.2" notes = "Reviewed in CL 810860514" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fixed_decimal]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.6.0" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fixed_decimal]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-0"] delta = "0.6.0 -> 0.7.0" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.fixedbitset]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fixedbitset]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.2.0" notes = "Reviewed in CL 559071858" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.flatbuffers]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "23.5.26" notes = "Reviewed in CL 638739860" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.flate2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.flate2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.26 -> 1.0.27" notes = """ There is a CRC implementation in here, but those are not considered crypto. Further, it's only used in tests internal to this crate. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.flate2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.0.30" notes = ''' WARNING: This certification is a result of a **partial** audit. The `any_zlib` code has **not** been audited. Ability to track partial audits is tracked in https://github.com/mozilla/cargo-vet/issues/380 Chromium does use the `any_zlib` feature(s). Accidentally depending on this feature in the future is prevented using the `ban_features` feature of `gnrt` - see: https://crrev.com/c/4723145/31/third_party/rust/chromium_crates_io/gnrt_config.toml Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`: * The code under `src/ffi/...` will not be used because the `mod c` declaration in `src/ffi/mod.rs` depends on the `any_zlib` config * 7 uses of `unsafe` in `src/mem.rs` also all depend on the `any_zlib` config: - 2 in `fn set_dictionary` (under `impl Compress`) - 2 in `fn set_level` (under `impl Compress`) - 3 in `fn set_dictionary` (under `impl Decompress`) All hits of `'\bfs\b'` are in comments, or example code, or test code (but not in product code). There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.flate2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.30 -> 1.0.31" notes = """ WARNING: This certification is a result of a **partial** audit. The `any_zlib` code has **not** been audited. See the audit of 1.0.30 for more details. Only benign changes: * Comment-only changes in `.rs` files * Also changing dependency version in `Cargo.toml`, but this is for `any_zlib` feature which is not used in Chromium (i.e. this is a *partial* audit - see the previous audit notes for 1.0.30) """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.flate2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.31 -> 1.0.33" notes = """ WARNING: This certification is a result of a **partial** audit. The `any_zlib` code has **not** been audited. See the audit of 1.0.30 for more details. This delta audit has been reviewed in https://crrev.com/c/5811890 The delta can be seen at https://diff.rs/flate2/1.0.31/1.0.33 The delta bumps up `miniz_oxide` dependency to `0.8.0` The delta also contains some changes to `src/ffi/c.rs` which is *NOT* used by Chromium and therefore hasn't been covered by this partial audit. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.flate2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.33 -> 1.0.34" notes = """ WARNING: This certification is a result of a **partial** audit. The `any_zlib` code has **not** been audited. See the audit of 1.0.30 for more details. The delta can be seen at https://diff.rs/flate2/1.0.33/1.0.34 The delta bumps up `libz-rs-sys` dependency from `0.2.1` to `0.3.0` The delta in `lib.rs` only tweaks comments and has no code changes. The delta also contains some changes to `src/ffi/c.rs` which is *NOT* used by Chromium and therefore hasn't been covered by this partial audit. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.flate2]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.34 -> 1.0.35" notes = "There are no significant code changes in this delta (just one string constant change). Note that prior audits may have been partial." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.flate2]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.35 -> 1.1.0" notes = """ This is a delta audit from a **partial** audit (**not** covering zlib-related crate features which are not used by Chromium). The delta does not appear to any new unsafety or unsoundness. Changes consist of: - deriving more impls, e.g. for Clone or Default - migrating away from deprecated things in the rand crate - general improvements, e.g.: - slice::copy_from_slice instead of a for loop - Result::map_err instead of Result::unwrap - use helpers for converting numerics to/from little-endian bytes - nicer conversions between miniz_oxide::MZFlush and FlushCompress/FlushDecompress - cfg soup changes in FFI for the C zlib backends–though Chromium does not use these backends """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.flate2]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "1.0.24" notes = """ Reviewed in CL 558916134 Issues found: - Uninitialized memory: https://github.com/rust-lang/flate2-rs/pull/373 Minor code quality suggestions: - Defense in depth on dangling pointers (https://github.com/rust-lang/flate2-rs/issues/379) - set_len usage relies on tricky undocumented invariants (incidentally fixed by PR #373) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.flate2]] who = "Manish Goregaokar " criteria = "ub-risk-4" delta = "1.0.24 -> 1.0.27" notes = """ Reviewed in CL 572611911 Same review as previous """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.flate2]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "1.0.27 -> 1.0.28" notes = """ Reviewed in CL 573223148 Issues from previous review (#379, #220) fixed (PRs #380, #373). """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fleetspeak]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.4.0" notes = """ Reviewed in CL 551181045 Opens files from file descriptors obtained from potentially untrusted sources. This may be okay depending on your use case, and is a common pattern for IPC, but should be included in your project with care since opening the wrong mmaped fd may cause UB. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.flexbuffers]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.float-cmp]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fnv]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.7" notes = """ fnv explicitly documents that it does not attempt to be crypto-secure, nor does it try to guard against collisions. Hence, this does not implement crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.foldhash]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.1.3" notes = """ `ub-risk-2` review notes can be found in https://crrev.com/c/6071306/5/third_party/rust/chromium_crates_io/vendor/foldhash-0.1.3/src/seed.rs `does-not-implement-crypto` based on `README.md` which explicitly says that \"Foldhash is **not appropriate for any cryptographic purpose**.\" """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.foldhash]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.1.3 -> 0.1.4" notes = "No changes to safety-relevant code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.foldhash]] who = "Chris Palmer " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.1.4 -> 0.1.5" notes = "No new `unsafe`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "0.4.2" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits. The initial version of this crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/a59c3c448941f92f870d0c18c6d53d5c6104ab72 The CL description contains a link to a Google-internal document with audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "0.5.2" notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits except for 3 `unsafe impl bytemuck::SomeTrait for ...`. Each `impl` had a reasonable safety comment and there were no actual `unsafe` blocks, so I think this can be treated as `ub-risk-1`. Additional `unsafe` review comments can be found in https://crrev.com/c/5445719. For overall `safe-to-deploy` and `does-not-implement-crypto` I am mostly relying on certification by the Chromium engineers who work on the library (mostly drott@chromium.org). """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.4.2 -> 0.4.3" notes = "Reviewed in https://crrev.com/c/5362378. No new use of unsafe." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.5.2 -> 0.5.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.5.3 -> 0.5.4" notes = """ The delta just adds `impl From for u32` - no impact on `unsafe impl`s elsewhere. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "danakj@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.5.4 -> 0.5.5" notes = "No unsafe changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.5.5 -> 0.6.0" notes = "This change comprises changes to understand larger GlyphId and compatibility with older Mac TrueType fonts. No unsafe code is introduced." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.6.0 -> 0.7.1" notes = "No new unsafe, mostly changes about int24 as a new OpenType type, and moving Pen from Skrifa." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.7.1 -> 0.7.2" notes = "Explicit inlining of some type conversion. No new unsafe." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.7.2 -> 0.7.3" notes = "Wrapping math for Fixed type, no new unsafe." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.7.3 -> 0.8.2" notes = "No new unsafe, more inlining, checked add. Minor spec compliance issues." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.8.2 -> 0.8.3" notes = "Changes to reading IndexSubtable, reverting adding Tag::NULL associated constant." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.font-types]] who = "Augie Fackler " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.5.0" notes = "Reviewed in CL 617547813" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.font-types]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.8.2" notes = "Reviewed in CL 718913459" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.foreign-types]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.foreign-types-shared]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.form_urlencoded]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.form_urlencoded]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.1.0 -> 1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.form_urlencoded]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.2.0 -> 1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fragile]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fragile]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "2.0.0" notes = """ Reviewed in CL 655309625 Issues found: - https://github.com/mitsuhiko/fragile/issues/34 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fs-err]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.fs-set-times]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.20.3" notes = "Reviewed in CL 778504445" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fs4]] who = "" criteria = "ub-risk-2" version = "0.13.1" notes = "Reviewed in CL 771980548" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.fsevent-sys]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "4.1.0" notes = """ Reviewed in CL 726605958 FFI crate with some simple wrappers """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ftdi]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ftdi-mpsse]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.funty]] who = "ChromeOS" criteria = "safe-to-run" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futf]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.1.5" notes = "Reviewed in CL 810913099" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.futures]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.3.28" notes = """ `futures` has no logic other than tests - it simply `pub use`s things from other crates. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.3.28" notes = """ `rg -i unsafe` in this crate had one hit: a comment in a test mentioning UnsafeFutureObj. UnsafeFutureObj is implemented in futures-task-0.3.28, not here. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-channel]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-channel]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-channel]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-core]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-core]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-core]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-executor]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-executor]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-io]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-io]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-io]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-macro]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-macro]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-sink]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-sink]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-sink]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-task]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-task]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-task]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-util]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-util]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.28" notes = """ There's a custom xorshift-based `random::shuffle` implementation in src/async_await/random.rs. This is `doc(hidden)` and seems to exist just so that `futures-macro::select` can be unbiased. Sicne xorshift is explicitly not intended to be a cryptographically secure algorithm, it is not considered crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.futures-util]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.28 -> 0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gag]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gag]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gbm]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.15.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gbm-sys]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gdbstub]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gdbstub]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.6 -> 0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gdbstub_arch]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.4 -> 0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.generic-array]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.14.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.getifaddrs]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.1.5" notes = """ Reviewed in CL 772629745 Issues found: - Iterator for InterfaceIterator impl unconditionally derefs potentially-null current_unicast pointer """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.getopts]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.21" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.getrandom]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.16" notes = """ getrandom simply contains a bundle of ways of deferring to external sources of randomness (libcalls, syscalls, CPU insns), so no crypto is directly implemented here. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.getrandom]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.getrandom]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.getrandom]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.10" notes = """ While this crate provides crypto methods, they all defer to system or hardware crypto implementations. Hence, this crate does not implement crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.getrandom]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.11" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.getrandom]] who = "Lukasz Anforowicz " criteria = "does-not-implement-crypto" delta = "0.2.11 -> 0.2.12" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.getrandom]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.12 -> 0.2.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.getrandom]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.14 -> 0.2.15" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.getrandom]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.2.2 -> 0.2.12" notes = "Audited at https://fxrev.dev/932979" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.getrandom]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.3.1" notes = """ Reviewed in CL 731774826 Tons of unsafe for backend specific syscalls. The MaybeUninit invariant of `fill_inner` is upheld nonlocally and is not tracked in comments. Potentially would be nicer to have `fn fill_inner(&mut [MaybeUninit]) -> &mut [u8]`, and have individual backends do their own `assume_init()` invariant asserting comments. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ghost]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ghost]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.9 -> 0.1.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ghost]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.13 -> 0.1.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gif]] who = "Ben Saunders " criteria = "ub-risk-1" version = "0.12.1" notes = "Reviewed in CL 637680029" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gimli]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.27.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gimli]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.27.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gimli]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.27.3 -> 0.28.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gimli]] who = "Hidenori Kobayashi " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.28.0 -> 0.30.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gimli]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.26.2" notes = """ Reviewed in CL 694412583 Based off of existing review for 0.31, diff reviewed was *backwards*. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gimli]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.31.0" notes = """ Reviewed in CL 675488712 Could have better documented invariants. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.55.2" notes = """ Reviewed in CL 581562516 Issues found: - Unsafe transmute of lifetime (https://github.com/Byron/gitoxide/pull/1154) - Interrupt handler function should be unsafe """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-attributes]] who = "" criteria = "ub-risk-4" version = "0.22.2" notes = """ Reviewed in CL 653264864 Issues found: - https://github.com/Byron/gitoxide/issues/1460 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-commitgraph]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.22.0" notes = "Reviewed in CL 581562496" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-config-value]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.14.0" notes = "Reviewed in CL 581042137" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-features]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.30.0 -> 0.40.0" notes = "Reviewed in CL 720029078" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-features]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.36.0" notes = """ Reviewed in CL 580908504 Issues: - Illegal mutable aliasing (https://github.com/Byron/gitoxide/pull/1115) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-filter]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.11.2" notes = "Reviewed in CL 652491636" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-filter]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.11.3 -> 0.13.0" notes = """ Reviewed in CL 666834466 No change to unsafe code """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-hash]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.13.1" notes = "Reviewed in CL 580781568" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-index]] who = "Ben Saunders " criteria = ["ub-risk-2-thorough", "does-not-implement-crypto"] version = "0.26.0" notes = """ Reviewed in CL 581562538 Relies on mmap'd file being untouched externally. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-index]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.27.1 -> 0.33.0" notes = "Reviewed in CL 636423069" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-pack]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.44.0" notes = """ Reviewed in CL 581562540 Issues: - https://github.com/Byron/gitoxide/pull/113 - https://github.com/Byron/gitoxide/pull/1115 - https://github.com/Byron/gitoxide/pull/1116 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-pack]] who = "Manish Goregaokar " criteria = "ub-risk-4" delta = "0.44.0 -> 0.45.0" notes = """ Reviewed in CL 594331347 Issues found: - https://github.com/Byron/gitoxide/pull/1230 - https://github.com/Byron/gitoxide/issues/1231 (previously found issues have been fixed) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-ref]] who = "Manish Goregaokar " criteria = "ub-risk-2-thorough" version = "0.38.0" notes = "Reviewed in CL 581562488" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-ref]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.47.0" notes = """ Reviewed in CL 666834467 Uses mmap, otherwise minimal use of unsafe, well commented """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-revision]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.23.0" notes = "Reviewed in CL 581562502" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-revision]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.23.0 -> 0.24.0" notes = "Reviewed in CL 594331337" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-revision]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.29.0" notes = "Reviewed in CL 666885060" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-sec]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.10.0" notes = "Reviewed in CL 581046394" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-tempfile]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "11.0.0" notes = "Reviewed in CL 581562529" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix-tempfile]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "11.0.1 -> 14.0.0" notes = "Reviewed in CL 636941982" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gix_packetline]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.17.5" notes = "Reviewed in CL 651814949" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.glob]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.glob]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.glob]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.3.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.glob]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.3.1" notes = """ No unsafe. The crate's purpose is to find files based on a glob, so it uses the fs module for that and returns lists of paths. There's no net usage or crypto. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.glob]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.3.1 -> 0.3.2" notes = "Still no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.goblin]] who = "Ben Saunders " criteria = "ub-risk-1" version = "0.8.0" notes = "Reviewed in CL 642006818" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.gpio-cdev]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gpt_disk_io]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.15.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gpt_disk_io]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.15.0 -> 0.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gpt_disk_types]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.15.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.gpt_disk_types]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.15.0 -> 0.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio]] who = "Android Legacy" criteria = "safe-to-run" version = "0.8.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio]] who = "Android Legacy" criteria = "safe-to-run" version = "0.9.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.9.1 -> 0.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-compiler]] who = "Android Legacy" criteria = "safe-to-run" version = "0.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-compiler]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-compiler]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.0 -> 0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-compiler]] who = "George Burgess IV " criteria = "does-not-implement-crypto" delta = "0.7.0 -> 0.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-compiler]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0 -> 0.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-sys]] who = "Android Legacy" criteria = "safe-to-run" version = "0.8.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-sys]] who = "Android Legacy" criteria = "safe-to-run" version = "0.9.1+1.38.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.grpcio-sys]] who = "Android Legacy" criteria = "safe-to-run" version = "0.13.0+1.56.2-patched" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.18 -> 0.3.19" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.19 -> 0.3.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.20 -> 0.3.21" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.21 -> 0.3.24" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.h2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.24 -> 0.3.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.half]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.half]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "1.8.2" notes = """ Reviewed in CL 590192561 Issues found: - The `set_len`s in slice.rs and vec.rs are premature and create uninitialized vectors - (internal safety) f16x4_to_f32x4 and f16x4_to_f32x4_x86_f16c do not enforce i.len() > 4. Should be marked unsafe (no issues filed, all of the issues appear to be fixed on GitHub main) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.half]] who = "Ben Saunders " criteria = "ub-risk-1" version = "1.8.3" notes = "Reviewed in CL 590192561" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.half]] who = "Ben Saunders " criteria = "ub-risk-1" version = "2.4.0" notes = "Reviewed in CL 610738461" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.halfbrown]] who = "Augie Fackler " criteria = "ub-risk-4" version = "0.2.5" notes = "Reviewed in CL 659834502" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hashbrown]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.13.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hashbrown]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.13.2 -> 0.12.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hashbrown]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.13.2 -> 0.14.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hashlink]] who = "" criteria = "ub-risk-2" version = "0.9.0" notes = "Reviewed in CL 649389159" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.heapless]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.17" notes = """ does-not-implement-crypto: Hashing containers (e.g., IndexMap) defer to other machinery like the hash32 crate for hashing. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.heck]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.heck]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.heck]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.0 -> 0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.heck]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.0 -> 0.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.heck]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "0.4.1" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits. `heck` (version `0.3.3`) has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.hex]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hex-literal]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.1" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.highway]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "1.3.0" notes = "Reviewed in CL 794944624" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hkdf]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.11.0 -> 0.12.3" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.hmac]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.11.0 -> 0.12.1" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.home]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.5.4" notes = "Reviewed in CL 559796554" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.home]] who = "Augie Fackler " criteria = ["ub-risk-2", "does-not-implement-crypto"] delta = "0.5.4 -> 0.5.5" notes = "Reviewed in CL 566644164" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hoot]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.1.3" notes = """ Reviewed in CL 607320079 Issues found: - https://github.com/algesten/hoot/issues/2 (fixed in https://github.com/algesten/hoot/pull/3) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hoot]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.1.4" notes = "Reviewed in CL 607320079" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hostname]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hostname]] who = "Augie Fackler " criteria = "ub-risk-2" version = "0.4.0" notes = "Reviewed in CL 707926879" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hound]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "3.5.0" notes = """ Reviewed in CL 564508706 Issues found: - https://github.com/ruuda/hound/pull/58 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.html-escape]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.2.13" notes = """ Reviewed in CL 612354454 Issues found: - decode_impl macro should have \"unsafe\" in its name and document the safety at callsites - write_hex_to_vec: The Vec::set_len is UB and should only be called after filling the buffer. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.http]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.http]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.http]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "1.49.0" notes = "Reviewed in CL 588379811" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.http-body]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.4.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.http-body]] who = "ChromeOS" criteria = "safe-to-run" version = "0.4.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.http-body]] who = "Erick Tryzelaar " criteria = ["ub-risk-2", "safe-to-run"] version = "0.4.4" notes = "Reviewed on https://fxrev.dev/611683" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.http-range-header]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.http-range-header]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.http-range-header]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.3.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.httparse]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.httparse]] who = "Ben Saunders " criteria = "ub-risk-4" delta = "1.8.0 -> 1.9.4" notes = """ Reviewed in CL 648994349 Issues found: - https://github.com/seanmonstar/httparse/issues/177 -Parsing code would be improved with an API that combines peeking and advancing """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.httpdate]] who = "ChromeOS" criteria = "safe-to-run" version = "1.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.httpdate]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.httpdate]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.3" notes = "`rg -i unsafe` had exactly one hit: `#![forbid(unsafe_code)]`" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.humantime]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hyper]] who = "ChromeOS" criteria = "safe-to-run" version = "0.14.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hyper]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.14.27" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hyper]] who = [ "Manish Goregaokar ", "Augie Fackler ", ] criteria = "ub-risk-4" version = "1.0.1" notes = """ Reviewed in CL 588384310 Issues found: - https://github.com/hyperium/hyper/pull/3498 - https://github.com/hyperium/hyper/issues/3556 - https://github.com/hyperium/hyper/issues/3500 (probably not a real issue) - https://github.com/hyperium/hyper/issues/3554 (documentation) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.hyper-timeout]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hyper-timeout]] who = "ChromeOS" criteria = "safe-to-run" version = "0.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.hyper-util]] who = "Ben Saunders " criteria = "ub-risk-2" version = "0.1.3" notes = "Reviewed in CL 605631967" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.i2cdev]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.iana-time-zone]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.53" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.iana-time-zone]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.53 -> 0.1.56" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.iana-time-zone]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.56 -> 0.1.57" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.iana-time-zone]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.1.61" notes = "Some unsafe: interfacing with system timezone APIs" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_calendar]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta1" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_calendar]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "No unsafe introduced" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_calendar_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_calendar_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_capi]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta1" notes = "Despite being an FFI crate, it is 100% safe code since it uses Diplomat for bindings." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_capi]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Despite being an FFI crate, it is 100% safe code since it uses Diplomat for bindings." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_casemap]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Safety review: One bit of unsafe DST construction from constant values. One checklisted ULE impl for a simple type wrapping RawBytesULE." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_casemap]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "No meaningful change to unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_casemap_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_casemap_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_collator]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = """ All unsafe code commented: - enum construction from discriminant with masks or other checks - from_u32 for Hangul Jamo, with math that is in range - from_u32 from a packed type that maintains a valid char invariant """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_collator]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta2" notes = """ All unsafe code commented (and improved from prior version): - enum construction from discriminant with masks or other checks - from_u32 for Hangul Jamo, with math that is in range - from_u32 from a packed type that maintains a valid char invariant """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_collator_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_collator_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_collections]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta1" notes = """ Two instances of unsafe : - Non-safety related unsafe API that imposes additional invariants - `from_utf8` for known-UTF8 integer Comments added/improved in https://github.com/unicode-org/icu4x/pull/6056. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_collections]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "from_utf8 unsafe removed. no new unsafe added" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_datetime]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = """ All unsafe code commented: - Checklisted ULE impls - from-utf8 code based on type invariants Comments added/improved in https://github.com/unicode-org/icu4x/pull/6056. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_datetime]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Same unsafe code as last time, with improved comments" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_datetime_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_datetime_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_decimal]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta1" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_decimal]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_decimal_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_decimal_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_experimental]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "0.2.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_experimental]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" delta = "0.2.0 -> 0.3.0-beta2" notes = "No crypto introduced" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_experimental_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.2.0-dev" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_experimental_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.2.0-dev -> 0.3.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_list]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta1" notes = "Simple well-commented unsafe around regex-automata DFA construction." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_list]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Some new use of VarZeroCow unsafe APIs, which are on byte slices so the unchecked construction is not a problem" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_list_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_list_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Covariant transform transmute; since rustc does not understand that ZeroMap is invariant" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "No contentful changes to unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale_core]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = """ All unsafe code commented: - A checklisted ULE impl - from-utf8 code on known-ASCII - Some unchecked indexing around maintained invariants Comments added/improved in https://github.com/unicode-org/icu4x/pull/6056. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale_core]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta2" notes = """ All unsafe code commented (and improved from prior version): - A checklisted ULE impl - from-utf8 code on known-ASCII - Some unchecked indexing around maintained invariants """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locale_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_locid_transform]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.icu_locid_transform_data]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.icu_normalizer]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "2.0.0-beta1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_normalizer]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta2" notes = """ All unsafe is unchecked `char` and `str` conversion, mostly well-commented. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_normalizer_data]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.icu_normalizer_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_normalizer_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_pattern]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "0.3.0" notes = """ Simple unsafe around repr(transparent), and one checklist-commented VarULE impl. Comments improved in https://github.com/unicode-org/icu4x/pull/6056 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_pattern]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.3.0 -> 0.4.0" notes = "Unsafe code unchanged; comments improved" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_plurals]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta1" notes = """ Unsafe code pertaining to checklisted ULE/VarULE impls. Comments added/improved in https://github.com/unicode-org/icu4x/pull/6056. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_plurals]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "No new unsafe code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_plurals_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_plurals_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_properties]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "2.0.0-beta1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_properties]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta2" notes = "All unsafe was removed" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_properties_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_properties_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" notes = """ This crate contains a custom impl of FxHash. The maintainers needed a custom hashing function that was `const` and self-contained. Since FxHash isn't built to be crypto secure, this does-not-implement-crypto. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.icu_provider]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta1" notes = """ All unsafe code commented: - Minor unsafe transmutes between types which are identical but not type-system-provably so. - One unsafe EqULE impl - Some repr(transparent) transmutes - A from_utf8_unchecked for an ascii-validated string Comment improvements can be found in https://github.com/unicode-org/icu4x/pull/6056 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "from_utf8_unchecked unsafe remove, all other unsafe not meaningfully changed" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider_adapters]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta1" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider_adapters]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Still contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider_baked]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "2.0.0-beta1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider_baked]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta2" notes = """ All unsafe code commented: - Unchecked indexing in generated code - Unchecked indexing around successful binary searches - Unchecked indexing in ZeroTrie assuming valid tries by-construction """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_provider_macros]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.icu_provider_macros]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta1" notes = "Does not contain any unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_segmenter]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "2.0.0-beta1" notes = "Unsafe code pertaining to unchecked indexing, with length checks right before it" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_segmenter]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "No change to unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_segmenter_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_segmenter_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] delta = "2.0.0-beta1 -> 2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_time]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta2" notes = "Does not contain any unsafe code" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_time_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta2" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_timezone]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "2.0.0-beta1" notes = "Simple, commented unsafe code around string mutation with checked ASCII-only bytes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.icu_timezone_data]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.0.0-beta1" notes = "Contains codegenned unsafe only, using safe Bake impls from zerovec/zerotrie" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.idna]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.idna]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.0 -> 1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.idna_adapter]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.igvm]] who = "Ben Saunders " criteria = "ub-risk-1" version = "0.3.0" notes = "Reviewed in CL 660125968" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.image]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.23.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.image]] who = "Chih-Yao Chuang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.23.14 -> 0.24.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.image]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.24.6" notes = "Reviewed in CL 559198279" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.imara-diff]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.1.5" notes = "Reviewed in CL 581562578" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.imara_diff]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.1.7" notes = "Reviewed in CL 657293942" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.include_dir]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.include_dir_impl]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.6.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.include_dir_impl]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.6.2" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indexmap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.9.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indexmap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.9.3 -> 2.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indexmap]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.1.0 -> 2.2.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indexmap]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "2.7.1" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'` and there were no hits. There is a little bit of `unsafe` Rust code - the audit can be found at https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2 ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.indexmap]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "2.7.1 -> 2.8.0" notes = """ No `unsafe` introduced or affected in: * `indexmap_with_default!` and `indexset_with_default!` macros * New `PartialEq` implementations * `fn slice_eq` in `util.rs` """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.indexmap]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "2.2.6" notes = "Reviewed in CL 629033781" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.indoc]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.3.6" notes = """ This crate simply reexports indoc_impl. There's therefore no code specific to this crate to audit. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indoc]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.3.6" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indoc-impl]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.3.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.indoc-impl]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.3.6" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inflections]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inotify]] who = "ChromeOS" criteria = "safe-to-run" version = "0.9.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inotify]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inotify]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.9.6" notes = "Reviewed in CL 562731461" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.inotify-sys]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inotify-sys]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inst]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "1.40.0 -> 1.41.1" notes = """ Reviewed in CL 698174008 One usage of unsafe, could have safety comments """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.insta]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "1.29.0" notes = "Reviewed in CL 554440331" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.insta]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.42.0" notes = """ Reviewed in CL 718829060 Only use of unsafe is bind_async, which does a straightforward projection. Can be removed with https://github.com/mitsuhiko/insta/pull/711 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.instant]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.instant]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.intaglio]] who = "" criteria = "ub-risk-2" version = "1.11.0" notes = "Reviewed in CL 821787257" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.intrusive-collections]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.intrusive-collections]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.9.6" notes = "Reviewed in CL 638226392" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.inventory]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inventory-impl]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.inventory-impl]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.11" notes = """ This crate has an instance of `unsafe {` in a comment. The comment is referencing a future potential implementation of this code, once a desired rustc feature is stabilized. There's otherwise no mention of `unsafe` flagged by `rg -i unsafe`. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.io-close]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.3.7" notes = "Reviewed in CL 733421084" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.io-extras]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.18.4" notes = "Reviewed in CL 799517019" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.io-lifetimes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.io-lifetimes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.io-lifetimes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.10 -> 1.0.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.io-uring]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ioctl-rs]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.iovec]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.is-terminal]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.is-terminal]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.2 -> 0.4.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.is-terminal]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.4.13" notes = "Reviewed in CL 666758546" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.is_executable]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "1.0.4" notes = "Reviewed in CL 696533953" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.iso8601]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.isolang]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "2.4.0" notes = "Reviewed in CL 710664600" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.itertools]] who = "ChromeOS" criteria = "safe-to-run" version = "0.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itertools]] who = "ChromeOS" criteria = "safe-to-run" version = "0.10.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itertools]] who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.10.5 -> 0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itertools]] who = "agl@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" notes = """ This is 12K lines of code, plus 6K lines of tests and benchmarks. It has minimal use of unsafe and so I have paged though it all with \"::\" highlighted and paid attention to which imported functions are being called. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.itertools]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.11.0" notes = "Reviewed in CL 566337310" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.itoa]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itoa]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itoa]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.5 -> 1.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itoa]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.6 -> 1.0.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.itoa]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.0.10" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are a few places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5350697. Version 1.0.1 of this crate has been added to Chromium in https://crrev.com/c/3321896. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.itoa]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.10 -> 1.0.11" notes = """ Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: * Bumping up the version * A touch up of comments * And my own PR to make `unsafe` blocks more granular: https://github.com/dtolnay/itoa/pull/42 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.itoa]] who = "Liza Burakova " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.11 -> 1.0.14" notes = """ Unsafe review at https://crrev.com/c/6051067 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.itoa]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.14 -> 1.0.15" notes = "Only minor rustdoc changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.itoap]] who = "Augie Fackler " criteria = "ub-risk-2" version = "1.0.1" notes = "Reviewed in CL 649662185" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ixdtf]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.3.0" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.ixdtf]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-0"] delta = "0.3.0 -> 0.4.0" notes = "No unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.jaq]] who = "" criteria = "ub-risk-3" version = "2.2.0" notes = "Reviewed in CL 778639304" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jiff]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.1.0" notes = "Reviewed in CL 666672133" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jiff]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.1.0 -> 0.1.24" notes = """ Reviewed in CL 717066700 New Android system APIs, otherwise no change to unsafe code since last review """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jiter]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.0.6" notes = "Reviewed in CL 615051835" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jj-cli]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.8.0" notes = "Reviewed in CL 554583176" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jj_cli]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.11.0" notes = "Reviewed in CL 586453800" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jj_cli]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.8.0" notes = "Reviewed in CL 558944141" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jj_lib]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.11.0" notes = "Reviewed in CL 586453800" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jobserver]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.js-sys]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.3.69" notes = "Reviewed in CL 652404154" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.js-sys]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.3.69 -> 0.3.70" notes = """ Reviewed in CL 696447614 Minor changes since last review """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.json_writer]] who = "Augie Fackler " criteria = "ub-risk-2" version = "0.4.0" notes = "Reviewed in CL 809112751" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.junit-report]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.jxl]] who = "Joshua Liebow-Feeser " criteria = "ub-risk-1" version = "0.1.1" notes = "Reviewed in " aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.jxl]] who = "Luca Versari " criteria = "safe-to-deploy" version = "0.1.1" notes = "Based on ub-risk-1 by joshlf@google.com and the lack of filesystem usage outside tests." aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl]] who = "Łukasz Anforowicz " criteria = "safe-to-deploy" version = "0.1.3" notes = "Based on a review by @anforowicz (https://github.com/libjxl/jxl-rs/pull/518) and the lack of filesystem usage outside tests." aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl]] who = "Łukasz Anforowicz " criteria = "safe-to-deploy" version = "0.1.5" notes = "Delta review from v0.1.3: no safety-relevant changes (except for a simple fix under stacked borrows)." aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl]] who = "Łukasz Anforowicz " criteria = "safe-to-deploy" version = "0.3.0" notes = "Delta review from v0.1.5" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl_macros]] who = "Luca Versari " criteria = "safe-to-deploy" version = "0.3.0" notes = "No unsafe code, no fs access outside of test-only functionality" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl_simd]] who = "Łukasz Anforowicz " criteria = "safe-to-deploy" version = "0.1.3" notes = "Based on a review by @anforowicz (https://github.com/libjxl/jxl-rs/pull/518) and the lack of filesystem usage outside tests." aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl_simd]] who = "Łukasz Anforowicz " criteria = "safe-to-deploy" version = "0.1.5" notes = "Delta review from v0.1.3: no safety-relevant changes." aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl_simd]] who = "Łukasz Anforowicz " criteria = "safe-to-deploy" version = "0.3.0" notes = "Delta review from v0.1.5" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.jxl_transforms]] who = "Luca Versari " criteria = "safe-to-deploy" version = "0.3.0" notes = "No unsafe code, no fs access" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml" [[audits.kamadak-exif]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.6.1" notes = "Reviewed in CL 827439468" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.keccak]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.1.5" notes = "Reviewed in CL 636605237" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.kernlog]] who = "Matthias Kaehlcke " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.kstring]] who = "" criteria = "ub-risk-3" version = "2.0.0" notes = """ Reviewed in CL 653263733 Issues found: - Should use repr(C) union to get correct layout: https://github.com/cobalt-org/kstring/pull/77. - Ideally the HeapStr trait should be unsafe, but this is a local issue since the trait is sealed. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.kstring]] who = "" criteria = "ub-risk-2" delta = "2.0.0 -> 2.0.1" notes = "Reviewed in CL 655475274" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.kvm-ioctls]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.14.0" notes = "Reviewed in CL 549307303" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.kvm-ioctls]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.14.0" notes = "Reviewed in CL 565655079" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.kvm-ioctls]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.15.0 -> 0.17.0" notes = "Reviewed in CL 634689649" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lab]] who = "Augie Fackler " criteria = "ub-risk-2" version = "0.11.0" notes = "Reviewed in CL 716390760" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lazy_static]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lazy_static]] who = "Android Legacy" criteria = "safe-to-run" version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lazy_static]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.4.0" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. There are two places where `unsafe` is used. Unsafe review notes can be found in https://crrev.com/c/5347418. This crate has been added to Chromium in https://crrev.com/c/3321895. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.lazy_static]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.4.0 -> 1.5.0" notes = "Unsafe review notes: https://crrev.com/c/5650836" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.lazycell]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lazycell]] who = "Android Legacy" criteria = "safe-to-run" version = "1.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lebe]] who = "Luca Versari " criteria = "ub-risk-3" version = "0.5.2" notes = "Reviewed in CL 793627519" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical]] who = "Taylor Cramer " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "6.1.1" notes = """ Reviewed in CL 545304248 Many issues found across the `lexical` family of crates: - https://github.com/Alexhuszagh/rust-lexical/pull/103 - https://github.com/Alexhuszagh/rust-lexical/issues/104 - https://github.com/Alexhuszagh/rust-lexical/issues/101 - https://github.com/Alexhuszagh/rust-lexical/issues/95 - Beyond the above issues, review was not completed on the unchecked indexing """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical-core]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.8.5" notes = """ Reviewed in CL 545304290 See notes on lexical crate. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical-write-integer]] who = "Manish Goregaokar " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.8.5" notes = """ Reviewed in CL 545304293 See notes on lexical crate. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical_parse_integer]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.8.6" notes = """ Reviewed in CL 545304272 See notes on lexical crate. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical_parse_integer]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.8.6" notes = """ Reviewed in CL 545304281 See notes on lexical crate. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical_util]] who = "Manish Goregaokar " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.8.5" notes = """ Reviewed in CL 545304267 See notes on lexical crate. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.lexical_write_float]] who = "Manish Goregaokar " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.8.5" notes = """ Reviewed in CL 545304258 See notes on lexical crate. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libafl_bolts]] who = "Luca Versari " criteria = "ub-risk-4" version = "0.14.1" notes = "Reviewed in CL 752209217" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libc]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.86" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.146" notes = """ Much like the getrandom crate, this exports interfaces to APIs which perform crypto, but does not implement any crypto itself. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libc]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.146 -> 0.2.147" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libc]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.147 -> 0.2.153" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libc]] who = "Hsin-chen Chuang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.153 -> 0.2.170" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libc]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.2.142 -> 0.2.149" notes = "Audited at https://fxrev.dev/932979" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.libc]] who = "Ben Saunders " criteria = "ub-risk-4" delta = "0.2.150 -> 0.2.153" notes = "Reviewed in CL 622219230" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libc-print]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.1.20" notes = "Reviewed in CL 779126414" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libdbus-sys]] who = "ChromeOS Legacy" criteria = "safe-to-run" version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libdbus-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.5" notes = """ This audit does **not** include an audit of the `vendor/` directory, which contains a full copy of dbus, but is only built when the `vendored` feature is enabled. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libftdi1-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libfuzz-sys]] who = "Taylor Cramer " criteria = "ub-risk-3" delta = "0.4.4 -> 0.4.5" notes = """ Reviewed in CL 562889777 Issues found: - https://github.com/rust-fuzz/libfuzzer/issues/112 - https://github.com/rust-fuzz/libfuzzer/issues/113 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libfuzzer-sys]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libfuzzer-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.4 -> 0.4.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libfuzzer-sys]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.4.7" notes = "Reviewed in CL 564731033" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libloading]] who = "Android Legacy" criteria = "safe-to-run" version = "0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libloading]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libloading]] who = "Chia-I Wu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libloading]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.8.0" notes = "Reviewed in CL 562765830" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.liblzma]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.4.1" notes = "Reviewed in CL 767514298" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.liblzma-sys]] who = "Luca Versari " criteria = "ub-risk-3" version = "0.4.3" notes = "Reviewed in CL 767507325" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libm]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "0.2.11" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.libproc]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.14.8" notes = """ Reviewed in CL 650620517 Issues found: - `pidinfo` buffer is inferred as `c_void` and is therefore too small - `PIDFDInfo` and `PIDRUsage` should be `unsafe trait`s """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libshpool]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.3.3" notes = "Reviewed in CL 580903771" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libshpool]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.5.0" notes = "Reviewed in CL 609436265" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libslirp-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.2.1" notes = "No audit of the slirp DSO this is intended to link to was done." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libsqlite3-sys]] who = "" criteria = "ub-risk-2" version = "0.28.0" notes = "Reviewed in CL 649389160" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.libtest-mimic]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.0" notes = "Used in tests only" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libtest-mimic]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.0 -> 0.6.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libusb1-sys]] who = "Benjamin Gordon " criteria = "does-not-implement-crypto" version = "0.7.0" notes = """ * The libusb subdirectory contains a partial copy of libusb-1.0.27. I downloaded a copy from upstream and confirmed that there are no diffs. * build.rs calls pkg_config to probe for libusb-1.0 and sets up some build variables. * The files under src contain constants, extern declarations for libusb functions, and small helper functions that fill in some structs. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libusb1-sys]] who = "Benjamin Gordon " criteria = "safe-to-run" version = "0.7.0" notes = """ * The libusb subdirectory contains a partial copy of libusb-1.0.27. I downloaded a copy from upstream and confirmed that there are no diffs. * build.rs calls pkg_config to probe for libusb-1.0 and sets up some build variables. * The files under src contain constants, extern declarations for libusb functions, and small helper functions that fill in some structs. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libz-sys]] who = "Android Legacy" criteria = "safe-to-run" version = "1.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libz-sys]] who = "Android Legacy" criteria = "safe-to-run" version = "1.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libz-sys]] who = "ChromeOS" criteria = "safe-to-run" version = "1.1.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.libz-sys]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.12" notes = """ The bundled zlib C sources were not audited as a part of this. However, I did compare the vendored sources present in this crate with their upstream repos. There was no diff between zlib/ and https://zlib.net/fossils/zlib-1.2.11.tar.gz. zlib-ng did not provide a version, so I ran diff across everything in zlib-ng's commit history. The closest upstream SHA was cf89cf35037f152ce7adfeca864656de5d33ea1e with 8 lines of output from `diff --recursive . ../../libz-sys-1.1.12/src/zlib-ng/`. All of these referenced files that were only present in libz-sys, and they're all presumably irrelevant (CI configuration files, .git files, linter config) """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.line-index]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.1.0" notes = "Reviewed in CL 562882288" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.line-index]] who = "Ben Saunders " criteria = "ub-risk-2" version = "0.1.1" notes = "Reviewed in CL 599482318" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.link-cplusplus]] who = "ChromeOS" criteria = "safe-to-run" version = "1.0.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.link-cplusplus]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.9" notes = """ This crate exists simply to link with libcxx or libstdcxx. No assertions are made about the safety of either of those libraries. :) """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.link-cplusplus]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.9" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.linked-hash-map]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.linkme]] who = "Luca Versari " criteria = "ub-risk-4" version = "0.3.32" notes = "Reviewed in CL 758190959" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.linkme-impl]] who = "Luca Versari " criteria = "ub-risk-4" version = "0.3.32" notes = "Reviewed in CL 758190960 (but see the review for linkme)" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.linux-embedded-hal]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.linux-loader]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.9.0" notes = "Reviewed in CL 548095317" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.linux-loader]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.9.0 -> 0.10.0" notes = "Reviewed in CL 600836074" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.linux-raw-sys]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.linux-raw-sys]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.linux-raw-sys]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.4.10" notes = "Reviewed in CL 581059097" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.litemap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.litemap]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.7.4" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.litemap]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.7.4 -> 0.7.5" notes = "Delta implements the entry API but doesn't add or change any unsafe code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.litrs]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lock_api]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lock_api]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lock_api]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lock_api]] who = "Taylor Cramer " criteria = "ub-risk-2" delta = "0.4.9 -> 0.4.10" notes = "Reviewed in CL 563851550" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.log]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.log]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.17" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.log]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.17 -> 0.4.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.log]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.4.22" notes = """ Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing Unsafety is generally very well-documented, with one exception, which we describe in the review doc. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.log]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.20 -> 0.4.21" notes = """ I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. I also skimmed through the 0.4.20 => 0.4.21 delta and there was no new crypto-related code AFAICT. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.log]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.21 -> 0.4.22" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.log]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.4.22 -> 0.4.25" notes = "No impact on `unsafe` usage in `lib.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.log]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.4.25 -> 0.4.26" notes = "Only trivial code and documentation changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.log]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.4.20" notes = "Reviewed in CL 563853923" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.log-panics]] who = "Howard Chung " criteria = ["safe-to-run", "crypto-safe"] version = "2.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.logos]] who = "" criteria = "ub-risk-0" version = "0.15.0" notes = "Reviewed in CL 742874864" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.logos-codegen]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.15.0" notes = "Reviewed in CL 742874863" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.loom]] who = "David Koloski " criteria = "safe-to-run" delta = "0.5.6 -> 0.7.0" notes = "Reviewed on https://fxrev.dev/907709." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.lz4_flex]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.1" notes = "Frequently makes use of unsafe for performance reasons. Most behind feature flags, but not all. Not entirely sure how memory safe those optimizations are." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.lzma-sys]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mac_address]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.1.7" notes = """ Reviewed in CL 718900394 winapi code """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.malloced]] who = "Ben Saunders " criteria = "ub-risk-2" version = "1.3.1" notes = "Reviewed in CL 604812730" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.managed]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.match_cfg]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.match_cfg]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.matchers]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.1.0" notes = """ Reviewed in CL 639804665 Has relatively straightforward invariant, but invariant could be documented further. Filed PR: https://github.com/hawkw/matchers/pull/9 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.matchit]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.matchit]] who = "ChromeOS" criteria = "safe-to-run" version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mathcal]] who = "Luca Versari " criteria = "ub-risk-3" version = "0.6.9" notes = "Reviewed in CL 770938969" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.matroska-demuxer]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.md-5]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-1"] version = "0.10.5" notes = "Reviewed on https://fxrev.dev/712372." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.memchr]] who = "Android Legacy" criteria = "safe-to-run" version = "2.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memchr]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memchr]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.6.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memchr]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.7.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memchr]] who = "Dustin J. Mitchell " criteria = "does-not-implement-crypto" delta = "2.7.2 -> 2.7.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.memchr]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "2.6.3" notes = """ Reviewed in CL 563868651 Second review would be appreciated. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.memfd]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.6.4" notes = "Reviewed in CL 703568697" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.memmap2]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memoffset]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memoffset]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.5 -> 0.7.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memoffset]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.1 -> 0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memoffset]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.0 -> 0.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.memoffset]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.9.0" notes = "Reviewed in CL 555491937" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.merge]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.merge]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.merge_derive]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.merge_derive]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.merge_derive]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.merlin]] who = "Ben Saunders " criteria = "ub-risk-4" version = "3.0.0" notes = """ Reviewed in CL 660103172 Issues found: - https://github.com/zkcrypto/merlin/pull/7 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.mime]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.3.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mime]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.minifier]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.2.3" notes = """ Reviewed in CL 577203072 Issues found: - https://github.com/GuillaumeGomez/minifier-rs/issues/105 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.minimal-lexical]] who = "danakj@chromium.org" criteria = "ub-risk-3" version = "0.2.1" notes = """ Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/4977110 - Unsound unsafe blocks present. - Safe traits that can cause soundness bugs. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.4 -> 0.3.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.5.4 -> 0.4.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.2 -> 0.5.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.2 -> 0.7.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.7.4" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits, except for some mentions of "unsafe" in the `README.md` and in a comment in `src/deflate/core.rs`. The comment discusses whether a function should be treated as unsafe, but there is no actual `unsafe` code, so the crate meets the `ub-risk-0` criteria. Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.7.4 -> 0.8.0" notes = ''' This delta audit has been reviewed in https://crrev.com/c/5811890 The delta can be inspected at https://diff.rs/miniz_oxide/0.7.4/0.8.0 and is fairly small (changes related to `const fn` and to `adler2` switch). I've grepped for `-i cipher`, `-i crypto`, `\bfs\b`, `\bnet\b`, and `\bunsafe\b`. There were no hits (except for comments in `core.rs` and in `Readme.md`). ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.8.0 -> 0.8.2" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.8.2 -> 0.8.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "Jonathan Hao " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.8.3 -> 0.8.4" notes = "No big changes. Replaces some array with Box and other minor changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.miniz_oxide]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.8.4 -> 0.8.5" notes = "No additions of or changes to unsafe code. Delta consists of a bug fix + cleanups/changes to make it easier for the compiler to elide checks." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.mio]] who = "Android Legacy" criteria = "safe-to-run" version = "0.7.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mio]] who = "ChromeOS" criteria = "safe-to-run" version = "0.7.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mio]] who = "Vovo Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mio]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.8.5 -> 0.8.9" notes = "Audited at https://fxrev.dev/946305" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.mmx]] who = "" criteria = "ub-risk-3" version = "0.1.32" notes = "Reviewed in CL 769615692" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.mockall]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mockall]] who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.11.4 -> 0.12.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mockall_derive]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mockall_derive]] who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.11.4 -> 0.12.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mocktopus]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.mocktopus_macros]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.multi_log]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.multimap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.named-lock]] who = "crosvm" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nanorand]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.7.0" notes = "Reviewed in CL 562503105" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.nb]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.3" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nb]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nb]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nb]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.1.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nb]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "1.0.0 -> 0.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nb]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "1.0.0 -> 1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.netlink-packet-core]] who = "Manish Goregaokar " criteria = "ub-risk-0" version = "0.7.0" notes = "Reviewed in CL 772208218" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.netlink-sys]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.8.0" notes = "Reviewed in CL 772197803" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.nibble_vec]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nibble_vec]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "Android Legacy" criteria = "safe-to-run" version = "0.19.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "Android Legacy" criteria = "safe-to-run" version = "0.20.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.24.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.23.1 -> 0.23.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.25.0 -> 0.26.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.26.2 -> 0.27.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.27.1 -> 0.28.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "Hsin-chen Chuang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.28.0 -> 0.29.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nix]] who = "David Koloski " criteria = ["ub-risk-3", "safe-to-run"] version = "0.26.2" notes = """ Reviewed on https://fxrev.dev/780283 Issues: - https://github.com/nix-rust/nix/issues/1975 - https://github.com/nix-rust/nix/issues/1977 - https://github.com/nix-rust/nix/pull/1978 - https://github.com/nix-rust/nix/pull/1979 - https://github.com/nix-rust/nix/issues/1980 - https://github.com/nix-rust/nix/issues/1981 - https://github.com/nix-rust/nix/pull/1983 - https://github.com/nix-rust/nix/issues/1990 - https://github.com/nix-rust/nix/pull/1992 - https://github.com/nix-rust/nix/pull/1993 """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.nix]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.26.1 -> 0.28.0" notes = """ Reviewed in CL 622222105 (The rating differs from the previous once since I feel that the crate needs much more safety comments) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.nix]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.26.2" notes = "Reviewed in CL 552861153" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.nom]] who = "Android Legacy" criteria = "safe-to-run" version = "5.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nom]] who = "Android Legacy" criteria = "safe-to-run" version = "6.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.nom]] who = "danakj@chromium.org" criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-1"] version = "7.1.3" notes = """ Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.normalize-line-endings]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.notify]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "6.1.1" notes = "Reviewed in CL 562731464" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.nu_ansi_term]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.49.0" notes = "Reviewed in CL 585090965" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.num]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.2.1" notes = "This crate just reexports subcrates, so it's trivially safe in isolation." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.2.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-bigint]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "0.4.6" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.num-bigint-dig]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.8.4" notes = """ Reviewed in CL 598457101 Issues found: - to_str_radix_reversed is required to return a valid string by unsafe code, but this is not documented, nor is it easy to verify. It should probably return a String (at least internally), and have better safety documentation, or a double check when converting from UTF8 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.num-cmp]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-complex]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.4 -> 0.4.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-derive]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-derive]] who = "Android Legacy" criteria = "safe-to-run" version = "0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.3 -> 0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-integer]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.45" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-integer]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.1.46" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.num-iter]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.43" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-iter]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.43" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-rational]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-rational]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.4.2" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.num-traits]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-traits]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.15" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-traits]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.15 -> 0.2.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num-traits]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "0.2.19" notes = "Contains a single line of float-to-int unsafe with decent safety comments" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.num_cpus]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num_cpus]] who = "Android Legacy" criteria = "safe-to-run" version = "1.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num_cpus]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.13.0 -> 1.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num_enum]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num_enum_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num_enum_derive]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.7.2" notes = "Reviewed in CL 647708155" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.num_threads]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.num_traits]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.2.15" notes = "Reviewed in CL 558869499" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.num_traits]] who = "Taylor Cramer " criteria = "ub-risk-2" delta = "0.2.15 -> 0.2.16" notes = "Reviewed in CL 562140156" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.number_prefix]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.number_prefix]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.4.0" notes = "`rg -i unsafe` had exactly one hit: `#![deny(unsafe_code)]`" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.numpy]] who = "" criteria = "ub-risk-4" delta = "0.20.0 -> 0.21.0" notes = """ Reviewed in CL 683848897 Issues found: - to_owned_array needs to be unsafe as it can introduce aliasing UB - Review incomplete: pervasive undocumented unsafety """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.object]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.30.3" notes = "I'm not counting the code related to the GNU Hash section as crypto for the sake of this review." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.object]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.30.3 -> 0.30.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.object]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.30.3 -> 0.31.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.object]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.31.1 -> 0.32.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.object]] who = "Manish Goregaokar " criteria = "ub-risk-1" version = "0.32.0" notes = "Reviewed in CL 558738698" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.once_cell]] who = "crosvm" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.17.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.once_cell]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.19.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.once_cell]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.17.0 -> 1.18.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.open-enum]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.open-enum-derive]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.openssl-macros]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.openssl-macros]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.openssl-macros]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.openssl-macros]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "0.1.0 -> 0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.os_pipe]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.2.1" notes = "Reviewed in CL 715231802" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.os_str_bytes]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "6.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.os_str_bytes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "6.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.os_str_bytes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "6.4.1 -> 6.5.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.owning_ref]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.owo-colors]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "3.5.0" notes = """ Reviewed in CL 683999019 Issues found: - Unsafe code relies on const promotion. This *may* actually be sound in a const context, however it's not a huge deal since it's easy to patch: https://github.com/jam1garner/owo-colors/pull/131 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.owo-colors]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "4.1.0" notes = """ Reviewed in CL 683999019 Issues found: - Unsafe code relies on const promotion. This *may* actually be sound in a const context, however it's not a huge deal since it's easy to patch: https://github.com/jam1garner/owo-colors/pull/131 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.p256]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.10.1 -> 0.11.1" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.p9]] who = "Dennis Kempin " criteria = ["safe-to-deploy", "does-not-implement-crypto"] version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.p9]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.3 -> 0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.p9]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.3.2" notes = "Reviewed in CL 713823916" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.p9_wire_format_derive]] who = "Dennis Kempin " criteria = ["safe-to-deploy", "does-not-implement-crypto"] version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.p9_wire_format_derive]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.3 -> 0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.panic-halt]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.panic-halt]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.2.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.parking_lot]] who = "Android Legacy" criteria = "safe-to-run" version = "0.11.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.parking_lot]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.parking_lot]] who = "George Burgess IV " criteria = "does-not-implement-crypto" delta = "0.11.2 -> 0.11.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.parking_lot]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.11.2 -> 0.12.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.parking_lot_core]] who = "Android Legacy" criteria = "safe-to-run" version = "0.8.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.parquet]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "51.0.0" notes = "Reviewed in CL 642798209" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.parquet]] who = "Augie Fackler " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "54.0.0" notes = """ Reviewed in CL 712680846 Skipped all the `arrow` parts of this crate as we won't use them. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.partial-io]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.5.4" notes = "Reviewed in CL 767496248" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.password-hash]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.3.2 -> 0.4.2" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.paste]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.paste]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.paste]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.paste-impl]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pbkdf2]] who = "Joshua Liebow-Feeser " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.9.0 -> 0.11.0" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.pcap]] who = "" criteria = "ub-risk-3" version = "2.2.0" notes = "Reviewed in CL 772184300" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.pdl-compiler]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" notes = "Google first-party code (source already has rule of two enforced)." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pdl-runtime]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" notes = "Google first-party code (source already has rule of two enforced)." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.peeking_take_while]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.peeking_take_while]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.percent-encoding]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.percent-encoding]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.2.0 -> 2.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.percent-encoding]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.3.0 -> 2.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.perf-event-open-sys]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "4.0.0" notes = "Reviewed in CL 583996664" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.perf_event]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.4.8" notes = "Reviewed in CL 583996666" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.pest]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pest_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pest_generator]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pest_meta]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.petgraph]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.petgraph]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.5.1" notes = """ Reviewed in CL 558142733 Issues found: - https://github.com/petgraph/petgraph/pull/404 - https://github.com/petgraph/petgraph/issues/582 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.pin-project]] who = "ChromeOS" criteria = "safe-to-run" version = "1.0.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pin-project-internal]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.0.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pin-project-internal]] who = "ChromeOS" criteria = "safe-to-run" version = "1.0.12" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pin-project-lite]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pin-project-lite]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pin-project-lite]] who = "David Koloski " criteria = ["ub-risk-1", "safe-to-deploy"] version = "0.2.9" notes = "Reviewed on https://fxrev.dev/824504" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.pin-project-lite]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.2.9 -> 0.2.13" notes = "Audited at https://fxrev.dev/946396" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.pin-utils]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pin-utils]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pkg-config]] who = "Alexandre Courbot " criteria = "does-not-implement-crypto" version = "0.3.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pkg-config]] who = "Alexandre Courbot " criteria = "safe-to-run" version = "0.3.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.pkg-config]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.31" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.planus]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.3.1" notes = """ Reviewed in CL 702424963 Issues found: - Some traits should be unsafe https://github.com/planus-org/planus/issues/276 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.png]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.17.13" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits except for reasonable, client-controlled usage of `std::fs::File` in tests in `src/encoder.rs`, tests in `src/decoder/stream.rs`, and in some example code. Note that some additional, internal notes about an older version of this crate can be found at go/image-crate-chromium-security-review. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.png]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.17.13 -> 0.17.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.png]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.17.14 -> 0.17.15" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.png]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.17.15 -> 0.17.16" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.png]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.17.16 -> 0.18.0-rc" notes = "Still no `unsafe`, no cryptography, and justified usage of `std::fs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.polars]] who = "Manish Goregaokar " criteria = "ub-risk-0" version = "0.38.3" notes = """ Reviewed in CL 645917709 No unsafe code outside of tests. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-arrow-format]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.1.0" notes = "Reviewed in CL 703108664" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-ffi]] who = "" criteria = "ub-risk-2" version = "0.48.1" notes = "Reviewed in CL 774758919" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-io]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.38.3" notes = """ Reviewed in CL 645900171 No actual unsoundness was found, however this crate was rather hard to review, with a lot of usages of unsafe in the CSV parser that seemed gratuitous, and uncommented. Rating can be lowered when someone can find the time to review this. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-json]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.38.3" notes = """ Reviewed in CL 671839126 issues found: - Unsafe code relies on entirely undocumented invariants pervasive in code around only ever producing UTF8 bytes. Code should be updated to use `&mut String` - https://github.com/pola-rs/polars/pull/18725 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-parquet]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.44.2" notes = "Reviewed in CL 704268862" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-plan]] who = "Ben Saunders " criteria = "ub-risk-4" version = "0.38.3" notes = """ Reviewed in CL 653608525 Issues found: - Unprotected public `static mut`s read in safe code - Review incomplete: pervasive undocumented unsafety """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-row]] who = "Augie Fackler " criteria = "ub-risk-3" version = "0.38.3" notes = "Reviewed in CL 644011025" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-stream]] who = "" criteria = "ub-risk-4" version = "0.48.1" notes = "Reviewed in CL 771500385" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-time]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.38.3" notes = """ Reviewed in CL 645900204 mem::transmute of ParseError is unsound and unnecessary. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-time]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.38.3" notes = "Reviewed in CL 645900204" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.polars-utils]] who = "Augie Fackler " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.38.3" notes = "Reviewed in CL 636679479" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.pollster]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.3.0" notes = """ Reviewed in CL 581562576 Usage of unsafe is fine, but crate can be 100% safe: https://github.com/zesterer/pollster/pull/23 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.portable-atomic-util]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.2.4" notes = "Reviewed in CL 772168486" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.postcard]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "1.0.10 -> 1.1.1" notes = "Reviewed in CL 707054899" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.postcard]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "1.0.2 -> 1.0.10" notes = "Reviewed in CL 698047950" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.potential_utf]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.1.0" notes = "Contains a handful of lines of from-UTF8 unsafety and some `repr(transparent)` casting unsafety. Reasonably well commented, could do with listing invariants explicitly." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.potential_utf]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"] delta = "0.1.0 -> 0.1.2" notes = "Addition of safe comparison APIs since last audit" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.powerfmt]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.2.0" notes = "Reviewed in CL 578897702" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ppv-lite86]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ppv-lite86]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.17" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.ppv-lite86]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.17 -> 0.2.20" notes = "Using zerocopy to reduce unsafe usage." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.ppv-lite86]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.20 -> 0.2.21" notes = """ The delta mostly corresponds to @joshlf's https://github.com/cryptocorrosion/cryptocorrosion/pull/85 which started using an undocumented API that `zerocopy` has provided specifically for `ppv-lite86` in https://github.com/google/zerocopy/pull/2418. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.predicates]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.predicates]] who = "Yu-An Wang " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.1.5 -> 3.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.predicates-core]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.predicates-tree]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.prettyplease]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.prettyplease]] who = "Harshad Phule " criteria = "does-not-implement-crypto" version = "0.1.25" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.prettyplease]] who = "Harshad Phule " criteria = "safe-to-run" version = "0.1.25" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.prettyplease]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.25 -> 0.2.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.prettyplease]] who = "Bob Haarman " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.6 -> 0.2.17" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.primal-check]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.printf-compat]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-crate]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-error]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-error-attr]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-error-attr]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.4" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-hack]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.5.19" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-hack]] who = "Android Legacy" criteria = "safe-to-run" version = "0.5.19" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-nested]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-nested]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro-nested]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.7" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Chrome OS Toolchain" criteria = "safe-to-run" version = "1.0.29" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.49" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.79" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.49 -> 1.0.56" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.56 -> 1.0.59" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.59 -> 1.0.66" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.66 -> 1.0.69" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.79 -> 1.0.86" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.0.78" notes = """ Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for a benign \"fs\" hit in a doc comment) Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.69 -> 1.0.76" notes = """ 1.0.69 has been previously audited as \"safe-to-run\", \"does-not-implement-crypto\" - see https://github.com/google/rust-crate-audits/blob/c2d49cb6e80bb817f569debecf846161dcebd88c/audits.toml#L3939-L3979 The \"1.0.69 -> 1.0.76\" delta meets the same criteria. This is an incremental/delta audit - we don't claim any particular `ub-risk-N` level for the baseline or for the final version. OTOH note that additional uses of `unsafe` have been reviewed in https://crrev.com/c/5178771 and the **delta** was evaluated as `ub-risk-2`. There are some new `unsafe` blocks but they seem sound - additional `unsafe` audit notes can be found in https://crrev.com/c/5178771/comment/32dbab4e_c7402137 and https://crrev.com/c/5178771/4/third_party/rust/chromium_crates_io/vendor/proc-macro2-1.0.76/src/wrapper.rs#783 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.78 -> 1.0.79" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.79 -> 1.0.80" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.80 -> 1.0.81" notes = "Comment changes only" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.81 -> 1.0.82" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.82 -> 1.0.83" notes = "Substantive change is replacing String with Box, saving memory." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.83 -> 1.0.84" notes = "Only doc comment changes in `src/lib.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "danakj@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.84 -> 1.0.85" notes = "Test-only changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.85 -> 1.0.86" notes = """ Comment-only changes in `build.rs`. Reordering of `Cargo.toml` entries. Just bumping up the version number in `lib.rs`. Config-related changes in `test_size.rs`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.86 -> 1.0.87" notes = "No new unsafe interactions." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.proc-macro2]] who = "Liza Burakova ", "Dan Johnson ", "David Koloski ", "Julia Ryan ", "Manish Goregaokar ", "Tyler Mandry ", ] criteria = ["ub-risk-2", "safe-to-deploy"] delta = "1.3.0 -> 1.5.3" notes = "Reviewed on https://fxrev.dev/753625" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.19.0" notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for a benign \"fs\" hit in a comment). For overall `safe-to-deploy` and `does-not-implement-crypto` I am mostly relying on certification by the Chromium engineers who work on the library (mostly drott@chromium.org). """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.25.3" notes = """ Fixes for hdmx processing (use explicit record size), overflow fixes for packed point numbers. Fixes for midpoint computation, and follow-up fix to reinstate FreeType equivalence. Feature gating experimential spec features. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.0 -> 0.19.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.1 -> 0.19.2" notes = """ The delta is a bug fix in `src/tables/cmap.rs`. No new `unsafe` - still `ub-risk-0`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "danakj@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.2 -> 0.19.3" notes = "No unsafe." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.3 -> 0.20.0" notes = """ Contains changes for: * Adding IntSet, SparseBitSet * Support for VARC * Improved AAT support * Fuzzer overflow fixes, and avoiding timeouts in CMAP * Closure computations for subsetting of COLR * large glyphId support. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.20.0 -> 0.22.0" notes = "Changes for incremental font transfer, Ankr, Feat tables, and support for getting access to the SVG document from the SVG table, as well as Avar2." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.22.0 -> 0.22.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.22.1 -> 0.22.3" notes = "Support for the hdmx table, inlining optimizations. Crate has no unsafe code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.22.3 -> 0.23.0" notes = "More lenient parsing of CFF fonts with invalid BlueValues, incremental font transfer implementation of glyph keyed patching. No unsafe code in crate." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.23.0 -> 0.23.2" notes = "Some IFT changes, and better compatibility with empty PrivateDict in CFF." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.25.3 -> 0.26.0" notes = "Added min_byte_range() method, expose IndexSubtableList for bitmaps. No new unsafe. Gvar delta API changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.26.0 -> 0.27.1" notes = "IFT impl behind feature flag." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.27.1 -> 0.27.2" notes = "CFF charsets support, font_builder related changes, clippy fixes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.27.2 -> 0.27.3" notes = "Glyf/gvar performance improvements, HVAR/VVAR subset support, test fix for cmap test." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.read-fonts]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.15.6" notes = "Reviewed in CL 611302616" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.realfft]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "3.3.0" notes = "Reviewed in CL 564478712" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ref-cast]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "1.0.20" notes = "Reviewed in CL 585449372" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ref-cast-impl]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.0.20" notes = "Reviewed in CL 585449373" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.referencing]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.29.1" notes = """ Reviewed in CL 831131871 This crate seems to use unsafe code in a very underdocumented way to achieve self-referencing. Self-referencing is very tricky to get right, and while I'm not 100% sure I think this crate does it wrong. https://github.com/Stranger6667/jsonschema/issues/851 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.regex]] who = "Android Legacy" criteria = "safe-to-run" version = "1.5.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.10.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.11.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.10.2" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.2 -> 1.10.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.3 -> 1.10.4" notes = "Docs changes only." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.4 -> 1.10.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.5 -> 1.10.6" notes = "The delta has minimal changes in `pattern.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.6 -> 1.11.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.11.0 -> 1.11.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex-automata]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.3" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.3 -> 0.4.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.5 -> 0.4.6" notes = "Reviewed in https://crrev.com/c/5362200" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.6 -> 0.4.7" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.7 -> 0.4.8" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.8 -> 0.4.9" notes = "New API: `BuildError.is_size_limit_exceeded`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-automata]] who = "Manish Goregaokar " criteria = "ub-risk-1" delta = "0.4.8 -> 0.4.9" notes = """ Reviewed in CL 701879630 Built on top of previous diff reviews """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.regex-syntax]] who = "Android Legacy" criteria = "safe-to-run" version = "0.6.25" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.2" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.8.5" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.2 -> 0.8.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.3 -> 0.8.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex-syntax]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.4 -> 0.8.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.regex_automata]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.3.8" notes = "Reviewed in CL 563876644" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.regex_automata]] who = "Ben Saunders " criteria = "ub-risk-1" delta = "0.3.8 -> 0.4.3" notes = "Reviewed in CL 576161259" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.relative-path]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.9.3" notes = """ There is no net or fs usage, no crypto. There is unsafe to convert pointers from str to RelativePath, where the latter is a transparent wrapper around str so the pointer will be to a valid type/value always. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.relative-path]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "1.9.3" notes = "Reviewed in CL 820550361" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.remain]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.retain_mut]] who = "Gwendal Grignou " criteria = ["safe-to-run", "crypto-safe"] version = "0.1.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ring]] who = "Laura Peskin " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.16.12 -> 0.16.20" notes = """ Reviewed on: https://fxrev.dev/923001 (0.16.13 -> 0.16.20) Reviewed on: https://fxrev.dev/716624 (0.16.12 -> 0.16.13) """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.rinja_derive]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.3.5" notes = """ Reviewed in CL 691465402 The unsafe code is mostly in from_utf8_unchecked calls. It does not appear to be particularly performance-necessary, and the crate could use clearer tracking of these invariants. One bit of unsafe code relies on code in rinja_parser continuing to be ASCII-only. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rinja_parser]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.3.5" notes = """ Reviewed in CL 691465401 Review done alongside rinja_derive. The unsafe code is mostly in from_utf8_unchecked calls. It does not appear to be particularly performance-necessary, and the crate could use clearer tracking of these invariants. One bit of unsafe code relies on code in rinja_parser continuing to be ASCII-only. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.riscv-rt]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.riscv-rt-macros]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.riscv-target]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rlsf]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.2.1" notes = """ Reviewed in CL 710142550 Custom allocator crate doing a bunch of pointer math. Decent safety comments. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.roman-numerals-rs]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "3.1.0" notes = "Reviewed in CL 762479504" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rpassword]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "7.3.1" notes = "Reviewed in CL 702377827" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rstest]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] version = "0.17.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rstest]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] delta = "0.17.0 -> 0.22.0" notes = "No new unsafe. fs and net usage, but only in its own tests." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rstest_macros]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.17.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rstest_macros]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] version = "0.22.0" notes = """ There is no fs or net usage directly, though there is fs usage through the glob crate to get lists of files if the user asks for it in their macro. There is no unsafe. Scanned through all the code. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rstest_reuse]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] version = "0.5.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rstest_reuse]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto", "ub-risk-0"] delta = "0.5.0 -> 0.7.0" notes = "No new unsafe, looked through the changes which were minimal." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rtic-core]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rtic-monotonic]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rtic-syntax]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rtt-target]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rubato]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.14.1" notes = "Reviewed in CL 570228314" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rusb]] who = "Benjamin Gordon " criteria = "does-not-implement-crypto" version = "0.9.4" notes = "Files are straightforward wrappers around libusb functions." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rusb]] who = "Benjamin Gordon " criteria = "safe-to-run" version = "0.9.4" notes = """ * build.rs reads version info from libusb.h * Files in src are straightforward wrappers around libusb functions and don't do anything extra beyond tracking lifetimes. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rusqlite]] who = "" criteria = "ub-risk-3" version = "0.32.0" notes = """ Reviewed in CL 649389163 Issues found: - https://github.com/rusqlite/rusqlite/issues/1546 - Technically, free_boxed_value should use catch_unwind (minor) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rust_decimal]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.36.0" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits except: * Some reasonable `fs` usage in `build.rs`, under `make/scripts`, in one test * A single `unsafe` usage in one test. I think this still qualifies this crate as `ub-risk-0`. FWIW the test usage seems sound - see: https://chromium-review.googlesource.com/c/chromium/src/+/6187726/2/third_party/rust/chromium_crates_io/vendor/rust_decimal-1.36.0/tests/decimal_tests.rs ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rust_decimal]] who = "Chris Palmer " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.36.0 -> 1.37.0" notes = "New `unsafe` in a test." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustc-demangle]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc-demangle]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.21" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc-demangle]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.23" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustc-demangle]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.23 -> 0.1.24" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustc-demangle-capi]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc-hash]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.1.0" notes = "The hash this crate implements is explicitly non-cryptographic." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc-hash]] who = "Android Legacy" criteria = "safe-to-run" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc_version]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc_version]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.3 -> 0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustc_version]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustc_version]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.0 -> 0.4.1" notes = "No unsafe, net or fs." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustfft]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "6.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.36.7" notes = """ Precompiled files in `src/backend/linux_raw/arch/outline` were not audited. I'm also at all familiar with PowerPC asm, but the instructions seemed inoffensive. This crate provides random functions, but they simply proxy libc's, so no crypto is truly implemented here. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustix]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.38.32" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.36.7 -> 0.38.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustix-linux-procfs]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.1.1" notes = "Reviewed in CL 778504452" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rustversion]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustversion]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "1.0.14" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for: * Using trivially-safe `unsafe` in test code: ``` tests/test_const.rs:unsafe fn _unsafe() {} tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() }; ``` * Using `unsafe` in a string: ``` src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe, ``` * Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` which is later read back via `include!` used in `src/lib.rs`. Version `1.0.6` of this crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustversion]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.14 -> 1.0.15" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustversion]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.15 -> 1.0.16" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustversion]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.16 -> 1.0.17" notes = "Just updates windows compat" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustversion]] who = "Liza Burakova " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.17 -> 1.0.18" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustversion]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.18 -> 1.0.19" notes = "No unsafe, just doc changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rustversion]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.19 -> 1.0.20" notes = "Only minor updates to documentation and the mock today used for testing." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.rusty-fork]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustybuzz]] who = "Manish Goregaokar " criteria = "ub-risk-0" version = "0.12.0" notes = """ Reviewed in CL 649338374 Only unsafe is in examples """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.rustyline]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "10.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustyline]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "10.0.0 -> 9.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustyline-derive]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.rustyline-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.0 -> 0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ruzstd]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.4.0" notes = """ Reviewed in CL 557876502 Issues found: - https://github.com/KillingSpark/zstd-rs/issues/44 - extend_from_within_unchecked_branchless is hard to review but it's currently dead code """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ruzstd]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.6.0" notes = "Reviewed in CL 615772489" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ryu]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ryu-js]] who = "Ben Saunders " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.2.2" notes = """ Reviewed in CL 589126213 Issues found: - Internal unsoundness around the invariants of q and i in f2s_intrinsics.rs - Unclear bounds checking around get_unchecked in s2d.rs """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.safe_arch]] who = "Ben Saunders " criteria = "ub-risk-1" version = "0.7.4" notes = "Reviewed in CL 796208907" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.safemem]] who = "Gwendal Grignou " criteria = ["safe-to-run", "crypto-safe"] version = "0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.same-file]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.same-file]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.sapling-streampager]] who = "Ben Saunders " criteria = "ub-risk-4" version = "0.10.3" notes = """ Reviewed in CL 719162422 Issues found: - BufferWrite::written() must clamp """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.sbat]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.scoped-tls]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.scopeguard]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.scopeguard]] who = "Android Legacy" criteria = "safe-to-run" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.scopeguard]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.2.0" notes = """ Reviewed in CL 728831450 Implements a drop guard, unsafe code around ptr::read/ManuallyDrop and Sync impl. Rather clearly commented. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.scratch]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.scroll]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.12.0" notes = "Reviewed in CL 642006817" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.scudo]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.2" notes = "Scudo itself was not audited as a part of this review" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.seccompiler]] who = "Ben Saunders " criteria = ["ub-risk-1", "does-not-implement-crypto"] version = "0.3.0" notes = "Reviewed in CL 547754248" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.security-framework-sys]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "2.13.0" notes = """ Reviewed in CL 711542463 FFI """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.semver]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.semver]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.16" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.semver]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.20" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.20 -> 1.0.21" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.21 -> 1.0.22" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.22 -> 1.0.23" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.23 -> 1.0.24" notes = "Minor, `ptr_eq`-related changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.24 -> 1.0.25" notes = "No changes in `.rs` files except `doc` attribute changes in `lib.rs`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver]] who = "Daniel Cheng " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.25 -> 1.0.26" notes = "Only minor documentation updates." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.semver-parser]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.126" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.152" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.0.197" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. There were some hits for `net`, but they were related to serialization and not actually opening any connections or anything like that. There were 2 hits of `unsafe` when grepping: * In `fn as_str` in `impl Buf` * In `fn serialize` in `impl Serialize for net::Ipv4Addr` Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this review also covered `serde_json_lenient`). Version 1.0.130 of the crate has been added to Chromium in https://crrev.com/c/3265545. The CL description contains a link to a (Google-internal, sorry) document with a mini security review. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.197 -> 1.0.198" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.198 -> 1.0.201" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.201 -> 1.0.202" notes = "Trivial changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.202 -> 1.0.203" notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.203 -> 1.0.204" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.204 -> 1.0.207" notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.207 -> 1.0.209" notes = """ The delta carries fairly small changes in `src/private/de.rs` and `src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts of the crate (in `src/de/format.rs` and `src/ser/impls.rs`). """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.209 -> 1.0.210" notes = "Almost no new code - just feature rearrangement" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Liza Burakova " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.210 -> 1.0.213" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.213 -> 1.0.214" notes = "No unsafe, no crypto" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.214 -> 1.0.215" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.215 -> 1.0.216" notes = "The delta makes minor changes in `build.rs` - switching to the `?` syntax sugar." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.216 -> 1.0.217" notes = "Minimal changes, nothing unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.217 -> 1.0.218" notes = "No changes outside comments and documentation." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.218 -> 1.0.219" notes = "Just allowing `clippy::elidable_lifetime_names`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde-tuple-vec-map]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde-tuple-vec-map]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.1" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_bser]] who = "Ben Saunders " criteria = "ub-risk-2" version = "0.4.0" notes = "Reviewed in CL 696305035" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.serde_bytes]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.10.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_core]] who = "Luca Versari " criteria = "ub-risk-2" version = "1.0.228" notes = "Reviewed in CL 816638143" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.serde_derive]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.152" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = "ub-risk-0" version = "1.0.193" notes = 'Grepped for `\bunsafe\b` - there were no hits' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.195" notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.196" notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.197" notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "danakj " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.197 -> 1.0.201" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.201 -> 1.0.202" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.202 -> 1.0.203" notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.203 -> 1.0.204" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.204 -> 1.0.207" notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.207 -> 1.0.209" notes = ''' There are no code changes in this delta - see https://crrev.com/c/5812194/2..5 I've neverthless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`, `\bnet\b`, and `\bunsafe\b`. There were no hits. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.209 -> 1.0.210" notes = "Almost no new code - just feature rearrangement" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Liza Burakova " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.210 -> 1.0.213" notes = "Grepped for 'unsafe', 'crypt', 'cipher', 'fs', 'net' - there were no hits" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.213 -> 1.0.214" notes = "No changes to unsafe, no crypto" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.214 -> 1.0.215" notes = "Minor changes should not impact UB risk" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.215 -> 1.0.216" notes = "The delta adds `#[automatically_derived]` in a few places. Still no `unsafe`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.216 -> 1.0.217" notes = "No changes" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.217 -> 1.0.218" notes = "No changes outside comments and documentation." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_derive]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.0.218 -> 1.0.219" notes = "Minor changes (clippy tweaks, using `mem::take` instead of `mem::replace`)." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_jcs]] who = "Augie Fackler " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.1.0" notes = "Reviewed in CL 590122717" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.serde_json]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.64" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_json]] who = "Harshad Phule " criteria = "does-not-implement-crypto" version = "1.0.96" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_json]] who = "Harshad Phule " criteria = "safe-to-run" version = "1.0.96" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_json]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.108" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.108 -> 1.0.111" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.111 -> 1.0.113" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.113 -> 1.0.114" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.114 -> 1.0.115" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Dustin J. Mitchell " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.115 -> 1.0.116" notes = "No changes that affect safety to run, and no crypto" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.116 -> 1.0.117" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.117 -> 1.0.120" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.120 -> 1.0.122" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.122 -> 1.0.124" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.124 -> 1.0.127" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.127 -> 1.0.128" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.128 -> 1.0.132" notes = """ Methods moved into new deserializer trait in de.rs. New methods for converting Number to i128 or u128 in number.rs No new unsafe changes. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.132 -> 1.0.133" notes = "No changes affecting safety-to-run and still no crypto" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.133 -> 1.0.134" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.134 -> 1.0.137" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Liza Burakova " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.137 -> 1.0.138" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json]] who = "Daniel Cheng " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.138 -> 1.0.140" notes = "Only minor fixes for clippy and documentation updates." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json_lenient]] who = "danakj@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.1.8" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. There were some hits for `fs` and `net`, but they were in comments. Unsafe review comments can be found in https://crrev.com/c/5350573/2. There were 8 hits of `unsafe` when grepping. Version 0.1.4 of the crate was added to Chromium in https://crrev.com/c/3511416. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json_lenient]] who = "danakj@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.1.8 -> 0.2.0" notes = """ Reviewed in https://crrev.com/c/5361256 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json_lenient]] who = "djmitche@chromium.org" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.2.0 -> 0.2.1" notes = """ Reviewed in https://crrev.com/c/5385822 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json_lenient]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.2.1 -> 0.2.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_json_lenient]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.2.3 -> 0.2.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.serde_spanned]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_urlencoded]] who = "ChromeOS" criteria = "safe-to-run" version = "0.7.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serde_yml]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.0.12" notes = """ Reviewed in https://github.com/sebastienrousseau/libyml DO NOT USE, ported from libyml using c2rust, and then \"fixed\" by an LLM, with unsound code like https://github.com/sebastienrousseau/libyml/blob/2d23ead2742c196b0e65004a9ed353bc30bea6ad/src/document.rs#L711-L715 Should be strongly avoided. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.serial-core]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serial-unix]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serial_test]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.serial_test_derive]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.sfv]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.9.4" notes = ''' Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.sfv]] who = "amarjotgill " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.10.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.sha1]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-1"] version = "0.10.5" notes = "Reviewed on https://fxrev.dev/712371." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.sha1_smol]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.0.0" notes = "Reviewed in CL 581562531" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.shell-words]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shell-words]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.1.0" notes = "`rg -i unsafe` had exactly one hit: `#![forbid(unsafe_code)]`" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shlex]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shlex]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shlex]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shlex]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shlex]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.1.0 -> 1.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.shlex]] who = [ "Manish Goregaokar ", "Augie Fackler ", ] criteria = "ub-risk-3" version = "1.3.0" notes = """ Reviewed in CL 600742555 This crate appears safe, but it's not clear that the unchecked utf8 stuff is necessary given the use case, and it relies on undocumented invariants from the bytes iterator code. Would be nice to have these properties documented and fuzz tested. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.shpool_pty]] who = "Ben Saunders " criteria = "ub-risk-4" version = "0.1.0" notes = """ Reviewed in CL 578198476 Issues: - Data race in Fork::new """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.shpool_pty]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.2.1" notes = "Reviewed in CL 578198476" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.shpool_pty]] who = "Ben Saunders " criteria = ["ub-risk-2-thorough", "does-not-implement-crypto"] version = "0.3.0" notes = "Reviewed in CL 578198476" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.signal-hook-registry]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.simd-adler32]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.3.7" notes = """ Security review of earlier versions of the crate can be found at (Google-internal, sorry): go/image-crate-chromium-security-review Audit comments for 1.3.2 can be found at https://crrev.com/c/4723145. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.simd-json]] who = "Ben Saunders " criteria = "ub-risk-4" version = "0.13.10" notes = """ Reviewed in CL 661175961 Issues found: - Review incomplete: Pervasive undocumented unsafety. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.simple_logger]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.simple_logger]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "4.3.3" notes = """ Reviewed in CL 706757224 Uses unsafe for interfacing with Windows tty APIs """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.skiplist]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.5.1" notes = "Reviewed in CL 769416918" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.skrifa]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.19.0" notes = """ Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits (except for benign \"fs\" hit in `skrifa-0.19.0/src/color/traversal_tests/mod.rs`). For overall `safe-to-deploy` and `does-not-implement-crypto` I am mostly relying on certification by the Chromium engineers who work on the library (mostly drott@chromium.org). """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "drott@chromium.org" criteria = ["ub-risk-1", "safe-to-deploy", "does-not-implement-crypto"] delta = "0.15.2 -> 0.15.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.0 -> 0.19.1" notes = "Crate has `forbid_unsafe` and no unsafe code. Changes all appear font-related and safe." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.1 -> 0.19.2" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.2 -> 0.19.3" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.19.3 -> 0.20.0" notes = "Contains mainly preparatory autohint changes and data tables." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.20.0 -> 0.22.0" notes = "Changes for adding autohinting support. Crates forbids unsafe code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.22.0 -> 0.22.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.22.1 -> 0.22.3" notes = "Matching FreeType advances more closely, through usage of hdmx and other fixes. Path retrieval speedups." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.22.3 -> 0.23.0" notes = "Incremental Font Transfer patchset implementation removed, important fixes for path retrievel from CFF fonts with empty PrivateDict." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.23.0 -> 0.24.0" notes = "Skrifa updates for using wrapping arithmetic in CFF private dict parsing." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.24.0 -> 0.24.1" notes = "COLRv1 bounds fix, fixes for underflows/overflows." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.24.1 -> 0.26.3" notes = "Support for fonts that rely on hinting (like FreeType's \"tricky\" font detection). Overflow fixes, cycle detection in autohinting. cff overflow fixes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.26.3 -> 0.26.4" notes = "Improvements for computing advances for hinted variable fonts, when hvar is missing." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.26.4 -> 0.26.5" notes = "Contains fixes for hdmx metrics for fonts such as Arimo, Tinos, Market Sans." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.26.5 -> 0.27.0" notes = "Mostly a fuzzer fix, rejecting oversized composite outlines." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.27.0 -> 0.28.0" notes = "Minor clippy fix." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.28.0 -> 0.28.1" notes = "Fix for gsub hang, limits to cmap 12 iterator." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Dominik Röttsches " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.28.1 -> 0.29.0" notes = "Glyf/gvar performance improvements, glyph names API, malloc-free cycle detection." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.skrifa]] who = "Augie Fackler " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.16.0" notes = "Reviewed in CL 614825012" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.slab]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.slab]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.4.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.slab]] who = "Android Legacy" criteria = "safe-to-run" version = "0.4.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.slotmap]] who = "Augie Fackler " criteria = "ub-risk-2" version = "1.0.6" notes = "Reviewed in CL 647314509" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.small_ctor]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.small_ctor]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.1 -> 0.1.2" notes = "I don't fully understand the changes in `lib.rs` but they seem to meet the low bar of `safe-to-run`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.smallstr]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.3.0" notes = "Reviewed in CL 740466574" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.smallvec]] who = "Android Legacy" criteria = "safe-to-run" version = "1.6.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.smallvec]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.10.0 -> 1.13.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.smallvec]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto"] version = "1.13.2" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.smallvec]] who = "Jonathan Hao " criteria = ["safe-to-deploy", "does-not-implement-crypto"] delta = "1.13.2 -> 1.14.0" notes = """ WARNING: This certification is a result of a **partial** audit. The `malloc_size_of` feature has **not** been audited. This feature does not explicitly document its safety requirements. See also https://chromium-review.googlesource.com/c/chromium/src/+/6275133/comment/ea0d7a93_98051a2e/ and https://github.com/servo/malloc_size_of/issues/8. This feature is banned in gnrt_config.toml. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.smallvec]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "1.11.0" notes = "Reviewed in CL 552492992" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.smol_str]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.2.0" notes = "Reviewed in CL 558187227" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.socket2]] who = "Vovo Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.socket2]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.4.4 -> 0.5.5" notes = "Reviewed at https://fxrev.dev/946307" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.speedate]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.13.0" notes = """ Reviewed in CL 614967252 Would be rather straightforward to add safety comments """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.spidev]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.spin]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.sptr]] who = "Augie Fackler " criteria = "ub-risk-2" version = "0.3.2" notes = "Reviewed in CL 660053567" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.stable-deref-trait]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "1.2.0" notes = """ Reviewed in Purely a trait, crates using this should be carefully vetted since self-referential stuff can be super tricky around various unsafe rust edges. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.stable_deref_trait]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.stable_deref_trait]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.2.0" notes = "Purely a trait, crates using this should be carefully vetted since self-referential stuff can be super tricky around various unsafe rust edges." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.static_assertions]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.static_assertions]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "1.1.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` and there were no hits except for one `unsafe`. The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code never runs) and is only introduced for some compile-time checks. Additional unsafe review comments can be found in https://crrev.com/c/5353376. This crate has been added to Chromium in https://crrev.com/c/3736562. The CL description contains a link to a document with an additional security review. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.stderrlog]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.strck]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.strck]] who = "Manish Goregaokar " criteria = "ub-risk-1" version = "1.0.0" notes = "Reviewed in CL 685732460" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.strength_reduce]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.strsim]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.10.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.strsim]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.strsim]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.10.0 -> 0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.strsim]] who = "danakj@chromium.org" criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-0"] version = "0.10.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.strsim]] who = "Lukasz Anforowicz " criteria = "ub-risk-0" version = "0.11.0" notes = "No `unsafe`" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.strsim]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.10.0 -> 0.11.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.strsim]] who = "Adrian Taylor " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.11.0 -> 0.11.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.structopt-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.strum]] who = "danakj@chromium.org" criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-0"] version = "0.25.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.strum_macros]] who = "danakj@chromium.org" criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-0"] version = "0.25.3" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.svd-parser]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.12.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.swc_atoms]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.5.7" notes = "Reviewed in CL 547104864" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.swc_common]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.31.17" notes = """ Reviewed in CL 547720673 Issues found: - https://github.com/swc-project/swc/issues/7709 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.swc_ecma_ast]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.107.0" notes = "Reviewed in CL 545304253" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.swc_ecma_parser]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.137.1" notes = """ Reviewed in CL 545304254 Issues found: - https://github.com/swc-project/swc/issues/7797 - https://github.com/swc-project/swc/issues/7752 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.swc_visit]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.5.7" notes = "Reviewed in CL 546872016" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.sxd-document]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.3.2" notes = """ Reviewed in CL 764633109 Issues found: - Large quantities of mostly undocumented, difficult-to-audit raw pointer manipulation, but these seem to all bake down to sound use of arena-owned memory. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.syn]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.69" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "ChromeOS" criteria = "safe-to-run" version = "1.0.80" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.107" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.58" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.107 -> 2.0.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.0.14 -> 2.0.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.0.18 -> 2.0.28" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.0.28 -> 2.0.38" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.0.58 -> 2.0.77" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.0.77 -> 2.0.87" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syn]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.109" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.syn]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "2.0.29" notes = "Reviewed in CL 559769881" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.sync_wrapper]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.sync_wrapper]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.sync_wrapper]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.1.2" notes = "Reviewed in CL 605332043" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.synom]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.synstructure]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.12.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.synstructure]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.12.4 -> 0.13.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.synstructure]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.13.1" notes = "Exposes unsafe codegen APIs but does not itself contain unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.sys-info]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.9.1" notes = """ In c/linux.c, this includes some custom hashing logic for a C hashvector. This is only run on disk device names, and is very obviously not meant to be crypto, so does-not-implement-crypto is fine here. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.sysfs_gpio]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syslog]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "6.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.syslog_rfc5424]] who = "Edward O'Callaghan " criteria = ["safe-to-run", "crypto-safe"] version = "0.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.take_mut]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] version = "0.2.2" notes = "Reviewed on https://fxrev.dev/883543" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.tar]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.40" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tar]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.4.0" notes = "Reviewed in CL 627536088" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tar]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.4.40 -> 0.4.42" notes = "Reviewed in CL 688729490" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tempfile]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tempfile]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "3.10.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.temporal_capi]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.0.6" notes = "No unsafe or crypto." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.temporal_rs]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "0.0.6" notes = "No crypto. Minor unsafe maintaining some additional invariants that are not actually safety-critical." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.termcolor]] who = "Android Legacy" criteria = "safe-to-run" version = "1.1.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.termcolor]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.termcolor]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.4.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.termcolor]] who = "Lukasz Anforowicz " criteria = "ub-risk-0" version = "1.4.0" notes = "No `unsafe`." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.termcolor]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.4.0 -> 1.4.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.terminal_size]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.4.2" notes = "Reviewed in CL 756344022" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.termios]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.termios]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.3.3" notes = """ Reviewed in CL 715944917 Issues found: - mem::uninitialized (https://github.com/dcuddeback/termios-rs/pull/28) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.termtree]] who = "Max Lee " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.termwiz]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.22.0" notes = "Reviewed in CL 715944910" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.testing_logger]] who = "Christoph Schlosser " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.textwrap]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.textwrap]] who = "Android Legacy" criteria = "safe-to-run" version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.textwrap]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.15.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.textwrap]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.15.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.textwrap]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tfhe]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.3.1" notes = """ Reviewed in CL 557823618 Issues found: - https://github.com/zama-ai/tfhe-rs/issues/526 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tfhe-csprng]] who = "" criteria = "ub-risk-2" version = "0.5.0" notes = "Reviewed in CL 758730716" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tfhe-ntt]] who = "" criteria = "ub-risk-2" version = "0.6.0" notes = "Reviewed in CL 761105022" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.thiserror]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.23" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.50" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.58" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.58 -> 2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror-impl]] who = "Android Legacy" criteria = "safe-to-run" version = "1.0.23" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror-impl]] who = "Abhishek Pandit-Subedi " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.50" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror-impl]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.58" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thiserror-impl]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.0.58 -> 2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thread_local]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.1.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.thread_local]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "1.0.1 -> 1.1.7" notes = "Reviewed on https://fxrev.dev/906819" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.threadpool]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.8.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tiff]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.9.0" notes = "Reviewed in CL 745174015" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tiktoken]] who = "" criteria = "ub-risk-3" version = "0.12.0" notes = "Reviewed in CL 817400202" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.time]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.3.37" notes = """ Reviewed in CL 735478267 Uses unsafe to maintain calendrical invariants (is this necessary?) The comments are rather deficient: the underlying invariants are not tracked consistently and the math needs to be hand checked at times. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.time-macros]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.time-macros]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.2.15" notes = "Reviewed in CL 580962188" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.timeout-readwrite]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tinystr]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tinystr]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "0.8.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinystr]] who = "Lukasz Anforowicz " criteria = "does-not-implement-crypto" delta = "0.8.0 -> 0.8.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinytemplate]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tinyvec]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "1.6.0" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits except for some \"unsafe\" appearing in comments: ``` src/arrayvec.rs: // Note: This shouldn't use A::CAPACITY, because unsafe code can't rely on src/lib.rs://! All of this is done with no `unsafe` code within the crate. Technically the src/lib.rs://! `Vec` type from the standard library uses `unsafe` internally, but *this src/lib.rs://! crate* introduces no new `unsafe` code into your project. src/array.rs:/// Just a reminder: this trait is 100% safe, which means that `unsafe` code ``` This crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/24773c33e1b7a1b5069b9399fd034375995f290b """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinyvec]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.6.0 -> 1.6.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinyvec]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.6.1 -> 1.7.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinyvec]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.7.0 -> 1.8.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinyvec]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.8.0 -> 1.8.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinyvec]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "1.8.1 -> 1.9.0" notes = """ Larger delta, but no unsafe code introduced. Deltas for: - borsh (Binary Object Representation Serializer for Hashing) serialization/deserialization support behind the `borsh` feature. - trait implementations to interoperate with the generic-array crate - miscellaneous helper functions and support code, e.g. `into_vec()`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.tinyvec_macros]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tinyvec_macros]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.0" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokenizers]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.19.1" notes = """ Reviewed in CL 684450749 Issues found: - UB with static mut https://github.com/huggingface/tokenizers/issues/1491 - underdocumented safety invariants in cases that need more documentation (PR in https://github.com/huggingface/tokenizers/pull/1651) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tokenizers]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.20.1" notes = """ Reviewed in CL 684450749 Issues found: - underdocumented safety invariants in cases that need more documentation (PR in https://github.com/huggingface/tokenizers/pull/1651) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tokenizers]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] delta = "0.20.1 -> 0.20.4" notes = "Reviewed in CL 706934375" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tokenizers-python]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.20.1" notes = "Reviewed in CL 687963248" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tokio]] who = "Android Legacy" criteria = "safe-to-run" version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio]] who = "Vovo Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.29.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "1.19.2 -> 1.20.5" notes = "Reviewed on http://fxrev.dev/904806" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.tokio]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "1.20.5 -> 1.25.2" notes = "Reviewed at https://fxrev.dev/906324" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.tokio-io-timeout]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio-io-timeout]] who = "ChromeOS" criteria = "safe-to-run" version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio-macros]] who = "Android Legacy" criteria = "safe-to-run" version = "1.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio-macros]] who = "Vovo Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio-stream]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tokio-stream]] who = "David Koloski " criteria = ["ub-risk-1", "safe-to-deploy"] version = "0.1.11" notes = "Reviewed on https://fxrev.dev/804724" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.tokio-stream]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-0"] delta = "0.1.11 -> 0.1.14" notes = "Reviewed on https://fxrev.dev/907732." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.tokio-util]] who = "ChromeOS" criteria = "safe-to-run" version = "0.7.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.toml]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.toml]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.5.10 -> 0.8.19" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.toml_datetime]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.toml_edit]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.22.20" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.toml_edit]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.22.12" notes = """ Reviewed in CL 628398549 Issues found: - Better documented safety: https://github.com/toml-rs/toml/pull/720 - Unclear on mll_quotes and mlb_quotes being safe """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tonic]] who = "ChromeOS" criteria = "safe-to-run" version = "0.8.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tonic-build]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tower]] who = "ChromeOS" criteria = "safe-to-run" version = "0.4.13" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tower-http]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tower-layer]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tower-layer]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tower-service]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tower-service]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tracing]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.35" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tracing]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.1.39" notes = """ Reviewed in CL 573852894 Issues found: - https://github.com/tokio-rs/tracing/pull/2765 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tracing]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.1.40 -> 0.1.41" notes = """ Reviewed in CL 709456617 Previous UB was fixed. Small amount of unsafe, well-commented. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tracing-attributes]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.22" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tracing-core]] who = "ChromeOS" criteria = "safe-to-run" version = "0.1.29" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tracing-core]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.1.21 -> 0.1.31" notes = "Reviewed on https://fxrev.dev/906816" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.tracing-core]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.1.30" notes = "Reviewed in CL 555490997" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tracing-core]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.1.30 -> 0.1.32" notes = "Reviewed in CL 573852436" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tracing-futures]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.2.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tracing-futures]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.tracing-log]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.2.0" notes = "Reviewed in CL 585090968" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.tracing-subscriber]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] delta = "0.3.1 -> 0.3.15" notes = "Reviewed on https://fxrev.dev/907708" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.transpose]] who = "Li-Yu Yu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.transpose]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.2.2 -> 0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.transpose]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.2.2" notes = "Reviewed in CL 551680548" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.triomphe]] who = "Taylor Cramer " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.1.8" notes = """ Reviewed in CL 545304280 Issues found: - https://github.com/Manishearth/triomphe/pull/62 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.triomphe]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.1.9" notes = "Reviewed in CL 545304280" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.try-lock]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.try-lock]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.twox-hash]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.6.3" notes = "Non-cyptographic hashing function" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.twox-hash]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "2.1.0" notes = """ Reviewed in CL 735469359 Unsafe found: - Some unchecked indexing based on internal invariants - A bunch of target specific simd and simple asm - Some unsafe traits - Some casting between different integer buffer types, correctly handling alignment """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.typed-arena]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "2.0.2" notes = "Reviewed in CL 545304268" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.typeid]] who = "" criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "1.0.2" notes = "Reviewed in CL 707957977" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.typewit]] who = "Augie Fackler " criteria = "ub-risk-2" version = "1.11.0" notes = "Reviewed in CL 746362951" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.uart_16550]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ucs2]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ucs2]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.2 -> 0.3.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uds]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "0.2.6" notes = """ Reviewed in CL 552861165 Issues found: - https://github.com/tormol/uds/issues/11 - https://github.com/tormol/uds/pull/9, https://github.com/tormol/uds/pull/10 - https://github.com/tormol/uds/issues/12 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.uds]] who = [ "Manish Goregaokar ", "Augie Fackler ", "", ] criteria = "ub-risk-4" version = "0.4.1" notes = """ Reviewed in CL 568546769 Issues found: - https://github.com/tormol/uds/pull/14 - https://github.com/tormol/uds/pull/15 - https://github.com/tormol/uds/issues/16 - https://github.com/tormol/uds/issues/17 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.uefi]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.19.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.20.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.23.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.25.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Joseph Sussman " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.25.0 -> 0.27.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.27.0 -> 0.28.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.28.0 -> 0.29.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.29.0 -> 0.31.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.31.0 -> 0.32.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.32.0 -> 0.33.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.10.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.12.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "Joseph Sussman " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.12.0 -> 0.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.13.0 -> 0.14.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.14.0 -> 0.15.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.15.0 -> 0.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-macros]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.16.0 -> 0.17.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Joseph Sussman " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.4.0 -> 0.5.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.5.1 -> 0.5.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.5.2 -> 0.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.6.0 -> 0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0 -> 0.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-raw]] who = "Andre Braga " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.8.0 -> 0.9.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-services]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.16.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-services]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.17.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-services]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.20.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-services]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.22.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uefi-services]] who = "Joseph Sussman " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.22.0 -> 0.24.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ufmt]] who = "Taylor Cramer " criteria = "ub-risk-3" version = "0.2.0" notes = "Reviewed in CL 587894431" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.ufmt-write]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.ufmt-write]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.1.0" notes = """ Reviewed in CL 587772035 Issues found: - https://github.com/japaric/ufmt/pull/60 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.uguid]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uguid]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uguid]] who = "Nicholas Bishop " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uguid]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "2.1.0 -> 2.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uhid-virt]] who = "Zhengping Jiang " criteria = "does-not-implement-crypto" version = "0.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uhid-virt]] who = "Zhengping Jiang " criteria = "safe-to-run" version = "0.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uhidrs-sys]] who = "Zhengping Jiang " criteria = "does-not-implement-crypto" version = "1.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uhidrs-sys]] who = "Zhengping Jiang " criteria = "safe-to-run" version = "1.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicase]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.6.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-bidi]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "0.3.18" notes = "Contains one line of repr(transparent) unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-bom]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "2.0.2" notes = "Reviewed in CL 581562581" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.unicode-ident]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-ident]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "1.0.12" notes = ''' I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. All two functions from the public API of this crate use `unsafe` to avoid bound checks for an array access. Cross-module analysis shows that the offsets can be statically proven to be within array bounds. More details can be found in the unsafe review CL at https://crrev.com/c/5350386. This crate has been added to Chromium in https://crrev.com/c/3891618. ''' aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-ident]] who = "Dustin J. Mitchell " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.12 -> 1.0.13" notes = "Lots of table updates, and tables are assumed correct with unsafe `.get_unchecked()`, so ub-risk-2 is appropriate" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-ident]] who = "Lukasz Anforowicz " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.13 -> 1.0.14" notes = "Minimal delta in `.rs` files: new test assertions + doc changes." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-ident]] who = "Adrian Taylor " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.14 -> 1.0.15" notes = "No changes relevant to any of these criteria." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-ident]] who = "Liza Burakova " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.15 -> 1.0.16" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-ident]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "1.0.16 -> 1.0.18" notes = "Only minor comment and documentation updates." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-linebreak]] who = "Lukasz Anforowicz " criteria = ["ub-risk-0", "safe-to-deploy", "does-not-implement-crypto"] version = "0.1.5" notes = """ Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` and there were no hits. Version `0.1.2` of this crate has been added to Chromium in https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb The CL description contains a link to a Google-internal document with audit details. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-normalization]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.22" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-reverse]] who = "Ben Saunders " criteria = "ub-risk-1" version = "1.0.8" notes = "Reviewed in CL 622744657" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.unicode-segmentation]] who = "Android Legacy" criteria = "safe-to-run" version = "1.7.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-segmentation]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-width]] who = "Android Legacy" criteria = "safe-to-run" version = "0.1.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-width]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-width]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.11" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-width]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.11 -> 0.1.12" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-width]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.12 -> 0.1.13" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-width]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.13 -> 0.1.14" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.0.4" notes = "`rg -i unsafe` had exactly one hit: `#![deny(missing_docs, unsafe_code)]`" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.0" notes = "`rg -i unsafe` had exactly one hit: `#![deny(missing_docs, unsafe_code)]`" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "Android Legacy" criteria = "safe-to-run" version = "0.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.2.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.2.4" notes = "`rg -i unsafe` had exactly one hit: `#![forbid(unsafe_code)]`" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unicode-xid]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] delta = "0.1.0 -> 0.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uniffi_macros]] who = "" criteria = "ub-risk-3" version = "0.29.1" notes = "Reviewed in CL 752709844" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.unindent]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.1.10" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.unindent]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.1.10" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uninit]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uninit]] who = "Howard Yang " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.url]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.urlencoding]] who = "Luca Versari " criteria = "ub-risk-2" version = "2.1.3" notes = "Reviewed in CL 778639303" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.userfaultfd]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.userfaultfd]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.5.0 -> 0.7.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.userfaultfd]] who = "Shintaro Kawamura " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0 -> 0.8.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.userfaultfd-sys]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.userfaultfd-sys]] who = "Dennis Kempin " criteria = ["safe-to-deploy", "does-not-implement-crypto"] delta = "0.4.2 -> 0.5.0" notes = "First party code managed by Googlers on github" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.userfaultfd-sys]] who = "Dennis Kempin " criteria = ["safe-to-deploy", "does-not-implement-crypto"] delta = "0.4.2 -> 0.5.0" notes = "First party code, managed by Googlers on GitHub" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.utf16_iter]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.utf16_iter]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "1.0.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.utf8_iter]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.utf8_iter]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "1.0.4" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.utf8parse]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.utf8parse]] who = "Ying Hsu " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.utf8parse]] who = "David Koloski " criteria = ["safe-to-deploy", "ub-risk-2"] version = "0.2.1" notes = "Reviewed on https://fxrev.dev/904811" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [[audits.utf8parse]] who = "Augie Fackler " criteria = "ub-risk-3" version = "0.2.1" notes = "Reviewed in CL 559131770" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.uuid]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.3.0" notes = "Randomness and hashing involved in UUID generation is sourced from other crates." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.uuid]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "1.3.0 -> 1.8.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.v4l2r]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.v4l2r]] who = "Justin Green " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.v4l2r]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.0.5 -> 0.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vcell]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vcpkg]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.11" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vec_map]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.8.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.version_check]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "0.9.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.version_check]] who = "George Burgess IV " criteria = "ub-risk-0" version = "0.9.4" notes = "`rg -i unsafe` resulted in zero hits for this package." aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vfio-bindings]] who = "Taylor Cramer " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.3.1" notes = "Reviewed in CL 545971960" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vfio-ioctls]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.1.0" notes = "Reviewed in CL 545971961" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vhost]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.7.0" notes = "Reviewed in CL 546255068" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vhost]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.8.0" notes = """ Reviewed in CL 559359624 Issues found: - https://github.com/rust-vmm/vhost/pull/184 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vhost]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.8.1" notes = "Reviewed in CL 559359624" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vhost-user-backend]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.10.1" notes = "Reviewed in CL 559122379" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.virtio]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.2.1" notes = "Reviewed in CL 557159752" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.virtio-media]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.virtio-media]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.virtio-media]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.0.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.virtio-media]] who = "Alexandre Courbot " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.0.5 -> 0.0.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.virtio-media]] who = "Daniel Verkamp " criteria = ["safe-to-run", "crypto-safe"] delta = "0.0.6 -> 0.0.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.virtio-media]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.0.6 -> 0.0.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.virtio-queue]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.12.0 -> 0.14.0" notes = """ Reviewed in CL 717945204 No change to unsafe since last review """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.virtio-queue]] who = "Augie Fackler " criteria = "ub-risk-2" delta = "0.9.0 -> 0.12.0" notes = "Reviewed in CL 634659048" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.virtiofsd]] who = "Manish Goregaokar " criteria = ["ub-risk-3", "does-not-implement-crypto"] version = "1.6.1" notes = """ Reviewed in CL 548811972 Issues found: - https://gitlab.com/virtio-fs/virtiofsd/-/issues/113 (only an issue for library users) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vm-memory]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.12.1" notes = """ Reviewed in CL 556862067 Issues found: - https://github.com/rust-vmm/vm-memory/issues/250 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vm-memory]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.12.1" notes = """ Reviewed in CL 556862067 Issues from previous review fixed """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vm-memory]] who = "Ben Saunders " criteria = ["ub-risk-4", "does-not-implement-crypto"] version = "0.13.1" notes = """ Reviewed in CL 595684339 Issues found: - https://github.com/rust-vmm/vm-memory/issues/281 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vmm_sys_util]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.12.1" notes = "Reviewed in CL 599627630" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.void]] who = "George Burgess IV " criteria = ["does-not-implement-crypto", "safe-to-deploy"] version = "1.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.void]] who = "George Burgess IV " criteria = "ub-risk-0" version = "1.0.2" notes = """ `rg -i unsafe` in this crate had one hit: a comment on a function mentioning that the aforementioned function should be impossible to call _unless_ `unsafe` was used to incorrectly construct an object. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.volatile]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.volatile-register]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vsock]] who = "Dennis Kempin " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.0" notes = """ The crate provides a simple wrapper to mimick the TcpListener/TcpStream APIs with vsock sockets. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vsock]] who = "Eri Sawada " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.vte]] who = "Manish Goregaokar " criteria = "ub-risk-4" version = "0.12.0" notes = """ Reviewed in CL 579243289 Issues found: - https://github.com/alacritty/vte/pull/102 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vte]] who = "Manish Goregaokar " criteria = "ub-risk-3" delta = "0.12.0 -> 0.12.1" notes = """ Reviewed in CL 725665450 Issues found in previous audit fixed. Not reaudited to check if it qualifies for ub-risk-2 or above, but appears to need more unsafe comments. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.vtparse]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.6.2" notes = "Reviewed in CL 716291286" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wait-timeout]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.walkdir]] who = "Android Legacy" criteria = "safe-to-run" version = "2.3.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.walkdir]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "2.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.walkdir]] who = "Android Legacy" criteria = "safe-to-run" version = "2.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.want]] who = "George Burgess IV " criteria = "does-not-implement-crypto" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.want]] who = "ChromeOS" criteria = "safe-to-run" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.wasefire-applet-api]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.7.0" notes = "Reviewed in CL 699241799" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasefire-applet-api-desc]] who = "Manish Goregaokar " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.2.1" notes = """ Reviewed in CL 699230688 Would be nice to have comments """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasm-bindgen]] who = "" criteria = "ub-risk-2" version = "0.2.92" notes = "Reviewed in CL 643989424" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasm-bindgen]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.2.92 -> 0.2.93" notes = """ Reviewed in CL 695250202 Not much unsafe diff from last review """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasm-bindgen-backend]] who = "" criteria = "ub-risk-2" version = "0.2.92" notes = "Reviewed in CL 643989422" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasm-bindgen-backend]] who = "Manish Goregaokar " criteria = "ub-risk-2" delta = "0.2.92 -> 0.2.93" notes = "Reviewed in CL 695250202" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasm-bindgen-futures]] who = "Ben Saunders " criteria = "ub-risk-2" version = "0.4.43" notes = "Reviewed in CL 696456463" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasm-bindgen-macro]] who = "" criteria = "ub-risk-1" version = "0.2.92" notes = "Reviewed in CL 643989420" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasmparser]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.214.0" notes = "Reviewed in CL 737530206" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wasmtime-cache]] who = "" criteria = "ub-risk-2" version = "27.0.0" notes = "Reviewed in CL 722783271" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wezterm-color-types]] who = "Luca Versari " criteria = "ub-risk-2" version = "0.3.0" notes = "Reviewed in CL 716390757" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.wezterm-dynamic]] who = "" criteria = "ub-risk-2" version = "0.2.0" notes = "Reviewed in CL 716296241" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.which]] who = "Android Legacy" criteria = "safe-to-run" version = "3.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.which]] who = "Android Legacy" criteria = "safe-to-run" version = "4.0.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.which]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "4.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.wide]] who = "" criteria = "ub-risk-2" version = "0.7.33" notes = "Reviewed in CL 796208909" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.winapi]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.9" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.winapi-util]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.6" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.winapi-util]] who = "danakj " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.6 -> 0.1.8" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.winapi-util]] who = "Lukasz Anforowicz " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.1.8 -> 0.1.9" notes = "The delta only changes Cargo.toml." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.windows-core]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.52.0" notes = "Implements Windows system APIs" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.winnow]] who = "Hung-Hsien Chen " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.6.18" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.winnow]] who = "Taylor Cramer " criteria = "ub-risk-2" version = "0.5.19" notes = "Reviewed in CL 581220347" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.write16]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.write16]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "1.0.0" notes = "No unsafe code." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.writeable]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.5.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.writeable]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] version = "0.6.0" notes = "Contains three lines of unsafe, thoroughly commented: one is for from-UTF8 on ASCII, the other two are for from-UTF8 on a datastructure that keeps track of a buffer with partial UTF8 validation. Relatively straigtforward." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.writeable]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-1"] delta = "0.6.0 -> 0.6.1" notes = "Minor comment/documentation updates and switch to a non-panicking alternative to split_at()." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.wycheproof]] who = "danakj@chromium.org" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.4.0" notes = """ Reviewed in https://crrev.com/c/5171063 Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.wyz]] who = "ChromeOS" criteria = "safe-to-run" version = "0.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.xattr]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.0.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.xlsynth]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.0.11" notes = """ Reviewed in CL 644646753 - Uses dlsym for FFI, could use more safety docs separating dlsym unsafety from C API unsafety """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.xlsynth]] who = "Luca Versari " criteria = "ub-risk-4" version = "0.29.0" notes = "Reviewed in CL 684413090" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.xlsynth-sys]] who = "Taylor Cramer " criteria = "ub-risk-2" delta = "0.0.181 -> 0.0.184" notes = "Reviewed in CL 807825913" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.xxhash-rust]] who = "Luca Versari " criteria = "ub-risk-3" version = "0.8.15" notes = "Reviewed in CL 747784964" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.xxhash-rust]] who = "Taylor Cramer " criteria = "ub-risk-4" version = "0.8.6" notes = """ Reviewed in CL 552861145 Many internal functions that are `unsafe` to call are not marked `unsafe`. See https://github.com/DoumanAsh/xxhash-rust/issues/29 """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.xz2]] who = "Bastian Kersting " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.yansi]] who = "Ben Saunders " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "1.0.1" notes = "Reviewed in CL 705950806" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.yansi-term]] who = "" criteria = "ub-risk-2" version = "0.1.2" notes = "Reviewed in CL 701084302" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.yoke]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.yoke]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto"] version = "0.7.5" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.yoke]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.7.5 -> 0.8.0" notes = """ Cleaning up a previous hack for adding trait bounds to yoke objects. Unsafe changes: - deleting the hack itself removes a lot of unsafe use required in the hack's implementation - changes another unsafe use to remove the use of the hack, now that it's no longer needed See https://crrev.com/c/6323349 for more audit notes. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.yoke]] who = "Luca Versari " criteria = ["ub-risk-2", "does-not-implement-crypto"] version = "0.7.4" notes = """ Reviewed in https://github.com/unicode-org/icu4x/pull/5046 Review performed as PR: https://github.com/unicode-org/icu4x/pull/5046. Minor docs improvements, plus known currently-unsolvable issue around potential future noalias UB (https://github.com/unicode-org/icu4x/issues/2095) """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.yoke]] who = "Luca Versari " criteria = ["ub-risk-2", "does-not-implement-crypto"] delta = "0.7.4 -> 0.7.5" notes = """ Reviewed in CL 700087030 Patches from last review all applied """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.yoke-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.yoke-derive]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.7.5" notes = "Custom derive implementing the `Yokeable` trait. Generally generates simple code that asserts covariance." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.yoke-derive]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.7.5 -> 0.8.0" notes = "No code changes: only incrementing the version." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.yrs]] who = "Ben Saunders " criteria = "ub-risk-4" version = "0.23.0" notes = """ Reviewed in CL 740466576 Issues found: - Unsoundness in AtomicRef::update, ItemPtr, BranchPtr, ... - Review left incomplete """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.zerocopy]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.7.0-alpha.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0-alpha.1 -> 0.6.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0-alpha.1 -> 0.6.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.0-alpha.1 -> 0.7.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.8 -> 0.7.32" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.32 -> 0.8.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.6.1" notes = "Reviewed in CL 592374439" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.zerocopy]] who = "Taylor Cramer " criteria = "ub-risk-1" version = "0.8.14" notes = "Reviewed in CL 714029246" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.zerocopy-derive]] who = "ChromeOS" criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy-derive]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.3.2 -> 0.7.8" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.8 -> 0.6.6" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.8 -> 0.7.32" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerocopy-derive]] who = "Daniel Verkamp " criteria = ["safe-to-run", "does-not-implement-crypto"] delta = "0.7.32 -> 0.8.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerofrom]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerofrom]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.1.5" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerofrom]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.1.5 -> 0.1.6" notes = "Only minor cfg tweaks." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerofrom-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.1.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerofrom-derive]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] version = "0.1.5" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerofrom-derive]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-0"] delta = "0.1.5 -> 0.1.6" notes = "Only a minor clippy adjustment." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zeroize]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.5.7" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zeroize_derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "1.3.2" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerotrie]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] version = "0.2.0" notes = "Minor repr(transparent) unsafe code. Improved comments in https://github.com/unicode-org/icu4x/pull/6054" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerotrie]] who = "Daniel Cheng " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.2.0 -> 0.2.1" notes = """ Changes in unsafe blocks are wrapping direct calls to `core::mem::transmute` with the `transparent_ref_from_store` wrapper. No safety guarantees change, but providing the `transparent_ref_from_store` as a wrapper provides a convenient marker that this transmute operation is actually sound. See https://crrev.com/c/6323349 for more audit notes. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerotrie]] who = "Manish Goregaokar " criteria = "ub-risk-2" version = "0.1.2" notes = "Reviewed in https://github.com/unicode-org/icu4x/pull/2722/" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.zerovec]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerovec]] who = "Manish Goregaokar " criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] delta = "0.11.0 -> 0.11.1" notes = """ Some unsafe changed: - VarZeroCow unsafe moved around but not changed much, comments improved. - Added a ULE impl for () """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerovec-derive]] who = "George Burgess IV " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.10.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zerovec-derive]] who = "Manish Goregaokar " criteria = "does-not-implement-crypto" version = "0.11.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zerovec-derive]] who = "Daniel Cheng " criteria = "does-not-implement-crypto" delta = "0.11.0 -> 0.11.1" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" [[audits.zlib-sys]] who = "Manish Goregaokar " criteria = "ub-risk-3" version = "0.4.2" notes = """ Reviewed in CL 730913141 Partial review performed: Mostly SIMD and allocator stuff. Seems correct enough for ub-risk-3. """ aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [[audits.zstd]] who = "Matt Turner " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "0.13.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zstd-safe]] who = "Matt Turner " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "7.0.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zstd-sys]] who = "Matt Turner " criteria = ["safe-to-run", "does-not-implement-crypto"] version = "2.0.9+zstd.1.5.5" notes = "Includes an implementation of xxhash (a non-cyptographic hashing function) as part of the zstd C sources" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.zune-jpeg]] who = "Luca Versari " criteria = "ub-risk-3" version = "0.4.19" notes = "Reviewed in CL 782822780" aggregated-from = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml"