# cargo-vet config file [cargo-vet] version = "0.10" [imports.bytecode-alliance] url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" [imports.embark-studios] url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" [imports.google] url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" [imports.isrg] url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" [imports.mozilla] url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" [policy.allocator-api2] audit-as-crates-io = true notes = "This is the upstream code with a fix for rust 1.89." [policy.any_all_workaround] audit-as-crates-io = true notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209." [policy.autocfg] audit-as-crates-io = true notes = "This is the upstream code plus a few local fixes, see bug 1685697." [policy.bhttp] audit-as-crates-io = true notes = "This is upstream code in between released versions." [policy."bindgen:0.72.0@git:9366e0af8da529c958b4cd4fcbe492d951c86f5c"] audit-as-crates-io = true notes = "This is the upstream code not yet released" [policy.chardetng] audit-as-crates-io = true notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that." [policy.chardetng_c] audit-as-crates-io = true notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that." [policy.cose] audit-as-crates-io = true notes = "This is upstream plus a warning fix from bug 1823866." [policy.firefox-on-glean] audit-as-crates-io = false notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean." [policy.geckodriver] audit-as-crates-io = false criteria = "safe-to-run" notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run." [policy.gkrust-gtest] criteria = "safe-to-run" notes = "Used for testing." [policy.gkrust-shared] dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] } notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries." [policy.gluesmith] criteria = "safe-to-run" notes = "Used for fuzzing." [policy.http3server] criteria = "safe-to-run" notes = "Used for testing." [policy.icu_capi] audit-as-crates-io = true notes = "Patched version of upstream" [policy.icu_segmenter_data] audit-as-crates-io = true notes = "Patched version of upstream" [policy.l10nregistry] dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" } notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests." [policy.libcrux-traits] audit-as-crates-io = true notes = "Patched version of upstream to avoid unnecessary unused dependencies and conflicts." [policy.libudev-sys] audit-as-crates-io = false notes = "This override is an api-compatible fork with an orthogonal implementation." [policy.malloc_size_of_derive] audit-as-crates-io = false notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on." [policy.marionette] audit-as-crates-io = false notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." [policy.memtest] audit-as-crates-io = true [policy.midir] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release." [policy.mls-rs] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-codec] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-codec-derive] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-core] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-crypto-hpke] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-crypto-traits] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-identity-x509] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mls-rs-provider-sqlite] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.mozbuild] audit-as-crates-io = false notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild." [policy.mozdevice] audit-as-crates-io = false notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." [policy.mozglue-static] dependency-criteria = { rustc_version = "safe-to-run" } notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code" [policy.mozilla-central-workspace-hack] audit-as-crates-io = false criteria = "safe-to-run" notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad." [policy.mozprofile] audit-as-crates-io = false notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." [policy.mozrunner] audit-as-crates-io = false notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." [policy.mozversion] audit-as-crates-io = false notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." [policy.mp4parse] audit-as-crates-io = false [policy.mp4parse_capi] audit-as-crates-io = false [policy.mtu] audit-as-crates-io = true [policy.naga] audit-as-crates-io = true notes = "Part of the wgpu repository, pinned as the rest of wgpu crates." [policy.nss-gk-api] audit-as-crates-io = true notes = "This is a pinned version of the upstream code, pending update of the crate." [policy.objc] audit-as-crates-io = true notes = "This is the upstream code plus a backported fix." [policy.ohttp] audit-as-crates-io = true notes = "This is upstream code in between released versions." [policy.osclientcerts] audit-as-crates-io = false notes = "This is a first-party crate that happens to have been pushed to crates.io a very long time ago but was yanked." [policy.peek-poke] audit-as-crates-io = false [policy.peek-poke-derive] audit-as-crates-io = false [policy.pulse] audit-as-crates-io = false notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name." [policy.qcms] audit-as-crates-io = true notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." [policy.rure] audit-as-crates-io = true notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors." [policy.selectors] audit-as-crates-io = true notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." [policy.servo_arc] audit-as-crates-io = true notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." [policy.storage] audit-as-crates-io = false notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name." [policy.tabs] audit-as-crates-io = false notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name." [policy.thin-vec] audit-as-crates-io = true notes = "3rd-party crate with a mozilla-specific patch applied" [policy.to_shmem] audit-as-crates-io = true notes = "This is a first-party crate which is also published to crates.io" [policy.to_shmem_derive] audit-as-crates-io = true notes = "This is a first-party crate which is also published to crates.io" [policy.unicode-bidi] audit-as-crates-io = true [policy.viaduct] audit-as-crates-io = false notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name." [policy.webdriver] audit-as-crates-io = false criteria = "safe-to-run" notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run." [policy.webrender] audit-as-crates-io = false dependency-criteria = { hyper = "safe-to-run", tokio = "safe-to-run" } notes = "the hyper and tokio dependencies are only enabled in local debug builds, and are not shipped to users" [policy.webrender_api] audit-as-crates-io = false [policy.webrender_build] audit-as-crates-io = false [policy.wgpu-core] audit-as-crates-io = true notes = "Upstream project which we pin." [policy.wgpu-core-deps-apple] audit-as-crates-io = true notes = "Upstream project which we pin." [policy.wgpu-core-deps-windows-linux-android] audit-as-crates-io = true notes = "Upstream project which we pin." [policy.wgpu-hal] audit-as-crates-io = true notes = "Upstream project which we pin." [policy.wgpu-types] audit-as-crates-io = true notes = "Upstream project which we pin." [policy.windows] audit-as-crates-io = true notes = "Local override of the crates.io crate that uses a non-vendored local copy of the downloaded crate" [policy.wr_malloc_size_of] audit-as-crates-io = false [policy.zip] audit-as-crates-io = true [[exemptions.alsa]] version = "0.4.3" criteria = "safe-to-deploy" [[exemptions.alsa-sys]] version = "0.3.1" criteria = "safe-to-deploy" [[exemptions.android_log-sys]] version = "0.2.0" criteria = "safe-to-deploy" [[exemptions.async-task]] version = "4.0.3" criteria = "safe-to-deploy" [[exemptions.bincode]] version = "1.3.3" criteria = "safe-to-deploy" [[exemptions.block]] version = "0.1.6" criteria = "safe-to-deploy" [[exemptions.cache-padded]] version = "1.2.0" criteria = "safe-to-deploy" [[exemptions.chrono]] version = "0.4.19" criteria = "safe-to-deploy" [[exemptions.chunky-vec]] version = "0.1.0" criteria = "safe-to-deploy" [[exemptions.clang-sys]] version = "1.3.3" criteria = "safe-to-deploy" [[exemptions.cookie]] version = "0.16.0" criteria = "safe-to-run" [[exemptions.coreaudio-sys]] version = "0.2.10" criteria = "safe-to-deploy" [[exemptions.coremidi-sys]] version = "3.1.0" criteria = "safe-to-deploy" [[exemptions.cose]] version = "0.1.4" criteria = "safe-to-deploy" [[exemptions.cose-c]] version = "0.1.5" criteria = "safe-to-deploy" [[exemptions.cpufeatures]] version = "0.2.2" criteria = "safe-to-deploy" [[exemptions.crossbeam-channel]] version = "0.5.4" criteria = "safe-to-deploy" [[exemptions.crossbeam-deque]] version = "0.8.1" criteria = "safe-to-deploy" [[exemptions.crossbeam-epoch]] version = "0.9.8" criteria = "safe-to-deploy" [[exemptions.crossbeam-utils]] version = "0.8.8" criteria = "safe-to-deploy" [[exemptions.darling]] version = "0.13.4" criteria = "safe-to-deploy" [[exemptions.darling_core]] version = "0.13.4" criteria = "safe-to-deploy" [[exemptions.darling_macro]] version = "0.13.4" criteria = "safe-to-deploy" [[exemptions.data-encoding]] version = "2.3.2" criteria = "safe-to-deploy" [[exemptions.dbus]] version = "0.6.5" criteria = "safe-to-deploy" [[exemptions.devd-rs]] version = "0.3.4" criteria = "safe-to-deploy" [[exemptions.digest]] version = "0.10.3" criteria = "safe-to-deploy" [[exemptions.dirs]] version = "4.0.0" criteria = "safe-to-deploy" [[exemptions.dirs-sys]] version = "0.3.7" criteria = "safe-to-deploy" [[exemptions.dns-parser]] version = "0.8.0" criteria = "safe-to-deploy" [[exemptions.enumset]] version = "1.0.11" criteria = "safe-to-deploy" [[exemptions.enumset_derive]] version = "0.6.0" criteria = "safe-to-deploy" [[exemptions.env_logger]] version = "0.9.0" criteria = "safe-to-deploy" [[exemptions.fallible-iterator]] version = "0.2.0" criteria = "safe-to-deploy" [[exemptions.fallible-streaming-iterator]] version = "0.1.9" criteria = "safe-to-deploy" [[exemptions.fallible_collections]] version = "0.4.4" criteria = "safe-to-deploy" [[exemptions.ffi-support]] version = "0.4.4" criteria = "safe-to-deploy" [[exemptions.float-cmp]] version = "0.6.0" criteria = "safe-to-deploy" [[exemptions.fs-err]] version = "2.7.0" criteria = "safe-to-deploy" [[exemptions.futures-task]] version = "0.3.21" criteria = "safe-to-deploy" [[exemptions.futures-util]] version = "0.3.21" criteria = "safe-to-deploy" [[exemptions.generic-array]] version = "0.14.5" criteria = "safe-to-deploy" [[exemptions.getrandom]] version = "0.2.6" criteria = "safe-to-deploy" [[exemptions.gl_generator]] version = "0.14.0" criteria = "safe-to-deploy" [[exemptions.glsl]] version = "6.0.1" criteria = "safe-to-deploy" [[exemptions.goblin]] version = "0.1.3" criteria = "safe-to-deploy" [[exemptions.gpu-alloc]] version = "0.5.3" criteria = "safe-to-deploy" [[exemptions.gpu-alloc-types]] version = "0.2.0" criteria = "safe-to-deploy" [[exemptions.gpu-descriptor]] version = "0.2.2" criteria = "safe-to-deploy" [[exemptions.gpu-descriptor-types]] version = "0.1.1" criteria = "safe-to-deploy" [[exemptions.hashlink]] version = "0.7.0" criteria = "safe-to-deploy" [[exemptions.hexf-parse]] version = "0.2.1" criteria = "safe-to-deploy" [[exemptions.ioctl-sys]] version = "0.7.1" criteria = "safe-to-deploy" [[exemptions.itertools]] version = "0.10.3" criteria = "safe-to-deploy" [[exemptions.khronos_api]] version = "3.1.0" criteria = "safe-to-deploy" [[exemptions.libdbus-sys]] version = "0.2.2" criteria = "safe-to-deploy" [[exemptions.libloading]] version = "0.7.3" criteria = "safe-to-deploy" [[exemptions.libsqlite3-sys]] version = "0.25.2" criteria = "safe-to-deploy" suggest = false notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings" [[exemptions.libudev]] version = "0.2.0" criteria = "safe-to-deploy" [[exemptions.memmap2]] version = "0.5.4" criteria = "safe-to-deploy" [[exemptions.memoffset]] version = "0.6.5" criteria = "safe-to-deploy" [[exemptions.midir]] version = "0.7.0" criteria = "safe-to-deploy" [[exemptions.mime_guess]] version = "2.0.4" criteria = "safe-to-deploy" [[exemptions.minimal-lexical]] version = "0.2.1" criteria = "safe-to-deploy" [[exemptions.mio]] version = "0.8.0" criteria = "safe-to-deploy" [[exemptions.murmurhash3]] version = "0.0.5" criteria = "safe-to-deploy" [[exemptions.nix]] version = "0.15.0" criteria = "safe-to-deploy" [[exemptions.objc]] version = "0.2.7" criteria = "safe-to-deploy" [[exemptions.object]] version = "0.28.4" criteria = "safe-to-deploy" [[exemptions.once_cell]] version = "1.12.0" criteria = "safe-to-deploy" [[exemptions.plain]] version = "0.2.3" criteria = "safe-to-deploy" [[exemptions.plist]] version = "1.3.1" criteria = "safe-to-run" [[exemptions.ppv-lite86]] version = "0.2.16" criteria = "safe-to-deploy" [[exemptions.profiling]] version = "1.0.6" criteria = "safe-to-deploy" [[exemptions.prost]] version = "0.8.0" criteria = "safe-to-deploy" [[exemptions.prost-derive]] version = "0.8.0" criteria = "safe-to-deploy" [[exemptions.quick-error]] version = "1.2.3" criteria = "safe-to-deploy" [[exemptions.remove_dir_all]] version = "0.5.3" criteria = "safe-to-deploy" [[exemptions.replace_with]] version = "0.1.7" criteria = "safe-to-deploy" [[exemptions.ringbuf]] version = "0.2.8" criteria = "safe-to-deploy" [[exemptions.ron]] version = "0.7.0" criteria = "safe-to-deploy" [[exemptions.runloop]] version = "0.1.0" criteria = "safe-to-deploy" [[exemptions.rusqlite]] version = "0.27.0" criteria = "safe-to-deploy" [[exemptions.rust-ini]] version = "0.10.3" criteria = "safe-to-deploy" [[exemptions.scroll]] version = "0.10.2" criteria = "safe-to-deploy" [[exemptions.scroll_derive]] version = "0.10.5" criteria = "safe-to-deploy" [[exemptions.self_cell]] version = "0.10.2" criteria = "safe-to-deploy" [[exemptions.serde_with]] version = "1.14.0" criteria = "safe-to-deploy" [[exemptions.serde_with_macros]] version = "1.5.2" criteria = "safe-to-deploy" [[exemptions.siphasher]] version = "0.3.10" criteria = "safe-to-deploy" [[exemptions.socket2]] version = "0.4.4" criteria = "safe-to-deploy" [[exemptions.spirv]] version = "0.2.0+1.5.4" criteria = "safe-to-deploy" [[exemptions.tempfile]] version = "3.3.0" criteria = "safe-to-deploy" [[exemptions.time]] version = "0.1.44" criteria = "safe-to-deploy" [[exemptions.triple_buffer]] version = "5.0.6" criteria = "safe-to-deploy" [[exemptions.type-map]] version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.typenum]] version = "1.15.0" criteria = "safe-to-deploy" [[exemptions.unix_path]] version = "1.0.1" criteria = "safe-to-run" [[exemptions.unix_str]] version = "1.0.0" criteria = "safe-to-run" [[exemptions.uuid]] version = "0.8.2" criteria = "safe-to-deploy" [[exemptions.webrtc-sdp]] version = "0.3.9" criteria = "safe-to-deploy" [[exemptions.winapi]] version = "0.3.9" criteria = "safe-to-deploy" [[exemptions.winapi-i686-pc-windows-gnu]] version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.winapi-x86_64-pc-windows-gnu]] version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.wio]] version = "0.2.2" criteria = "safe-to-deploy" [[exemptions.xml-rs]] version = "0.8.4" criteria = "safe-to-deploy"