[criteria.crypto-reviewed] description = "The cryptographic code in this crate has been reviewed for correctness by a member of a designated set of cryptography experts within the project." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [criteria.license-reviewed] description = "The license of this crate has been reviewed for compatibility with its usage in this repository." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.abscissa_core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.1 -> 0.8.2" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.abscissa_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.8.2" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.abscissa_tokio]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.9.0" notes = """ This crate uses `#![forbid(unsafe_code)]`, so there are no `unsafe` blocks. The code is a straightforward combination of `abscissa_core` and `tokio`, with very little of its own logic. No ambient capabilities are used directly, and the `tokio` runtime APIs appear to be correctly used. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.addr2line]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.17.0 -> 0.19.0" notes = "Only change to unsafe code is to reduce the scope of some unsafe blocks." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.addr2line]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.21.0 -> 0.22.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.adler2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.0 -> 2.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.aead]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.4.3 -> 0.5.1" notes = "Adds an AeadCore::generate_nonce function to generate random nonces, given a CryptoRng." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.aead]] who = "Jack Grigg " criteria = ["safe-to-deploy", "crypto-reviewed"] delta = "0.5.1 -> 0.5.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ahash]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.6 -> 0.8.7" notes = "Build-time `stdsimd` detection is replaced with a nightly-only feature flag." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ahash]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.8.7 -> 0.8.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.aho-corasick]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.1 -> 1.1.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.aho-corasick]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.1.2 -> 1.1.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.aho-corasick]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.3 -> 1.1.4" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.allocator-api2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.14 -> 0.2.15" notes = """ - Some existing `unsafe` code is moved without being altered. - The new `SliceExt` extension trait uses `unsafe` methods `Vec::set_len` and `core::ptr::copy_nonoverlapping` to initialize a `Vec` efficiently. The safety requirements appear to be satisfied. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.allocator-api2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.15 -> 0.2.16" notes = "Change to `unsafe` block is to fix the `Drop` impl of `Box` to drop its value." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.allocator-api2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.16 -> 0.2.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ambassador]] who = "Kris Nuttycombe " criteria = "safe-to-deploy" version = "0.4.1" notes = "Crate uses no unsafe code and the macros introduced by this crate generate the expected trait implementations without introducing additional unexpected operations." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.anstyle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.9 -> 1.0.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.anstyle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.10 -> 1.0.13" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.anstyle-query]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.2 -> 1.1.4" notes = "Change to `unsafe` code is to adapt to the changed `HANDLE` type in `windows-sys`." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.anstyle-wincon]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.0.6 -> 3.0.7" notes = """ Changes to `unsafe` blocks are removing `std::mem::transmute` calls that are now unnecessary after `windows-sys` changed its `HANDLE` type from `isize` to `*mut c_void` (matching what `std::os::windows::io::RawHandle` uses). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.anstyle-wincon]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.0.7 -> 3.0.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.56 -> 1.0.61" notes = "Update does not introduce new code. Minor build script changes look fine." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.61 -> 1.0.65" notes = "Build script changes just alter what it is probing for; no difference in side effects." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.68 -> 1.0.69" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "1.0.69 -> 1.0.70" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.71 -> 1.0.75" notes = """ `unsafe` changes are migrating from `core::any::Demand` to `std::error::Request` when the nightly features are available. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.75 -> 1.0.77" notes = """ - Build script changes are to rerun cargo if the `RUSTC_BOOTSTRAP` env variable changes, and enable a few more `rustc` config flags. 
- Some `unsafe fn`s were altered to add `unsafe` blocks, to make the safety contracts in the code clearer (instead of using the `unsafe fn`'s implicit `unsafe` block); no actual `unsafe` changes were made. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.77 -> 1.0.79" notes = """ Build script changes are to refactor the existing probe into a separate file (which removes a filesystem write), and adjust how it gets rerun in response to changes in the build environment. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.79 -> 1.0.82" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.anyhow]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.82 -> 1.0.83" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.95 -> 1.0.97" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.anyhow]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.97 -> 1.0.100" notes = """ Changes to the build script are to enable reusing the probe file within the crate, enable more features on newer Rust versions, and catch more errors. Most of the changes to `unsafe` code are refactors to surrounding safe code, and not actually altering the `unsafe` blocks. The new instances of `unsafe` are to allow errors to be converted to `Box` in a way that supports downcasting (at the cost of backtraces), via a new vtable method. The `unsafe` blocks in the new code appear to match how boxing and downcasting logic is done in other existing vtable methods. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.arrayref]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.3.6 -> 0.3.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.arrayref]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.6 -> 0.3.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.arrayref]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.8 -> 0.3.9" notes = "Changes to `unsafe` lines are to make some existing `unsafe fn`s `const`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.arti-client]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.23.0 -> 0.28.0" notes = """ No `unsafe` changes. The introduction of a path resolver affects filesystem access but is driven by API changes in dependencies; nothing looks untoward in the changes to this crate (though the various macros make some of it harder to reason about). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.arti-client]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.30.0 -> 0.31.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.arti-client]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.31.0 -> 0.32.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.arti-client]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.32.0 -> 0.35.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.async-trait]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.1.78 -> 0.1.80" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.async-trait]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.80 -> 0.1.81" notes = "Changes to generated code look fine." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.async-trait]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.88 -> 0.1.89" notes = """ Changes to generated code are to make use of `syn::Block` quoting in several places instead of directly quoting its statements. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.autocfg]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.2.0 -> 1.3.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.autocfg]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.4.0 -> 1.5.0" notes = "Filesystem change is to remove the generated LLVM IR output file after probing." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.axum-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.2 -> 0.5.5" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.backtrace]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.67 -> 0.3.69" notes = """ Changes to `unsafe` blocks: - New call to `GetCurrentProcessId` on Windows, to help generate a process-unique name to use inside an existing `CreateMutexA` call. - Uses `libc::mmap64` on Linux instead of `libc::mmap`. - Alters `Stash` to allow caching more than one `Mmap`; the existing `unsafe` safety condition continues to be applicable. There are also several more places where DWARF data is mmapped from a filesystem path and then loaded. These appear to all derive from existing paths that themselves were already being mmapped and loaded. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.backtrace]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.69 -> 0.3.71" notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.base64]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.21.3 -> 0.21.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.base64]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.21.4 -> 0.21.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.base64]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.21.5 -> 0.21.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.base64ct]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.6.0 -> 1.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.base64ct]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.7.3 -> 1.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.basic-toml]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.9 -> 0.1.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.bech32]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.1 -> 0.9.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bellman]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] delta = "0.13.0 -> 0.13.1" notes = "Adds multi-threaded batch validation, which I checked against the existing single-threaded batch validation." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bellman]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.13.1 -> 0.14.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bindgen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.69.4 -> 0.69.5" notes = """ Change to `unsafe` block is to switch from `clang_getSpellingLocation` to `clang_getFileLocation`; I confirmed these have the same arguments. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.bindgen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.72.0 -> 0.72.1" notes = """ Change to `unsafe` code is to narrow the scope of an `unsafe` block; no changes to the `unsafe` function being called. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.bip0039]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bip32]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.5.1" notes = """ - Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`. - Crate has no powerful imports. Only filesystem acces is via `include_str!`, and is safe. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.bitflags]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.3.3 -> 2.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bitflags]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.9.4 -> 2.10.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.blake2b_simd]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.0 -> 1.0.1" notes = "Switches to `constant_time_eq 0.2.4`, which bumps its MSRV to 1.59." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.blake2b_simd]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.0.2" notes = "Switches to `constant_time_eq 0.3.0`, which bumps its MSRV to 1.66." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.blake2b_simd]] who = "Jack Grigg " criteria = ["safe-to-deploy", "crypto-reviewed"] delta = "1.0.2 -> 1.0.3" notes = "No cryptographic changes." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.blake2s_simd]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.0 -> 1.0.1" notes = "Switches to `constant_time_eq 0.2.4`, which bumps its MSRV to 1.59." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.blake2s_simd]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.0.2" notes = "Switches to `constant_time_eq 0.3.0`, which bumps its MSRV to 1.66." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.blake2s_simd]] who = "Jack Grigg " criteria = ["safe-to-deploy", "crypto-reviewed"] delta = "1.0.2 -> 1.0.3" notes = "No cryptographic changes." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.block-buffer]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bls12_381]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bls12_381]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.7.1 -> 0.8.0" notes = "I previously reviewed the crypto-sensitive portions of these changes as well." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bounded-vec]] who = "Kris Nuttycombe " criteria = "safe-to-deploy" version = "0.9.0" notes = "Crate forbids unsafe code and uses no powerful imports. It consists primarily of safe constructors for newtype wrappers around `Vec`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bs58]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bumpalo]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.11.1 -> 3.12.0" notes = "Changes to `unsafe` code are to replace `mem::forget` uses with `ManuallyDrop`." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bumpalo]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "3.15.4 -> 3.16.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.byte-slice-cast]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.2.1 -> 1.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bytemuck]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "1.15.0 -> 1.16.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.byteorder]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.4.3 -> 1.5.0" notes = """ - Adds two assertions to check the safety of `slice::from_raw_parts_mut` calls. - Replaces a bunch of `unsafe` blocks containing `copy_nonoverlapping` calls with safe `<&mut [u8]>::copy_from_slice` calls. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bytes]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.3.0 -> 1.4.0" notes = """ Adds a `mem::forget` as part of avoiding `Vec::into_boxed_slice` when it would reallocate. I checked that the required semantics of `mem::forget` are maintained, but it seems like `ManuallyDrop` should also work here and be compatible with their MSRV. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bytes]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.4.0 -> 1.5.0" notes = """ - Introduces new `unsafe` blocks inside new `UninitSlice` constructors, but these replace existing equivalent `unsafe` blocks that were directly constructing `UninitSlice`. 
- Adds `unsafe impl BufMut for &mut [core::mem::MaybeUninit]`, which is implemented almost identically to the existing `unsafe impl BufMut for &mut [u8]`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bytes]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.5.0 -> 1.6.0" notes = """ There is significant use of `unsafe` code, but safety requirements are well documented and appear correct as far as I can see. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.bytes]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.6.0 -> 1.6.1" notes = """ New `unsafe` function is a code-duplicate of an existing `unsafe` function, but using the correct `Shared` type for `BytesMut` in order to fix a bug. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.bytes]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.7.1 -> 1.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.caret]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.caret]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.3 -> 0.7.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.cc]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.83 -> 1.0.94" notes = """ The optimization to use `buffer.set_len(buffer.capacity())` in `command_helpers::StderrForwarder::forward_available` doesn't look panic-safe: if `stderr.read` panics and that panic is caught by a caller of `forward_available`, then the inner buffer of `StderrForwarder` will contain uninitialized data. 
This looks difficult to trigger in practice, but I have opened an issue . `parallel::async_executor` contains `unsafe` pinning code but it looks reasonable. Similarly for the `unsafe` initialization code in `parallel::job_token::JobTokenServer` and file operations in `parallel::stderr`. This crate executes commands, and my review is likely not sufficient to detect subtle backdoors. I did not review the use of library handles in the `com` package on Windows. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.cc]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.94 -> 1.0.97" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.cc]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.1.6 -> 1.1.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.chacha20]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] delta = "0.8.1 -> 0.8.2" notes = "Unpins zeroize." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.chacha20]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.8.2 -> 0.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.chacha20poly1305]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] delta = "0.9.0 -> 0.9.1" notes = "Unpins zeroize." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.chacha20poly1305]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.9.1 -> 0.10.1" notes = "This mainly adapts to API changes between aead 0.4 and aead 0.5." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ciborium]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "0.2.1 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.ciborium-io]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.ciborium-io]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "0.2.1 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.ciborium-ll]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.ciborium-ll]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "0.2.1 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.cipher]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.4.3" notes = "Significant rework of (mainly RustCrypto-internal) APIs." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.cipher]] who = "Jack Grigg " criteria = ["safe-to-deploy", "crypto-reviewed"] delta = "0.4.3 -> 0.4.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.clap]] who = "Jack Grigg " criteria = "safe-to-run" delta = "4.4.14 -> 4.4.18" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.clap_builder]] who = "Jack Grigg " criteria = "safe-to-run" delta = "4.5.0 -> 4.4.18" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.clap_builder]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "4.5.18 -> 4.5.20" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.clap_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "4.5.32 -> 4.5.49" notes = "Changes to generated code are adjustments to error strings." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.clap_lex]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.2 -> 0.7.4" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.clap_lex]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.4 -> 0.7.6" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.clap_mangen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.26 -> 0.2.31" notes = "Does not generate Rust code. Changes to generated roff output look plausible." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.clearscreen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.9 -> 1.0.10" notes = "Bumps nix and removes some of its default features." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.clearscreen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.10 -> 1.0.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.clearscreen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.11 -> 2.0.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.clearscreen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.0 -> 2.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.clearscreen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.1 -> 3.0.0" notes = "Changes to stdin FD handling look fine (moving to newer safer APIs)." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.clearscreen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "4.0.1 -> 4.0.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.colorchoice]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.3 -> 1.0.4" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.console-api]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.1 -> 0.9.0" notes = "Only changes are to generated code as a result of dependency and protobuf updates." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.console-subscriber]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.1 -> 0.5.0" notes = "Adds support for Vsock addresses. Usages of `tokio-vsock` for I/O look correct." 
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.const_format]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.34 -> 0.2.35" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.constant_time_eq]] who = "Jack Grigg " criteria = ["safe-to-deploy", "crypto-reviewed"] delta = "0.2.4 -> 0.2.5" notes = "No code changes." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.constant_time_eq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.5 -> 0.2.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.constant_time_eq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.6 -> 0.3.0" notes = "Replaces some `unsafe` code by bumping MSRV to 1.66 (to access `core::hint::black_box`)." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.constant_time_eq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.cpp_demangle]] who = "Kris Nuttycombe " criteria = "safe-to-run" delta = "0.4.3 -> 0.4.4" notes = "No added unsafe code; adds support for additional c++23 types." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.cpufeatures]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.2 -> 0.2.5" notes = "Unsafe changes just introduce `#[inline(never)]` wrappers." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.cpufeatures]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "0.2.5 -> 0.2.6"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers cpufeatures 0.2.6 -> 0.2.8 or 0.2.12 -> 0.2.13;
# those steps have to be covered elsewhere (not visible here).
[[audits.cpufeatures]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.8 -> 0.2.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cpufeatures]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.11"
notes = """
New `unsafe` block is to call `libc::getauxval(libc::AT_HWCAP)` on Linux for LoongArch64 CPU feature detection support. This and the supporting macro code is the same as the existing Linux code for AArch64.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cpufeatures]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.11 -> 0.2.12"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): "DIT" here is presumably ARM's Data Independent Timing state;
# if so, a wrong detection result would matter to constant-time code that
# relies on it. The record itself only reviews how the new `unsafe` call is
# made.
[[audits.cpufeatures]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
notes = """
New `unsafe` block is to call `sysctlbyname` to detect DIT on Apple ARM64, which is done in the same way as existing target feature checks on that arch.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.criterion-cycles-per-byte]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.6.1 -> 0.7.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.criterion-plot]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.6.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# No record in this run covers crossbeam-channel 0.5.7 -> 0.5.8 or
# 0.5.10 -> 0.5.12; those steps have to be covered elsewhere (not visible
# here).
[[audits.crossbeam-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.6 -> 0.5.7"
notes = "Fixes wrapping overflows for large timeouts."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.8 -> 0.5.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.9 -> 0.5.10"
notes = """
Changes to `unsafe` code are to use `MaybeUninit::assume_init_drop` (which is now usable with the new MSRV) instead of dropping via casting.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.12 -> 0.5.13"
notes = "Macro changes look fine."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-deque]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.2 -> 0.8.3"
notes = "No new code."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.crossbeam-deque]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.3 -> 0.8.4"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-deque]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.8.4 -> 0.8.5"
notes = "Changes to `unsafe` code look okay."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-epoch]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.13 -> 0.9.14"
notes = "Bumps memoffset to 0.8, and marks some BPF and Sony Vita targets as not having atomics."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-epoch]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.14 -> 0.9.15"
notes = "Bumps memoffset to 0.9, and unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-epoch]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.15 -> 0.9.16"
notes = "Moved an `unsafe` block while removing `scopeguard` dependency."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-epoch]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.16 -> 0.9.17"
notes = """
Changes to `unsafe` code are to replace manual pointer logic with equivalent `unsafe` stdlib methods, now that MSRV is high enough to use them.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-epoch]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.9.17 -> 0.9.18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.14 -> 0.8.15"
notes = """
- Fixes a wrapping overflow for large timeouts.
- Marks some BPF and Sony Vita targets as not having atomics.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.15 -> 0.8.16"
notes = """
- Fixes cache line alignment for some targets.
- Replaces `mem::replace` with `Option::take` inside `unsafe` blocks.
- Unmarks some ARMv7r and Sony Vita targets as not having 64-bit atomics.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.16 -> 0.8.17"
notes = """
- Build script change removes some now-unused config flags, and checks for thread sanitization to enable this on `crossbeam`.
- Changes to `unsafe` blocks are to move them, or to introduce a couple of new blocks identical to equivalent earlier blocks (now that MSRV is new enough to access newer `Atomic*` methods).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.17 -> 0.8.18"
notes = """
Changes to `unsafe` code are to construct and drop `MaybeUninit` directly via its methods (one of which is now usable with the new MSRV) instead of via casting.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers crossbeam-utils 0.8.18 -> 0.8.20; that step
# has to be covered elsewhere (not visible here).
[[audits.crossbeam-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.20 -> 0.8.21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Build scripts run on the build host with the builder's privileges, which is
# why the note reviews the `build.rs` change explicitly.
[[audits.crunchy]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.3 -> 0.2.4"
notes = """
Build script change is to fix a bug where a path separator for an included file was being selected by the target OS instead of the host OS.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.crypto-common]]
who = "Jack Grigg "
criteria = ["crypto-reviewed", "safe-to-deploy"]
delta = "0.1.3 -> 0.1.6"
notes = "New trait and type alias look fine."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.curve25519-dalek]]
who = "Jack Grigg "
criteria = ["safe-to-deploy", "crypto-reviewed"]
delta = "4.1.0 -> 4.1.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# This step is `safe-to-deploy` only, while the deltas on either side also
# carry `crypto-reviewed`: as recorded here, the crypto-reviewed chain for
# curve25519-dalek is not continuous across 4.1.1 -> 4.1.2.
[[audits.curve25519-dalek]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "4.1.1 -> 4.1.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): the `read_volatile` barriers named in the note are presumably
# there to stop the compiler from rewriting branch-free code; the record
# reviews the new `unsafe`, it does not by itself measure timing behaviour.
[[audits.curve25519-dalek]]
who = "Jack Grigg "
criteria = ["safe-to-deploy", "crypto-reviewed"]
delta = "4.1.2 -> 4.1.3"
notes = """
- New unsafe is adding `core::ptr::read_volatile` calls for black box optimization barriers.
- `build.rs` changes are to use `CARGO_CFG_TARGET_POINTER_WIDTH` instead of `TARGET` and the `platforms` crate for deciding on the target pointer width.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.curve25519-dalek-derive]]
who = "Jack Grigg "
criteria = ["safe-to-deploy", "crypto-reviewed"]
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Daira Hopwood "
criteria = "safe-to-deploy"
delta = "1.0.68 -> 1.0.72"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.72 -> 1.0.76"
notes = "Impls Unpin for SharedPtr and UniquePtr. The rationale makes sense."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.76 -> 1.0.78"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.79"
notes = """
This release changes the result of the `cxxbridge` `exception` call to return a struct containing both the pointer to an error message and its length, instead of just the raw `*const u8`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.79 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.91"
notes = """
- Buildscript change is only to bump MSRV.
- Only change to C++ side is to fix a memory leak.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.91 -> 1.0.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.92 -> 1.0.94"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers cxx 1.0.94 -> 1.0.95; that step has to be
# covered elsewhere (not visible here).
[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.95 -> 1.0.97"
notes = "Adds some C++ static_casts to fix MSVC warnings."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.97 -> 1.0.107"
notes = """
New `unsafe` blocks are to implement `CxxVector::new` (exposing `std::vector::new`). The remaining changes to `unsafe` code are removing uses of the wrapping `attr!` macro.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.107 -> 1.0.111"
notes = "Build script change is to look for `src/cxx.cc` in the same folder as `include/cxx.h`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.111 -> 1.0.113"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.113 -> 1.0.122"
notes = "Build script changes only affect lints."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.122 -> 1.0.124"
notes = """
- Change to `build.rs` is to use `error_in_core` rustc feature.
- Change to `cxx.cc` uses the same technique for `char` as is already in use for `isize` to check if it is an alias for `[u]int8_t`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers cxx 1.0.124 -> 1.0.126 or 1.0.136 -> 1.0.158;
# those steps have to be covered elsewhere (not visible here).
# NOTE(review): `SyncUnsafeCell>` in the note below looks truncated (a generic
# argument list appears to have been stripped in extraction); restore the
# wording from the upstream file rather than guessing it.
[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.126 -> 1.0.128"
notes = """
`unsafe` changes are to copy the `SyncUnsafeCell` type from nightly Rust. It is used as the ZST `SyncUnsafeCell>` to fix an LLVM miscompilation.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The last bullet of the note records a security-property regression: the
# hasher is no longer HashDoS-resistant. The record does not say which maps
# use it. NOTE(review): this is acceptable only if the hashed keys cannot be
# chosen by an untrusted party; confirm where the hasher is used before
# relying on this delta for code that hashes external input.
[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.128 -> 1.0.136"
notes = """
- Change to build script is to raise MSRV.
- Changes to `unsafe` blocks are a refactor to expose pointers from `UniquePtr`. The existing usages are effectively unaltered.
- The hasher is changed from SipHash-1-3 to foldhash-q. This means the hasher is faster, but no longer resistant to HashDoS.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxx]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.158 -> 1.0.160"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Daira Hopwood "
criteria = "safe-to-deploy"
delta = "1.0.68 -> 1.0.72"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.72 -> 1.0.76"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.76 -> 1.0.78"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.79"
notes = "This is exclusively an update to the `cxxbridge` dependency version."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.79 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.91"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.91 -> 1.0.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.92 -> 1.0.94"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The cxxbridge-flags records from here on are not contiguous: no record in
# this run covers 1.0.94 -> 1.0.95, 1.0.106 -> 1.0.107, 1.0.113 -> 1.0.121,
# 1.0.122 -> 1.0.135 or 1.0.136 -> 1.0.146. A delta record certifies only the
# diff it names, so those steps have to be covered elsewhere (not visible
# here).
[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.95 -> 1.0.97"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.97 -> 1.0.106"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.107 -> 1.0.111"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.111 -> 1.0.113"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.121 -> 1.0.122"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.135 -> 1.0.136"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.146 -> 1.0.158"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-flags]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.158 -> 1.0.160"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Daira Hopwood "
criteria = "safe-to-deploy"
delta = "1.0.68 -> 1.0.72"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.72 -> 1.0.76"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.76 -> 1.0.78"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The next two records have the same reviewer, criteria and delta; they
# differ only in that the second carries `notes`. They are redundant rather
# than conflicting.
[[audits.cxxbridge-macro]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.79"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.79"
notes = "This is exclusively an update to the `cxxbridge` dependency version."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.79 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.91"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.91 -> 1.0.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The note states the limits of this review: the `syn 2` migration logic was
# not checked, only skimmed for effects on generated code. Consumers that
# depend on the generated FFI glue being unchanged should weigh this record
# accordingly.
[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.92 -> 1.0.94"
notes = """
Migration to `syn 2`. I didn't check the logic, but the changes look reasonable and I didn't notice anything that seemed like it would adversely change the generated code.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers cxxbridge-macro 1.0.94 -> 1.0.95,
# 1.0.124 -> 1.0.126 or 1.0.136 -> 1.0.158; those steps have to be covered
# elsewhere (not visible here).
[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.95 -> 1.0.97"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.97 -> 1.0.107"
notes = "New generated `unsafe` block exposes `std::vector::new` from C++."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.107 -> 1.0.111"
notes = """
Many more `unsafe` blocks are now added in generated code, but these appear to all be inside `unsafe fn`s, and are added to make the safety contracts in the generated code clearer (instead of using the `unsafe fn`'s implicit `unsafe` block).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.111 -> 1.0.113"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.113 -> 1.0.122"
notes = "Only changes to lints."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.122 -> 1.0.124"
notes = "Only changes to lints."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.126 -> 1.0.128"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.128 -> 1.0.136"
notes = """
Changes to generated `unsafe` code are to add the new `unsafe` annotations added in Rust 1.82 to the `extern` blocks.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.cxxbridge-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.158 -> 1.0.160"
notes = """
Changes to generated code were to add support for `C-unwind` across the FFI. Also replaced an internal ordered map impl with the `indexmap` crate.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.darling]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.20.9 -> 0.20.10"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.darling]]
who = "Schell Carl Scivally "
criteria = "safe-to-deploy"
delta = "0.20.10 -> 0.21.3"
notes = "Mostly added tests and documentation. The bulk of the changes were made to `darling_core`."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.darling_core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.20.9 -> 0.20.10"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.darling_core]]
who = "Schell Carl Scivally "
criteria = "safe-to-deploy"
delta = "0.20.10 -> 0.21.3"
notes = "No unsafe, just helpers for proc-macros."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.darling_macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.20.9 -> 0.20.10"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.darling_macro]]
who = "Schell Carl Scivally "
criteria = "safe-to-deploy"
delta = "0.20.10 -> 0.20.11"
notes = "Only includes changes to cargo packaging, the library source itself is unchanged."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.darling_macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.20.11 -> 0.21.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.deadpool-sqlite]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.12.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# The note judges that ignoring the named advisory is correct for `der`. The
# record does not show where the ignore is configured. NOTE(review): confirm
# against the 0.7.8 -> 0.7.9 diff that the ignore is scoped to this crate's
# own tooling and does not suppress the advisory for consumers.
[[audits.der]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.7.8 -> 0.7.9"
notes = "The change to ignore RUSTSEC-2023-0071 is correct for this crate."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.der]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.7.9 -> 0.7.10"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.deranged]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.10 -> 0.3.11"
notes = """
Two new `unsafe` blocks to construct ranges via `T::new_unchecked`. The safety comments correctly document why the checks are unnecessary.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.derive-deftly]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.1.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.derive-deftly]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.3.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# No record in this run covers directories 5.0.0 -> 5.0.1 or
# dirs 4.0.0 -> 5.0.1; those steps have to be covered elsewhere (not visible
# here).
[[audits.directories]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "4.0.1 -> 5.0.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.directories]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "5.0.1 -> 6.0.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The note records a behaviour change (resolved paths differ) and hedges on
# the reason. Callers that store data under these paths should check where
# their files end up across this step.
[[audits.dirs]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "2.0.2 -> 4.0.0"
notes = "Some paths change across this upgrade (AFAICT they were bugfixes)."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.dirs]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "5.0.1 -> 6.0.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.dirs-sys]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.7 -> 0.4.0"
notes = """
Changes to `unsafe` code are migrating from `winapi` to `windows-sys`. The APIs are equivalent, with the `windows-sys` ones being slightly more type-safe.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers dirs-sys 0.4.0 -> 0.4.1; that step has to be
# covered elsewhere (not visible here).
[[audits.dirs-sys]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = """
One change to an `unsafe` block, adapting to an API change in `windows_sys` (`Win32::Foundation::HANDLE` changed from `isize` to `*mut c_void`).
I confirmed that the Windows documentation permits an argument of `std::ptr::null_mut()`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): every `who` value on this page ends in a space, as if an
# e-mail address was stripped in extraction; restore it from the file named
# in `aggregated-from`, not by hand.
[[audits.document-features]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.11 -> 0.2.12"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.documented]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.9.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.documented]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.1 -> 0.9.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.documented-macros]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.1 -> 0.9.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# Full audit of one release (`version`, not `delta`): this record can anchor
# a chain of later delta records for dunce.
[[audits.dunce]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
version = "1.0.5"
notes = """
Does what it says on the tin. No `unsafe`, and the only IO is `std::fs::canonicalize`. Path and string handling looks plausibly correct.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.dyn-clone]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.19 -> 1.0.20"
notes = """
Changes to `unsafe` code:
- Migrating to `core::ptr::addr_of_mut!()` with MSRV bump.
- Gating a function that uses `unsafe` behind `target_has_atomic = "ptr"`.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.dynosaur]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.dynosaur]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.3.0"
notes = "Updates its proc macro dependency, no other changes."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Of the two ed25519 records, only 2.2.2 -> 2.2.3 carries `crypto-reviewed`;
# 2.2.1 -> 2.2.2 is `safe-to-deploy` only.
[[audits.ed25519]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "2.2.1 -> 2.2.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.ed25519]]
who = "Jack Grigg "
criteria = ["safe-to-deploy", "crypto-reviewed"]
delta = "2.2.2 -> 2.2.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.ed25519-zebra]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "3.0.0 -> 3.1.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Scope limit stated by the reviewer: the pem/pkcs8 feature code is not
# vouched for cryptographically, and the record is `safe-to-deploy` only.
# Builds that enable those features get no crypto assurance from this record.
[[audits.ed25519-zebra]]
who = "Daira Emma Hopwood "
criteria = "safe-to-deploy"
delta = "3.1.0 -> 4.0.0"
notes = """
Changes are mainly in the pem and pkcs8 features and in Java or Scala code. These do not introduce unsafe code, but I cannot vouch for their cryptographic correctness or conformance to PEM or PKCS8 standards. I reviewed the remaining changes from 3.1.0 to 4.0.0 fully.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The argument in the note is conditional on two properties of this version:
# the inner `Scalar` is never exposed, and it is only ever multiplied by the
# torsion-free basepoint. A later release that changes either one needs the
# cofactor reasoning redone; this record does not carry over.
[[audits.ed25519-zebra]]
who = "Jack Grigg "
criteria = ["safe-to-deploy", "crypto-reviewed"]
delta = "4.0.0 -> 4.0.3"
notes = """
`SigningKey::from([u8; 32])` parsing now uses `Scalar::from_bytes_mod_order` instead of `Scalar::from_bits`. This means that the clamped scalar bits are now reduced before they are used, which removes the implicit mul-by-cofactor during scalar multiplication (as the last 3 bits of the scalar are no longer guaranteed to be zero). However, this happens to be fine in the context of this crate:
- `SigningKey` does not expose its inner `Scalar` directly, so we only need to consider how it is used within the crate.
- For multiplication within a prime-order (sub)group, we get the same result whether we reduce before or not. This means that the field-element multiplication during signing, and the prime-order subgroup component of any group-element scalar multiplication, are unaffected.
- The only group element that the `Scalar` is multiplied by is the Ed25519 basepoint, which is torsion free (so the implicit mul-by-cofactor is unnecessary).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.either]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.either]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.9.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.either]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 1.11.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.either]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.11.0 -> 1.13.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.equivalent]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.3 -> 0.3.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# errno 0.3.8 -> 0.3.9 was reviewed twice, by different people in different
# source repositories; both records are kept by aggregation.
[[audits.errno]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.9"
notes = "Only affects `visionos` target, which is treated the same as `macos` etc."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# No record in this run covers errno 0.3.9 -> 0.3.10; that step has to be
# covered elsewhere (not visible here).
[[audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.10 -> 0.3.11"
notes = "The `__errno` location for vxworks and cygwin looks correct from a quick search."
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.11 -> 0.3.13"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.errno]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.13 -> 0.3.14"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.fastrand]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.fastrand]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.fastrand]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "2.0.1 -> 2.0.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The note records two open points: output for a given seed changes across
# this step, and the reviewer could not judge the quality of the new
# constants. Anything that depends on seed-stable output needs checking
# across this update. The same delta is also recorded by a second reviewer in
# the next record, without notes.
[[audits.fastrand]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
notes = """
As noted in the changelog, this version produces different output for a given seed. The documentation did not mention stability. It is possible that some uses relying on determinism across the update would be broken. The new constants do appear to match WyRand v4.2 (modulo ordering issues that I have not checked):
https://github.com/wangyi-fudan/wyhash/blob/408620b6d12b7d667b3dd6ae39b7929a39e8fa05/wyhash.h#L145
I have no way to check whether these constants are an improvement or not.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.fastrand]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.fastrand]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.1.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.ff]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.12.0 -> 0.12.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.ff]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "0.12.1 -> 0.13.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# `safe-to-run` is the weaker built-in cargo-vet criterion and does not imply
# `safe-to-deploy`: this record does not certify the crate for production
# builds.
[[audits.filetime]]
who = "Jack Grigg "
criteria = "safe-to-run"
delta = "0.2.25 -> 0.2.26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.flate2]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.1.4 -> 1.1.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.fluent-langneg]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.13.0 -> 0.13.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# Self-audit: per the note, the auditor is the crate's author and a second
# engineer reviewed the release, but that reviewer is not named in the
# record. The criteria are `safe-to-deploy` only.
[[audits.fpe]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.6.1"
notes = """
I am the author of this crate. This release fixes a regression bug in 0.6.0, and was reviewed by an ECC engineer.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.fs-mistrust]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.1 -> 0.9.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.fs-mistrust]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.10.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.fs-mistrust]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.10.0 -> 0.12.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.futures]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
notes = "Only sub-crate updates and corresponding changes to tests."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.futures-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"
notes = "Atomics usage in `Stream::size_hint` impls looks fine."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-channel]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.27"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-channel]]
who = "Daira Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
notes = "Dependency updates, and an MSRV update to Rust 1.56."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.29" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.30 -> 0.3.31" notes = """ Changes to `unsafe` code are only to wrap the internals of some `unsafe fn`s in `unsafe` blocks for added clarity. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" notes = "Adds optional dependency on `portable-atomic 1` that can be enabled to replace `core::sync::atomic`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.27" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-core]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" notes = """ Adds an optimization in unsafe code (https://github.com/rust-lang/futures-rs/pull/2723). The new code in AtomicWaker calls self.waker.get() twice assuming the same resulting pointer, but this appears to be correct because the AtomicWaker is in the required locked state. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.29" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-executor]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.30" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.futures-io]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.30" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.futures-macro]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.29" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.futures-macro]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.futures-sink]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.futures-task]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.25 -> 0.3.26" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-task]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.27" aggregated-from = 
"https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Delta audits for futures-task and futures-util. `aggregated-from` names the
# upstream audits.toml each entry was copied from.

[[audits.futures-task]]
who = "Daira Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.28"
notes = "Dependency updates, and an MSRV update to Rust 1.56."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-task]]
who = "Daira Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
notes = "Dependency updates, and an MSRV update to Rust 1.56."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-task]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-task]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
# NOTE(review): this delta runs from the newer version to the older one
# (0.3.29 -> 0.3.26). cargo-vet accepts backward deltas, so this can be
# deliberate; confirm against the upstream audits.toml named in
# `aggregated-from` rather than assuming the versions were swapped.
delta = "0.3.29 -> 0.3.26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.futures-task]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-util]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"
notes = """ Changes to `unsafe` usage are to split `Either::project` into `Either::as_pin_ref` and `Either::as_pin_mut`. The new code follows the old code's pattern, and also now has SAFETY documentation. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.futures-util]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
notes = """ - MSRV bumped to 1.56. - Changes to `unsafe` code are to move a function call outside an `unsafe fn`, and to call the `unsafe fn` earlier. 
The safety requirement of being in the `POLLING` state appears to be preserved. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-util]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.28 -> 0.3.29" notes = """ Only change to `unsafe` code is to add a `Fut: Send` bound to the `unsafe impl Sync for FuturesUnordered`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.futures-util]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = """ - Removes `build.rs` now that it can rely on the `target_has_atomic` attribute. - Almost all changes to `unsafe` blocks are to either move them around, or replace them with safe method calls. - One new `unsafe` block is added for a slice lifetime transmutation. The slice reconstruction is obviously correct. AFAICT the lifetime transmutation is also correct; the slice's lifetime logically comes from the `AsyncBufRead` reader inside `FillBuf`, rather than the `Context`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.generic-array]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.14.6 -> 0.14.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.generic-array]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.7 -> 0.14.9" notes = "Change to build script is to add a deprecation warning behind a Rust version check." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.getrandom]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.6 -> 0.2.7" notes = """ Checked that getrandom::wasi::getrandom_inner matches wasi::random_get. Checked that getrandom::util_libc::Weak lock ordering matches std::sys::unix::weak::DlsymWeak. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.getrandom]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.8 -> 0.2.9" notes = """ The new `getrandom_uninit` method is introduced by retrofitting every system implementation to take `&mut [MaybeUninit<u8>]` instead of `&mut [u8]`. Most implementations are only altered to update their signature, and to internally cast the slice back to `*mut u8` when writing to it. All of these backends appear to write bytes to the full length of the slice, so it should be fully initialized afterwards, upholding the invariants of the new `unsafe` code in the public APIs. - I did not check the behaviour of each implementation's system method to ensure they never write uninitialized bytes; the code prior to this change already needed to uphold that invariant as it was writing into `&mut [u8]`. The following system implementations have additional `unsafe` code modifications: - `custom`: The slice is zero-filled to ensure the `MaybeUninit` doesn't escape into a system implementation that might not write initialized bytes into the entire slice. The internal API between registration and usage is also switched from C ABI to Rust ABI, to guard against potential panics. - `emscripten`: New backend, implementation looks reasonable. - `hermit`: New backend, writes incrementally to the slice, but ensures that the entire slice has been written to before returning `Ok(())`. I note that it is possible for the implementation to loop indefinitely if `sys_read_entropy` were to always return 0 for some reason. - `js`: Adds chunking to limit each write to less than 2^31 (but that seems like a bugfix). The safety requirements for `Uint8Array::view_mut_raw` appear to be satisfied. - `rdrand`: Code changes to better handle CPU families with broken RDRAND. - `solaris_illumos`: Now uses `GRND_RANDOM`. - `windows`: Added `RtlGenRandom` fallback for non-UWP Windows. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.getrandom]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.15 -> 0.2.16" notes = "New support for Cygwin looks correct to me." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.getset]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.1.3" notes = """ Does what it says on the tin. The proc macro generates unsurprising and obvious code, and does not produce unsafe code or access any imports. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.getset]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.4 -> 0.1.5" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.gimli]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.0 -> 0.27.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.gimli]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.2 -> 0.27.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.glob]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.2 -> 0.3.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.group]] who = "Kris Nuttycombe " criteria = "safe-to-deploy" delta = "0.12.0 -> 0.12.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.group]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.13.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.h2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.21 -> 0.3.26" aggregated-from = 
"https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Delta audits for h2, half and hashbrown. Several of the notes below state
# what the auditor did NOT verify; read them before relying on the entry.

[[audits.h2]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.4.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.h2]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.4.7 -> 0.4.8"
# The notes record one precondition of the panic-safety argument that the
# auditor did not confirm.
notes = """ Panic safety comment is locally correct, but I didn't confirm that the method `stream.send_flow.available()` is immutable, which it relies upon. """
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.half]]
who = "Daira-Emma Hopwood "
# `safe-to-run` is the weaker of cargo-vet's built-in criteria and does not
# imply `safe-to-deploy`; the notes also leave the intrinsics' safety
# requirements unchecked.
criteria = "safe-to-run"
delta = "1.8.2 -> 2.2.1"
notes = """ All new uses of unsafe are either just accessing bit representations, or plausibly reasonable uses of intrinsics. I have not checked safety requirements on the latter. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.hashbrown]]
who = "Daira Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.13.2 -> 0.14.0"
# An audit entry certifies only the crate it names, so the `allocator-api2`
# dependency mentioned in the notes needs its own entry.
# NOTE(review): no such entry is visible in this part of the file; confirm
# it exists elsewhere.
notes = """ There is some additional use of unsafe code but the changes in this crate looked plausible. There is a new default dependency on the `allocator-api2` crate, which itself has quite a lot of unsafe code. Many previously undocumented safety requirements have been documented. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.hashbrown]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.14.2 -> 0.14.5"
notes = "I did not thoroughly check the safety argument for fold_impl, but it at least seems to be well documented."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Delta audits for hdwallet, hermit-abi, home and http. `aggregated-from`
# names the upstream audits.toml each entry was copied from.

[[audits.hdwallet]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.4.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.hermit-abi]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.hermit-abi]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.3 -> 0.3.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.home]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.5 -> 0.5.9"
notes = """ `unsafe` changes are to switch Windows logic from `SHGetFolderPathW` to `SHGetKnownFolderPath`. I checked that the parameters and return values were being handled correctly per the Windows documentation. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.http]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.8 -> 0.2.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.http]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.11 -> 0.2.12"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.http]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
# NOTE(review): backward delta across a major version (1.0.0 -> 0.2.11).
# cargo-vet accepts deltas in either direction, so this can be deliberate;
# confirm the direction against the upstream audits.toml. The entry has no
# `notes`, so what was compared is not recorded here.
delta = "1.0.0 -> 0.2.11"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.http]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.3.1"
notes = """ No direct changes to `unsafe` code, but a `ByteStr::from_utf8_unchecked` call is wrapped in additional safety checks (now calling `std::from_utf8` in some cases). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.http-body]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.5 -> 0.4.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.http-body]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.0 -> 1.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.http-body-util]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.2" notes = "New uses of pin_project! look fine." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.23 -> 0.14.24" notes = """ Fixes a bug where memory was reserved based on an adversary-controllable size, before the corresponding data was received. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.25 -> 0.14.26" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.26 -> 0.14.27" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.27 -> 0.14.28" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.hyper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.14.30 -> 0.14.32" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.hyper-rustls]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.5 -> 0.27.7" aggregated-from = 
"https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.hyper-timeout]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.1 -> 0.5.1" notes = "New uses of pin_project! look fine." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.hyper-util]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.5 -> 0.1.6" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.i18n-config]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.7 -> 0.4.8" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.i18n-embed]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.15.2 -> 0.15.3" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.i18n-embed-fl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.9.2 -> 0.9.3" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.indexmap]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.8.1 -> 1.9.1" notes = "I'm satisfied that the assertion guarding the new unsafe block is correct." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.indexmap]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "1.9.2 -> 1.9.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.indexmap]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.0 -> 2.1.0" notes = "- Replaces an `unsafe` block with a safe alternative." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.indexmap]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.8.0 -> 2.9.0" notes = """ New `unsafe` code inside the `get_disjoint_mut` implementation is for obtaining mutable references to `Bucket`s inside a mutable `Slice`. The implementation takes `&mut self` and correctly enforces that the requested indices are unique, which makes the mutable pointer indexing sound because we are guaranteed that no other mutable borrows exist outside this method, and the indexing won't produce two mutable pointers to the same slice entry. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.indexmap]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.11.4 -> 2.12.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.inferno]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "0.11.17 -> 0.11.19" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.inferno]] who = "Kris Nuttycombe " criteria = "safe-to-run" delta = "0.11.19 -> 0.11.21" notes = "No added unsafe code." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" version = "0.1.3" notes = "Reviewed in full." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.inout]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.4" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.io-lifetimes]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.10 -> 1.0.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.5.0 -> 2.7.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "2.7.1 -> 2.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.7.2 -> 2.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.8.0 -> 2.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.9.0 -> 2.10.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.10.0 -> 2.10.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ipnet]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.10.1 -> 2.11.0" notes = """ Introduces an implicit MSRV of 1.81 for no-std usage, but does not declare it as std usage continues to work with earlier Rust versions. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.is-terminal]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "0.4.9 -> 0.4.12" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.is-terminal]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.16 -> 0.4.17" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.is_terminal_polyfill]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.70.1 -> 1.70.2" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.itoa]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.0.3" notes = "Update makes no changes to code." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.itoa]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.5 -> 1.0.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.itoa]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.6 -> 1.0.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.itoa]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.9 -> 1.0.10" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.js-sys]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.60 -> 0.3.61" notes = """ - Adds `i64` variants of existing `Atomics` methods, which I checked them against. - Adds `Array.length` setter and `Intl.RelativeTimeFormat`; I checked these against their MDN documentation. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.js-sys]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.61 -> 0.3.64" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.js-sys]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.64 -> 0.3.66" notes = """ - Fixes the `BigInt64Array` variants of the existing `Atomics.wait` method. - Adds `Atomics.waitAsync`, the `DataView` constructor variant that takes `SharedArrayBuffer`, and `WebAssembly.Exception`; I checked these against their MDN documentation. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.js-sys]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.65 -> 0.3.66" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.js-sys]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.66 -> 0.3.69" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.jsonrpsee]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.7 -> 0.24.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.9 -> 0.24.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.7 -> 0.24.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.9 -> 0.24.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-http-client]] who = "Jack Grigg 
" criteria = "safe-to-deploy" delta = "0.24.9 -> 0.24.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-proc-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.7 -> 0.24.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-proc-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.9 -> 0.24.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-server]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.7 -> 0.24.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-server]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.9 -> 0.24.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-types]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.7 -> 0.24.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jsonrpsee-types]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.24.9 -> 0.24.10" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.jubjub]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.0" notes = "I previously reviewed the crypto-sensitive portions of these changes as well." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.known-folders]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "1.0.1" notes = """ Uses `unsafe` blocks to interact with `windows-sys` crate. - `SHGetKnownFolderPath` safety requirements are met. 
- `CoTaskMemFree` has no effect if passed `NULL`, so there is no issue if some future refactor created a pathway where `ffi::Guard` could be dropped before `SHGetKnownFolderPath` is called. - Small nit: `ffi::Guard::as_pwstr` takes `&self` but returns `PWSTR` which is the mutable type; it should instead return `PCWSTR` which is the const type (and what `lstrlenW` takes) instead of implicitly const-casting the pointer, as this would better reflect the intent to take an immutable reference. - The slice constructed from the `PWSTR` correctly goes out of scope before `guard` is dropped. - A code comment says that `path_ptr` is valid for `len` bytes, but `PCWSTR` is a `*const u16` and `lstrlenW` returns its length "in characters" (which the Windows documentation confirms means the number of `WCHAR` values). This is likely a typo; the code checks that `len * size_of::<u16>() <= isize::MAX`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.known-folders]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.1.0" notes = "Addresses the notes from my previous review :)" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.known-folders]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.2.0" notes = "Change to `unsafe` block is adapting to the `windows-sys` crate's API change."
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.known-folders]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.2.0 -> 1.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.libm]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.2 -> 0.2.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.libm]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.5 -> 0.2.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.libm]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.7 -> 0.2.8" notes = "Forces some intermediate values to not have too much precision on the x87 FPU." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.libredox]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.0.1 -> 0.1.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.link-cplusplus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.6 -> 1.0.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.link-cplusplus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.7 -> 1.0.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.link-cplusplus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.9 -> 1.0.10" notes = "Only an MSRV bump (to 1.51); build script change is just formatting." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): the note explains why `unsafe` is present in this crate but does
# not say which `unsafe` changes in the 0.4.12 -> 0.4.13 delta were inspected.
[[audits.linux-raw-sys]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.4.12 -> 0.4.13"
notes = "Low-level OS interface crate, so `unsafe` code is expected."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.litemap]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.8.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.lock_api]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.4.7 -> 0.4.9"
notes = "The unsafe changes fix soundness bugs. The unsafe additions in the new ArcMutexGuard::into_arc method seem fine, but it should probably have used ManuallyDrop instead of mem::forget."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): certified for `safe-to-run` only, the weaker of cargo-vet's two
# built-in criteria (`safe-to-deploy` implies it, not the reverse). This delta
# therefore does not extend a `safe-to-deploy` chain for lock_api. No entry
# visible here covers 0.4.9 -> 0.4.11 either; presumably that step is certified
# by another audit source or an exemption - confirm before relying on it.
[[audits.lock_api]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-run"
delta = "0.4.11 -> 0.4.12"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.log]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.4.16 -> 0.4.17"
notes = "I confirmed that the unsafe transmutes are fine; NonZeroU128 and NonZeroI128 are `#[repr(transparent)]` wrappers around u128 and i128 respectively."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.log]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.18 -> 0.4.19" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.log]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.19 -> 0.4.20" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.log]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.20 -> 0.4.21" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.macro_find_and_replace]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" version = "1.0.0" notes = "Fully reviewed. No problems found other than a few typos in documentation (filed https://github.com/lord-ne/rust-macro-find-and-replace/pull/1 )." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.maybe-rayon]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memchr]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.6.3 -> 2.6.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memchr]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.6.4 -> 2.7.1" notes = """ Change to an `unsafe fn` is to rework the short-tail handling of a fixed-length comparison between `u8` pointers. The new tail code matches the existing head code (but adapted to `u16` and `u8` reads, instead of `u32`). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memchr]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.7.1 -> 2.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memchr]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.7.2 -> 2.7.4" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.memchr]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.7.4 -> 2.7.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memmap2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.9.3 -> 0.9.4" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.memoffset]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.9.0" notes = """ Refactors the `offset_of` macros to optionally replace their existing `unsafe` implementations with the unstable internal `core::mem::offset_of` macro. The existing `unsafe` implementations are unaltered. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memuse]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.1" notes = "Exposes an existing macro. Note that I am the author of the crate." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.memuse]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.1 -> 0.2.2" notes = "Adds no-std support; no other changes. Note that I am the author of the crate." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.19.0 -> 0.20.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.21.0 -> 0.21.1" notes = "Removes an unused `unsafe` public API." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics-exporter-prometheus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.11.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics-exporter-prometheus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.12.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.1 -> 0.6.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics-util]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.0 -> 0.14.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.metrics-util]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.15.0 -> 0.15.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.miniz_oxide]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.7.1 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.minreq]] who = 
"Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.11.0 -> 2.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.minreq]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.11.2 -> 2.12.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.2 -> 0.8.4" notes = """ Migrates from winapi to windows-sys. The changes to API usage look reasonable based on what I've seen in other uses of the windows-sys crate. Unsafe code falls into two categories: - Usage of `mem::zeroed()`, which doesn't look obviously wrong. The `..unsafe { mem::zeroed() }` in `sys::unix::selector::kqueue` looks weird but AFAICT is saying "take any unspecified fields from an instance of this struct that has been zero-initialized", which is fine for integer fields. It would be nice if there was documentation to this effect (explaining why this is done instead of `..Default::default()`). - Calls to Windows API methods. These are either pre-existing (and altered for the differences in the crate abstractions), or newly added in logic that appears to be copied from miow 0.3.6 (I scanned this by eye and didn't see any noteworthy changes other than handling windows-sys API differences). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.4 -> 0.8.5" notes = "The only unsafe changes are in epoll_create1 failure cases. Usage of epoll_create and fcntl looks fine; it is vulnerable to a race condition in multithreaded programs that fork child processes, but epoll_create1 is how you avoid this problem. See the discussion of the O_CLOEXEC flag in the open(2) man page for details." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.5 -> 0.8.6" notes = """ New `unsafe` usages: - `NonZeroU8::new_unchecked`: I verified the constant is non-zero. - Additional `syscall!(close(socket))` calls before returning errors. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.mio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.6 -> 0.8.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.mio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.8.10 -> 0.8.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.multimap]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.10.0 -> 0.10.1" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.nix]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.26.1 -> 0.26.2" notes = "Fixes `SockaddrIn6` endianness bug." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.nix]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.26.2 -> 0.26.4" notes = """ Most of the `unsafe` changes are cleaning up their usage: - Replacing `data.len() * std::mem::size_of::<$ty>()` with `std::mem::size_of_val(data)`. - Removing some `mem::transmute`s. - Using `*mut` instead of `*const` to convey intended semantics. A new unsafe trait method `SockaddrLike::set_length` is added; its impls look fine.
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.nonempty]] who = "Kris Nuttycombe " criteria = "safe-to-deploy" version = "0.11.0" notes = """ Additional use of `unsafe` to wrap `NonZeroUsize::new_unchecked`; in both cases the argument to this method is ` + 1`; in general this is safe with the exception that if an existing `Vec` has length or capacity `usize::MAX` this could wrap into zero; it would be better to use the safe operation and then `expect` to generate a panic, rather than risk undefined behavior. Additions are: - no_std support - sorting - `nonzero` module (just wrappers - `serde` support - `nonempty macro` (trivial, verified safe) """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.num-bigint]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.4 -> 0.4.5" notes = "New uses of unsafe look reasonable." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.num-conv]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" version = "0.1.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.num-integer]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.44 -> 0.1.45" notes = "Fixes some argument-handling panic bugs." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.num_cpus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.num_cpus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.15.0 -> 1.16.0" notes = "New unsafe code calls AIX `getsystemcfg` API exposed by `libc` to access the SMT mode." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.num_cpus]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.16.0 -> 1.17.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.num_enum]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.num_enum_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.7.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.object]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.30.1 -> 0.30.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.object]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.30.2 -> 0.30.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.object]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.30.3 -> 0.30.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.object]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.32.0 -> 0.32.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.object]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.32.1 -> 0.32.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.once_cell]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.17.0 -> 1.17.1" notes = """ Small refactor that reduces the overall amount of `unsafe` code. The new strict provenance approach looks reasonable. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.oneshot-fused-workaround]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.oneshot-fused-workaround]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.3 -> 0.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.oorandom]] who = "Jack Grigg " criteria = "safe-to-run" delta = "11.1.3 -> 11.1.4" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.opaque-debug]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.os_pipe]] who = "Jack Grigg " criteria = "safe-to-run" delta = "1.2.2 -> 1.2.3" notes = """ Changes to `unsafe` code are to replace individual `target_os` cfg flags for Apple targets that gate functions containing `unsafe` blocks, with a `target_vendor = "apple"`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.pairing]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.22.0 -> 0.23.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.parity-scale-codec]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.2.1 -> 3.4.0" notes = "No new code, just refactoring to remove the `full` feature flag." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.parity-scale-codec]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "3.6.1 -> 3.6.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.parity-scale-codec]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "3.6.5 -> 3.6.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.parity-scale-codec-derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "3.1.3 -> 3.1.4"
notes = """ - Bumps `syn` minimum version. - Fixes `max_encoded_len()` to pay attention to `#[codec(skip)]` attribute. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.parity-scale-codec-derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "3.1.4 -> 3.6.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): the deltas for this crate visible here stop at 3.6.1 and resume
# at 3.6.5. The 3.6.1 -> 3.6.5 step has to come from elsewhere (another import,
# a full-version audit or an exemption) for a chain to reach 3.6.9 - confirm.
[[audits.parity-scale-codec-derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "3.6.5 -> 3.6.9"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): certified `safe-to-deploy`, but the note itself says the
# migration to the `asm!` macro was not closely reviewed. Treat the
# inline-assembly changes in this delta as only lightly inspected.
[[audits.parking_lot]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.11.2 -> 0.12.1"
notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): `safe-to-run` only. Among the parking_lot entries in this file
# it is the sole link between the `safe-to-deploy` delta ending at 0.12.1 and
# the one starting at 0.12.2, so a deploy-level chain to 0.12.3 needs this step
# certified at `safe-to-deploy` by some other source - confirm.
[[audits.parking_lot]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-run"
delta = "0.12.1 -> 0.12.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.parking_lot]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.12.2 -> 0.12.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.parking_lot_core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.5 -> 0.9.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.parking_lot_core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.5 -> 0.9.6"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.parking_lot_core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.6 -> 0.9.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): `safe-to-run` only, and it does not join up with the
# `safe-to-deploy` deltas above, which end at 0.9.7. It certifies nothing at
# deploy level for parking_lot_core.
[[audits.parking_lot_core]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-run"
delta = "0.9.9 -> 0.9.10"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): both pasta_curves entries carry `safe-to-deploy` alone. Unlike
# the pbkdf2 entry below, neither records `crypto-reviewed`, so they would not
# satisfy a policy that demands that criterion for this elliptic-curve crate.
[[audits.pasta_curves]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.4.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.pasta_curves]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Certified for two criteria at once: `safe-to-deploy` and `crypto-reviewed`.
[[audits.pbkdf2]]
who = "Jack Grigg "
criteria = ["safe-to-deploy", "crypto-reviewed"]
delta = "0.9.0 -> 0.10.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.pczt]]
who = "Kris Nuttycombe "
criteria =
"safe-to-deploy" version = "0.0.0" notes = "Initial empty crate release." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = """ Mostly modernisation, migrating to `PhfBorrow`, and making more things `&'static`. No unsafe code in the new `OrderedMap` and `OrderedSet` types. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.2 -> 0.11.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.3 -> 0.12.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.phf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.13.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.phf_codegen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = "New codegen and changes to existing codegen look fine." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_codegen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_codegen]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.2 -> 0.11.3" notes = "Only an MSRV bump (to 1.61)." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = "Just dependency and edition bumps and code formatting." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.2 -> 0.11.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.3 -> 0.12.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.phf_generator]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.13.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.0 -> 0.11.1" notes = """ Adds `uncased` dependency, and newly generates unsafe code to transmute `&'static str` into `&'static UncasedStr`. I verified that `UncasedStr` is a `#[repr(transparent)]` newtype around `str`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.1 -> 0.11.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.2 -> 0.11.3" notes = "Bumped MSRV and dependency versions to remove an `unsafe` block." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.3 -> 0.12.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.phf_shared]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.13.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.pin-project-internal]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.1.3 -> 1.1.5" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.pin-project-lite]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.9 -> 0.2.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.pin-project-lite]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.13 -> 0.2.14" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.pkg-config]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.pkg-config]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.31 -> 0.3.32" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.platforms]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" version = "3.0.2" notes = """ This crate uses `#![forbid(unsafe_code)]` and its build script is safe. It only "provides programmatic access to information about valid Rust platforms, sourced from the Rust compiler"; it does not attempt any detection that would require unsafety. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.platforms]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.0.2 -> 3.1.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.platforms]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.1.2 -> 3.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.platforms]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.2.0 -> 3.3.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.platforms]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "3.3.0 -> 3.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.poly1305]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "0.7.2 -> 0.8.0" notes = "Changes to unsafe (avx2) code look reasonable." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.potential_utf]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.2 -> 0.1.4" notes = """ - Changes to `unsafe` code are to remove some (by removing an override of a provided trait method). - `Cargo.toml` has a `build.rs` entry in `[package.include]` but no build script; likely an accident of using `include.workspace = true` and some other crate in the workspace gaining one. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.pprof]] who = "Jack Grigg " criteria = "safe-to-run" delta = "0.13.0 -> 0.14.0" notes = """ I did not audit the correctness of the new `unsafe` block (initializing an `aligned_vec::AVec`), but the changes therein don't affect `safe-to-run`. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prettyplease]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.15 -> 0.2.20" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.proc-macro-crate]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.2.1 -> 1.3.0" notes = "Migrates from `toml` to `toml_edit`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro-crate]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.3.0 -> 1.3.1" notes = "Bumps MSRV to 1.60." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro-crate]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.3.1 -> 2.0.1" notes = """ New subprocess call to `$CARGO locate-project` which is controlled by the outer environment, because `cargo` forwards the value of `$CARGO` if set (instead of setting it to its own auto-detected path) when building crates. The output of this call is parsed as a `PathBuf` and the path is opened as a `Cargo.toml`, so the most that the environment can do (side effects aside) is return the path to a different `Cargo.toml`. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro-crate]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.3.0 -> 3.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "1.0.37 -> 1.0.41" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.49 -> 1.0.51" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.51 -> 1.0.52" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.54 -> 1.0.56" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.59 -> 1.0.60" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.66 -> 1.0.67" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.67 -> 1.0.70" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.70 -> 1.0.71" notes = """ New `unsafe` blocks are all inside `unsafe fn`s, and are added to make the safety contracts in the code clearer (instead of using the `unsafe fn`'s implicit `unsafe` block). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.71 -> 1.0.74" notes = """ Build script changes are to replace `RUSTFLAGS` string parsing with a probe file that is compiled with whatever `RUSTC` is set to (but the build script already relies on the `RUSTC` environment variable for inspecting the compiler version). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.81 -> 1.0.82" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.94 -> 1.0.95" notes = """ Refactors code handling paths to source files, but AFAICT none of the affected code involves filesystem access. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proptest]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.2.0 -> 1.4.0" notes = """ Adds support for generating arbitrary `PathBuf`s, but as this crate is intended for fuzzing in test environments this is within its expected scope (and the new API would be used intentionally by downstream tests). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.proptest]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.3.1 -> 1.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.12.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.1 -> 0.13.4" notes = """ - The new `unsafe` block in `encoded_len_varint` has correct safety documentation. - The other changes to `unsafe` code are a move of existing `unsafe` code. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.4 -> 0.13.5" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.prost]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.5 -> 0.14.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-build]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.12.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-build]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.1 -> 0.13.4" notes = """ - Changes to generated code make sense. - Changes to `protoc` path handling don't alter existing usages (just allow the path to be explicitly set). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-derive]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.12.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.3 -> 0.12.6" notes = "Changes to proc macro code are to fix lints after bumping MSRV." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.1 -> 0.13.4" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.4 -> 0.13.5" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.prost-derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.5 -> 0.14.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-types]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.12.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-types]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.1 -> 0.13.4" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.prost-types]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.4 -> 0.13.5" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.prost-types]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.5 -> 0.14.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" 
[[audits.quanta]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.9.3 -> 0.10.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.quinn-udp]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.13 -> 0.5.14" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.quote]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.23 -> 1.0.26" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.quote]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.31 -> 1.0.33" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.quote]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.33 -> 1.0.35" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.r-efi]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "5.2.0 -> 5.3.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rand_xorshift]] who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.3.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.raw-cpuid]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "10.6.0 -> 10.6.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.raw-cpuid]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "10.6.1 -> 10.7.0" notes = """ Appears to be a move-only change in display code to expose an internal API. I did not verify that the change was move-only, but there is no unsafe code affected. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.reddsa]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.3.0 -> 0.5.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.reddsa]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.redjubjub]] who = "Daira Emma Hopwood " criteria = ["safe-to-deploy", "crypto-reviewed"] version = "0.7.0" notes = """ This crate is a thin wrapper around the `reddsa` crate, which I did not review. I also did not review tests or verify test vectors. The comment on `batch::Verifier::verify` has an error in the batch verification equation, filed as https://github.com/ZcashFoundation/redjubjub/issues/163 . It does not affect the implementation which just delegates to `reddsa`. `reddsa` has the same comment bug filed as https://github.com/ZcashFoundation/reddsa/issues/52 , but its batch verification implementation is correct. (I checked the latter against https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate which has had previous cryptographic review by NCC group; see finding NCC-Zcash2018-009 in https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf ). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.redjubjub]] who = "Kris Nuttycombe " criteria = "safe-to-deploy" delta = "0.7.0 -> 0.8.0" notes = "This release adds `no-std` compatibility." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.redox_syscall]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "0.4.1 -> 0.5.1" notes = "Uses of unsafe look plausible." 
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.redox_users]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.3 -> 0.4.4" notes = "Switches from `redox_syscall` crate to `libredox` crate for syscalls." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.redox_users]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.4 -> 0.4.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.redox_users]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.5 -> 0.5.0" notes = """ Changes `Config` from using scheme prefixes (with a default of `file:`) to root FS prefixes (with a default of `/`). The behaviour of `Config::scheme` changed correspondingly but without being renamed. The effect on the rest of the crate is that the passwd, shadow, and group files now default to UNIX-style paths (`/etc/passwd`) instead of scheme syntax (`file:etc/passwd`). 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.redox_users]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.0 -> 0.5.2" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.regex]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.7.0 -> 1.7.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "1.7.1 -> 1.7.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.9.5 -> 1.10.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.10.2 -> 1.10.4" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.10.4 -> 1.10.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.10.6 -> 1.11.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-automata]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.8 -> 0.4.3" notes = """ There were additions to an `unsafe` trait, but the new code itself doesn't use any `unsafe` functions. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-automata]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.4.3 -> 0.4.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-automata]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.6 -> 0.4.7" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.regex-automata]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.7 -> 0.4.9" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.regex-automata]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.8 -> 0.4.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.regex-syntax]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.6.28 -> 0.6.29" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-syntax]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.2 -> 0.7.5" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-syntax]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.5 -> 0.8.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-syntax]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.8.2 -> 0.8.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.regex-syntax]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.3 -> 0.8.4" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.retry-error]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.0 
-> 0.6.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.retry-error]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.3 -> 0.6.5" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.retry-error]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.5 -> 0.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rgb]] who = "Kris Nuttycombe " criteria = "safe-to-run" delta = "0.8.37 -> 0.8.50" notes = """ Some clearly-marked unsafe code is moved; adds a safer alternative to the `as-bytes` feature (which is still enabled by default). """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rpassword]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "7.3.1 -> 7.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rusqlite]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.36.0 -> 0.37.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rust-embed-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "8.5.0 -> 8.6.0" notes = """ If the folder path does not exist post-canonicalization, the non-canonicalized path is used instead to generate the `#ident::get` implementation. The path is checked as a prefix on requested paths to avoid escapes; not having this be a known-canonical path could be a problem in some scenarios. This is a limitation of how `Path::canonicalize` relies on filesystem resolution, and cannot canonicalize a path that does not exist. 
This change was made as part of adding a default-disabled `allow_missing` attribute, and the generator is gated on a check that the non-canonicalized path exists (if the new attribute is off), so there should not be any changes to existing usage. """ aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rust-embed-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "8.6.0 -> 8.8.0" notes = "Change to generated code is to support deterministic timestamps with a feature flag." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rust-embed-utils]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "8.5.0 -> 8.6.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rust-embed-utils]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "8.6.0 -> 8.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rust_decimal]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.37.0 -> 1.37.2" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rustc-demangle]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.1.21 -> 0.1.22" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.22 -> 0.1.23" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustc-demangle]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.1.23 -> 0.1.24" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.23 -> 0.1.24" aggregated-from = 
"https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.24 -> 0.1.25" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustc-demangle]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.25 -> 0.1.26" notes = "Parser changes use existing parsing machinery in an obvious way." aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.rustc_version]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.4.0" notes = """ Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will try `$RUSTC` followed by `rustc`. If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should be set correctly by `cargo`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustc_version]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.0 -> 0.4.1" notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustix]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.38.28 -> 0.38.32" notes = "Cursory review." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustls]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.21.8 -> 0.21.12" notes = """ A comment in get_sni_extension asks whether the behaviour of parsing an IPv4 or IPv6 address in a host_name field of a server_name extension, but then ignoring the extension (because 'Literal IPv4 and IPv6 addresses are not permitted in "HostName"'), as the server, is compliant with RFC 6066. As an original author of RFC 3546 which has very similar wording, I can speak to the intent: yes this is fine. The client is clearly nonconformant in this case, but the server isn't. RFC 3546 said "If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal)." This wording was preserved in RFC 5746, and then updated in RFC 6066 to: If the server understood the ClientHello extension but does not recognize the server name, the server SHOULD take one of two actions: either abort the handshake by sending a fatal-level unrecognized_name(112) alert or continue the handshake. It is NOT RECOMMENDED to send a warning-level unrecognized_name(112) alert, because the client's behavior in response to warning-level alerts is unpredictable. If there is a mismatch between the server name used by the client application and the server name of the credential chosen by the server, this mismatch will become apparent when the client application performs the server endpoint identification, at which point the client application will have to decide whether to proceed with the communication. To me it's clear that it is reasonable to consider an IP address as a name that the server does not recognize. And so the server SHOULD *either* send a fatal unrecognized_name alert, *or* continue the handshake and let the client application decide when it "performs the server endpoint identification". 
There's no conformance requirement for the server to take any notice of a host_name that is "not permitted". (It would have been clearer to express this by specifying the allowed client and server behaviour separately, i.e. saying that the client MUST NOT send an IP address in host_name, and then explicitly specifying the server behaviour if it does so anyway. That's how I would write it now. But honestly this extension was one of the most bikeshedded parts of RFC 3546, to a much greater extent than I'd anticipated, and I was tired.) """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rustversion]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.15 -> 1.0.16" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rustversion]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.16 -> 1.0.17" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.rustversion]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.18 -> 1.0.19" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustversion]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.20 -> 1.0.21" notes = "Build script change is to fix building with `-Zfmt-debug=none`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.rustversion]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.21 -> 1.0.22" notes = "Changes to generated code are to prepend a clippy annotation." 
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.12 -> 1.0.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.13 -> 1.0.15" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.15 -> 1.0.16" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ryu]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.16 -> 1.0.17" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.17 -> 1.0.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.ryu]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "1.0.17 -> 1.0.18" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.18 -> 1.0.20" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.safelog]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.0 -> 0.4.5" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.safelog]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.5 -> 0.4.8" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.safelog]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.8 -> 0.6.0" aggregated-from = 
"https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.schemars]] who = "Schell Carl Scivally " criteria = "safe-to-deploy" delta = "0.8.12 -> 0.9.0" notes = """ The changes are primarily API refactoring and simplification, dependency updates, new type implementations, and feature flag reorganization. The crate changed from #![forbid(unsafe_code)] (line 9347) to #![deny(unsafe_code)] (line 9348), to accommodate the ref-cast crate integration which requires #[allow(unsafe_code)] on specific functions. The only notable change is the ref-cast usage which is a sound pattern for creating transparent newtype wrappers. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.schemars]] who = "Schell Carl Scivally " criteria = "safe-to-deploy" delta = "0.9.0 -> 1.1.0" notes = """ This update contains no unsafe code, no ambient capability usage, and no changes that could be exploited by untrusted input. The changes are purely schema generation logic improvements, API refinements, and dependency updates. This reverts a previous change that lowered #[forbid(unsafe_code)] to #[deny(unsafe_code)]. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.scopeguard]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.0 -> 1.2.0" notes = "Only change to an `unsafe` block is to replace a `mem::forget` with `ManuallyDrop`." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.secp256k1]] who = "Jack Grigg " criteria = ["safe-to-deploy", "crypto-reviewed"] delta = "0.26.0 -> 0.27.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.17 -> 1.0.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.18 -> 1.0.19" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.19 -> 1.0.20" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.semver]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.20 -> 1.0.22" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.22 -> 1.0.23" notes = """ `build.rs` change is to enable checking for expected `#[cfg]` names if compiling with Rust 1.80 or later. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.semver]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.25 -> 1.0.26" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.136 -> 1.0.143" notes = "Bumps serde-derive and adds some constructors." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.143 -> 1.0.145" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.155 -> 1.0.156" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.159 -> 1.0.160" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.163 -> 1.0.164" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.179 -> 1.0.188" notes = "Mostly a bunch of cleanups after bumping MSRV." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.188 -> 1.0.193" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.193 -> 1.0.194" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.201 -> 1.0.202" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.216 -> 1.0.217" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.227 -> 1.0.228" notes = "Changes to build script are to alter the name of a custom `cfg` option." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.227 -> 1.0.228" notes = "Changes to build script are to alter the name of a custom `cfg` option." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.136 -> 1.0.143" notes = "Bumps syn, inverts some build flags." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.143 -> 1.0.145" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.155 -> 1.0.156" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.159 -> 1.0.160" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.163 -> 1.0.164" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.179 -> 1.0.188" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.188 -> 1.0.193" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.193 -> 1.0.194" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.201 -> 1.0.202" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.216 -> 1.0.217" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_derive]] who = "Jack Grigg " criteria = 
"safe-to-deploy" delta = "1.0.227 -> 1.0.228" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.95 -> 1.0.96" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.96 -> 1.0.97" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.97 -> 1.0.99" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.99 -> 1.0.106" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.106 -> 1.0.107" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.107 -> 1.0.108" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.108 -> 1.0.110" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.110 -> 1.0.116" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.116 -> 1.0.117" notes = """ `build.rs` change is to use `cargo:rustc-check-cfg` to check for features it was already using. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.serde_json]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "1.0.116 -> 1.0.117" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.117 -> 1.0.120" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.137 -> 1.0.140" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.serde_spanned]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.8 -> 0.6.9" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.serde_spanned]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.8 -> 1.0.3" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_with]] who = "Schell Carl Scivally " criteria = "safe-to-deploy" delta = "3.8.1 -> 3.16.0" notes = "No new unsafe, no new IO." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.serde_with_macros]] who = "Schell Carl Scivally " criteria = "safe-to-deploy" delta = "3.8.1 -> 3.16.0" notes = "No new IO, mostly just machinery for deriving serde traits from Display." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.sha2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.10.6 -> 0.10.7" notes = """ The new `unsafe` assembly backend only uses aarch64 intrinsics, via their typed Rust APIs (aside from the SHA2-specific intrinsics that are not in Rust yet). 
I did not perform a cryptographic review, but the code to load from and store into the function arguments looks correct. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.sharded-slab]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.4 -> 0.1.7" notes = "Only change to an `unsafe` block is to fix a clippy lint." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.signature]] who = "Daira Emma Hopwood " criteria = "safe-to-deploy" version = "2.1.0" notes = """ This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations. I did not review whether implementing these APIs would present any undocumented cryptographic hazards. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.signature]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.1.0 -> 2.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.siphasher]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.10 -> 0.3.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.siphasher]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.11 -> 1.0.1" notes = "No code changes, just stabilising the code in SemVer." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.sketches-ddsketch]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.2.0" notes = "I did not review the refactor, but there are no unsafe blocks and I didn't see any obvious changes that could result in panics." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.sketches-ddsketch]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.sketches-ddsketch]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.1 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.slotmap-careful]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.3 -> 0.2.5" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.slotmap-careful]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.5 -> 0.4.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.smallvec]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.11.1 -> 1.13.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.socket2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.4.9 -> 0.4.10" notes = """ Adds support for ESP-IDF and Sony Vita targets. New `unsafe` blocks are for a Vita-specific `libc` call to `setsockopt` for non-blocking behaviour. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.socket2]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.4 -> 0.5.5" notes = """ Adds support for Sony Vita targets. New `unsafe` blocks are for Vita-specific `libc` calls to `getsockopt` and `setsockopt` for non-blocking behaviour. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.socket2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.5.5 -> 0.5.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.socket2]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.5.6 -> 0.5.7" notes = "The new uses of unsafe to access getsockopt/setsockopt look reasonable." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.strum]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.1 -> 0.27.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.strum_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.27.1 -> 0.27.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.symbolic-common]] who = "Kris Nuttycombe " criteria = "safe-to-run" delta = "12.9.2 -> 12.13.3" notes = "Just minor code & Cargo.toml cleanups." 
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.syn]] who = "Daira Hopwood " criteria = "safe-to-deploy" delta = "1.0.91 -> 1.0.98" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "1.0.102 -> 1.0.104" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.102 -> 1.0.107" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.107 -> 1.0.109" notes = "Fixes string literal parsing to only skip specified whitespace characters." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.11 -> 2.0.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.13 -> 2.0.15" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.15 -> 2.0.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.26 -> 2.0.33" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.33 -> 2.0.37" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.37 -> 
2.0.41" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.41 -> 2.0.43" notes = """ New `unsafe` blocks are all inside `unsafe fn`s, and are added to make the safety contracts in the code clearer (instead of using the `unsafe fn`'s implicit `unsafe` block). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.0.43 -> 2.0.46" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.0.46 -> 2.0.59" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.syn]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.0.53 -> 2.0.60" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.syn]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "2.0.60 -> 2.0.63" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.sync_wrapper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.2 -> 1.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.sync_wrapper]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.1 -> 1.0.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.5.0 -> 3.6.0" notes = "New `build.rs` file uses `autocfg` crate to conditionally enable new trait impls." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tempfile]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" delta = "3.5.0 -> 3.12.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.6.0 -> 3.8.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.8.0 -> 3.8.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "3.8.1 -> 3.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tempfile]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "3.9.0 -> 3.10.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.terminfo]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.7.3 -> 0.7.5" notes = "Just dependency and edition updates." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.30 -> 1.0.32" notes = "Bumps thiserror-impl, no code changes." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.32 -> 1.0.37" notes = "The new build script invokes rustc to determine whether it supports the Provider API. The only side-effect is it overwrites `$OUT_DIR/probe.rs`, which is fine because it is unique to the thiserror package." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.43 -> 1.0.48" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.48 -> 1.0.51" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.51 -> 1.0.52" notes = "Reruns the build script if the `RUSTC_BOOTSTRAP` env variable changes." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.52 -> 1.0.56" notes = """ Build script changes are to refactor the existing probe into a separate file (which removes a filesystem write), and adjust how it gets rerun in response to changes in the build environment. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.56 -> 1.0.58" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.58 -> 1.0.60" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.60 -> 1.0.61" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.thiserror]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.61 -> 1.0.63" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.30 -> 1.0.32" notes = "Only change is to refine an error message." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.32 -> 1.0.37" notes = "Proc macro changes migrating to the Provider API look fine." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.43 -> 1.0.48" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.48 -> 1.0.51" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.51 -> 1.0.52" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.52 -> 1.0.56" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.56 -> 1.0.58" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.0.58 -> 1.0.60" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.60 -> 1.0.61" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.thiserror-impl]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.61 -> 1.0.63" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.thread_local]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.4 -> 1.1.7" notes = """ New `unsafe` usage: - An extra `deallocate_bucket`, to replace a `Mutex::lock` with a `compare_exchange`. 
- Setting and getting a `#[thread_local] static mut Option` on nightly. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thread_local]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.1.7 -> 1.1.8" notes = """ Adds `unsafe` code that makes an assumption that `ptr::null_mut::<Entry<T>>()` is a valid representation of an `AtomicPtr<Entry<T>>`, but this is likely a correct assumption. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.thread_local]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.1.8 -> 1.1.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.20 -> 0.3.22" notes = """ Fixes alignment (by using `#[repr(C)]`) of some `union`s that are used in `unsafe` blocks to const convert between `UtcOffset`, and a trait type that is either `UtcOffset` or `()`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.3.30 -> 0.3.31" notes = """ Removes one `unsafe` block by repurposing a constructor containing a more general invocation of the same `unsafe` function. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.3.31 -> 0.3.36" notes = "Some use of `unsafe` code but its safety requirements are documented and look okay."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-core]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.1 -> 0.1.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.4 -> 0.2.6" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.7 -> 0.2.8" notes = """ - Only new `unsafe` code takes a `NonZeroU16` at proc-macro evaluation time and hard-codes its contents into a `NonZeroU16::new_unchecked` constructor, which is safe. - Bumps MSRV to 1.63. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.8 -> 0.2.9" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.9 -> 0.2.14" notes = """ New `unsafe` blocks are because a previously-unsafe macro helper now declares its unsafety; no actual logic changes. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.14 -> 0.2.15" notes = """ New `unsafe` block is because `time::Date` now has a niche value optimization, and its macro-only constructor is now `unsafe`. Safe because the macro ensures that `ordinal` is non-zero while parsing. 
""" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.15 -> 0.2.16" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.time-macros]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.2.16 -> 0.2.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tokio]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.35.0 -> 1.35.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tokio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.35.1 -> 1.37.0" notes = "Cursory review, but new and changed uses of `unsafe` code look fine, as far as I can see." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tokio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.40.0 -> 1.42.0" notes = """ Changes to unsafe code look reasonable. There are new unsafe APIs but their safety requirements are documented. This release has a vulnerability (https://rustsec.org/advisories/RUSTSEC-2025-0023) but it is not a regression relative to 1.40.0. Update to 1.42.1 to fix that. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tokio]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "1.42.0 -> 1.42.1" notes = "Plausible fix to https://rustsec.org/advisories/RUSTSEC-2025-0023 ." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tokio-macros]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.4.0 -> 2.5.0" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.tokio-stream]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.1.14 -> 0.1.15" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tokio-stream]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.1.15 -> 0.1.17" notes = """ No new `unsafe` code or powerful imports. The new async polling logic added as `StreamMap::poll_next_many` looks plausible. """ aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tokio-util]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.7.10 -> 0.7.11" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.toml]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.8.19 -> 0.8.20" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" version = "0.5.1" notes = "Crate has `#![forbid(unsafe_code)]`, no `unwrap / expect / panic`, no ambient capabilities." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.5.1 -> 0.6.1" notes = "Fixes a bug in parsing negative minutes in datetime string offsets." 
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.toml_datetime]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.6.2 -> 0.6.3" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.toml_edit]] who = "Sean Bowe " criteria = "safe-to-deploy" delta = "0.19.7 -> 0.19.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.toml_edit]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.19.10 -> 0.19.11" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.toml_edit]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.19.15 -> 0.20.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" [[audits.tonic]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.10.2 -> 0.11.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.0 -> 0.12.1" notes = "Changes to generics bounds look fine" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.0 -> 0.13.1" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" delta = "0.10.2 -> 0.11.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.11.0 -> 0.12.0" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Jack Grigg " criteria = 
"safe-to-deploy" delta = "0.12.0 -> 0.12.1" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.1 -> 0.12.3" notes = "Changes to generated code make sense and don't result in anything unexpected." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.12.3 -> 0.13.0" notes = "Changes to generated code look sensible (adapting to `tonic` API changes)." aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.0 -> 0.13.1" aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" [[audits.tonic-build]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.13.0 -> 0.14.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" [[audits.tor-async-utils]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.23.0 -> 0.28.0" notes = """ Some macro complexity but it appears to only be used for defining error types; no changes to `unsafe` code or powerful imports. 
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# These tables follow the cargo-vet audit-record layout. Each
# `[[audits.<crate>]]` table is one review: `who` performed it, `criteria` is
# what it certifies, and `delta = "A -> B"` limits it to the diff between two
# releases. `aggregated-from` is the upstream audits file the record was
# collected from.
# A delta vouches for B only when A is already covered, so the records for one
# crate have to be read as a chain.
# Every record in this span certifies `safe-to-deploy` only; none claims the
# file's `crypto-reviewed` criterion.
# NOTE(review): every `who` value ends in a space before the closing quote;
# presumably an `<email>` suffix was lost when the page was extracted. Compare
# with the upstream file before relying on reviewer identity.

[[audits.tor-async-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-async-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-async-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-async-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-basic-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-basic-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-basic-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-basic-utils]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-bytes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-bytes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-bytes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-bytes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-bytes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): the tor-cell records go from "-> 0.30.0" straight to
# "0.31.0 ->"; no 0.30.0 -> 0.31.0 delta is listed, so these entries alone do
# not link 0.28.0 to 0.35.0. Presumably another source covers that step;
# confirm with the vetting tool rather than assuming the chain is complete.
[[audits.tor-cell]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-cell]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-cell]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The first tor-cert delta records a new API that can be used to break the
# crate's own semantics. Per the note it is gated as an experimental feature
# and carries a `dangerously_*` name. The audit does not say whether any
# consumer enables that feature, so check the feature set of your own build.
[[audits.tor-cert]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
notes = """ No new `unsafe` APIs, but does add a new API that could be used to violate crate semantics; it is gated as an experimental feature and follows the Tor crate naming convention of using a `dangerously_*` method prefix. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-cert]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-cert]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-cert]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-cert]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-chanmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-chanmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-chanmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-chanmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-checkable]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-checkable]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-checkable]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-checkable]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-checkable]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): the tor-circmgr chain stops at 0.32.0; unlike most neighbouring
# tor-* crates it lists no 0.32.0 -> 0.35.0 step. If 0.35.0 is the version in
# use, that step has to be covered somewhere else.
[[audits.tor-circmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-circmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-circmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config-path]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config-path]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config-path]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-config-path]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-consdiff]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-consdiff]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-consdiff]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-consdiff]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-consdiff]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirclient]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# These tables follow the cargo-vet audit-record layout. Each
# `[[audits.<crate>]]` table is one review: `who` performed it, `criteria` is
# what it certifies, and `delta = "A -> B"` limits it to the diff between two
# releases. `aggregated-from` is the upstream audits file the record was
# collected from.
# A delta vouches for B only when A is already covered, so the records for one
# crate have to be read as a chain.
# NOTE(review): every `who` value ends in a space before the closing quote;
# presumably an `<email>` suffix was lost when the page was extracted. Compare
# with the upstream file before relying on reviewer identity.
# NOTE(review): several chains in this span are shorter than their neighbours'.
# tor-dirmgr lists no 0.28.0 -> 0.30.0 and no 0.32.0 -> 0.35.0 step,
# tor-guardmgr covers only 0.30.0 to 0.32.0, tor-key-forge stops at 0.32.0,
# tor-keymgr has a single 0.31.0 -> 0.32.0 step, and tor-llcrypto starts at
# 0.30.0. Presumably other sources cover the missing steps; confirm with the
# vetting tool rather than assuming each chain is complete.

[[audits.tor-dirclient]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirclient]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirclient]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirclient]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-dirmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-error]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-error]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-error]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-error]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# This delta was certified with a stated limit: the reviewer did not read the
# macro changes closely. Treat that part of 0.32.0 -> 0.35.0 as only lightly
# reviewed.
[[audits.tor-error]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
notes = """ I didn't closely review the macro changes, but they look plausible and don't involve any powerful imports. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-general-addr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-general-addr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-general-addr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-general-addr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-guardmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-guardmgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# tor-hscrypto, tor-key-forge, tor-keymgr and tor-llcrypto (below) have names
# that suggest cryptographic or key-handling code. Their records certify
# `safe-to-deploy` like the rest; none claims the file's `crypto-reviewed`
# criterion, so nothing in this span asserts that their cryptography was
# checked.
[[audits.tor-hscrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-hscrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-hscrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-hscrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-key-forge]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-key-forge]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-key-forge]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-keymgr]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-linkspec]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-linkspec]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-linkspec]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-linkspec]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-llcrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-llcrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-llcrypto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-log-ratelim]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-log-ratelim]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-log-ratelim]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-log-ratelim]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-log-ratelim]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
# These tables follow the cargo-vet audit-record layout. Each
# `[[audits.<crate>]]` table is one review: `who` performed it, `criteria` is
# what it certifies, and `delta = "A -> B"` limits it to the diff between two
# releases. `aggregated-from` is the upstream audits file the record was
# collected from.
# A delta vouches for B only when A is already covered, so the records for one
# crate have to be read as a chain.
# NOTE(review): every `who` value ends in a space before the closing quote;
# presumably an `<email>` suffix was lost when the page was extracted. Compare
# with the upstream file before relying on reviewer identity.

[[audits.tor-memquota]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-memquota]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-memquota]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-memquota]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-netdir]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-netdir]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-netdir]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-netdir]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): the tor-netdoc chain stops at 0.32.0; unlike tor-memquota and
# tor-netdir above it lists no 0.32.0 -> 0.35.0 step. If 0.35.0 is the version
# in use, that step has to be covered somewhere else.
[[audits.tor-netdoc]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-netdoc]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-netdoc]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The only record in this span with a note: the delta added no `unsafe` code
# and three `#![forbid(unsafe_code)]` annotations.
[[audits.tor-persist]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
notes = "No new `unsafe` code, and three new `#![forbid(unsafe_code)]` annotations."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-persist]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-persist]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-persist]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-persist]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-protover]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-protover]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-protover]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
# These tables follow the cargo-vet audit-record layout. Each
# `[[audits.<crate>]]` table is one review: `who` performed it and `criteria`
# is what it certifies. `delta = "A -> B"` limits the review to the diff
# between two releases, while `version` covers a whole release.
# `aggregated-from` is the upstream audits file the record was collected from.
# A delta vouches for B only when A is already covered, so the records for one
# crate have to be read as a chain.
# `safe-to-run` is the weaker of the two built-in criteria and does not certify
# a crate for shipped code; in this span trycmd, utf8parse and walkdir carry
# only that level.
# NOTE(review): every `who` value ends in a space before the closing quote;
# presumably an `<email>` suffix was lost when the page was extracted. Compare
# with the upstream file before relying on reviewer identity.

[[audits.tor-protover]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-protover]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-relay-selection]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.23.0 -> 0.28.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-relay-selection]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-relay-selection]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-relay-selection]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-relay-selection]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): tor-rtcompat is covered only from 0.30.0 to 0.32.0 here.
[[audits.tor-rtcompat]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-rtcompat]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The first tor-rtmock delta is certified `safe-to-deploy` although the macros
# were not reviewed closely; the stated reason is that the crate is for
# testing. That reasoning holds only while the crate stays out of shipped
# code, so confirm it is pulled in as a test-only dependency.
[[audits.tor-rtmock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
notes = "I didn't review the macros closely because this crate is for testing."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-rtmock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-rtmock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-rtmock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
notes = """ New `unsafe` blocks are to wrap unsafe code in `unsafe fn`s as part of migrating to Rust 2024 edition. No changes to the actual `unsafe` logic. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-socksproto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-socksproto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-socksproto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-socksproto]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-units]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.28.0 -> 0.30.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-units]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.30.0 -> 0.31.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-units]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.31.0 -> 0.32.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tor-units]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.32.0 -> 0.35.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tower-layer]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.3.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.tower-service]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.3.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The note bounds the new auto-delete code to the configured log directory.
# Which directory that is depends on the application's configuration, so point
# it at a directory that holds nothing but logs.
[[audits.tracing-appender]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.3"
notes = """ - The rolling file appender has new code to automatically delete files; this is restricted to files within the configured log directory. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tracing-attributes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.23 -> 0.1.25"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tracing-attributes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.25 -> 0.1.26"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tracing-attributes]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.26 -> 0.1.27"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The one new `unsafe` block was accepted on an argument the reviewer spells
# out: the global default dispatcher is set once and never dropped.
[[audits.tracing-core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.30 -> 0.1.31"
notes = """ The only new `unsafe` block is to intentionally leak a scoped subscriber onto the heap when setting it as the global default dispatcher. I checked that the global default can only be set once and is never dropped. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tracing-core]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.31 -> 0.1.32"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tracing-subscriber]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.16 -> 0.3.17"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tracing-subscriber]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.17 -> 0.3.18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The 0.2.3 -> 0.2.4 delta is recorded as fixing unsoundness, which makes
# 0.2.3 the affected side of that diff. Prefer 0.2.4 or later where the
# version is yours to pick.
[[audits.try-lock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.3 -> 0.2.4"
notes = "Fixes unsoundness."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.try-lock]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.5"
notes = "Bumps MSRV to remove unsafe code block."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.trycmd]]
who = "Jack Grigg "
criteria = "safe-to-run"
delta = "0.15.9 -> 0.15.10"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# `0.5.0 -> 0.4.0` is a reverse delta: it reviews what going back to the older
# release removes. It vouches for 0.4.0 only if 0.5.0 is itself covered; no
# other type-map record is listed in this span.
[[audits.type-map]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.4.0"
notes = """ Yay reverse diffs! The removed code did not result in any changes to `unsafe` code or usages of powerful imports. """
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.typenum]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.16.0 -> 1.17.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.tz-rs]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.7.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.uint]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.9.4 -> 0.9.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# One full-release audit (1.0.2) followed by two deltas.
# NOTE(review): nothing listed here links 1.0.2 to 1.0.6, or 1.0.8 to 1.0.9, so
# the three records do not form one chain on their own.
[[audits.unicode-ident]]
who = "Daira Hopwood "
criteria = "safe-to-deploy"
version = "1.0.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.unicode-ident]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.6 -> 1.0.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.unicode-ident]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.0.9 -> 1.0.12"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The note covers the memory safety of `to_blocks`. The record certifies
# `safe-to-deploy` only and does not claim `crypto-reviewed`.
[[audits.universal-hash]]
who = "Daira Hopwood "
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "I checked correctness of to_blocks which uses unsafe code in a safe function."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.utf8parse]]
who = "Jack Grigg "
criteria = "safe-to-run"
delta = "0.2.1 -> 0.2.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.valuable]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
notes = "Build script changes are for linting."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Full-release audit that also certifies the file's `license-reviewed`
# criterion.
[[audits.visibility]]
who = "Kris Nuttycombe "
criteria = ["safe-to-deploy", "license-reviewed"]
version = "0.1.1"
notes = """ - Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`. - Crate has no powerful imports, and exclusively provides a proc macro that safely malleates a visibility modifier. """
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Seven full-release records for the wagyu-zcash-parameters crates, each
# certified `safe-to-deploy` and `crypto-reviewed` by the same reviewer. No
# `notes` are recorded, so the basis for the crypto review is not stated here.
# NOTE(review): the names suggest these crates ship parameter data. If so, the
# integrity of that data is worth checking independently of these records.
[[audits.wagyu-zcash-parameters]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wagyu-zcash-parameters-1]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wagyu-zcash-parameters-2]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wagyu-zcash-parameters-3]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wagyu-zcash-parameters-4]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wagyu-zcash-parameters-5]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wagyu-zcash-parameters-6]]
who = "Sean Bowe "
criteria = ["safe-to-deploy", "crypto-reviewed"]
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wait-timeout]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.1"
notes = """ - Changes to `unsafe` code blocks are just formatting. - Changes to `extern fn`s are to declare them explicitly as `extern "C" fn`s. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.walkdir]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-run"
delta = "2.4.0 -> 2.5.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# This delta picks up the try-lock fix: per the note, the APIs being replaced
# were unsafe without being marked `unsafe`, though used safely here.
[[audits.want]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = """ Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked `unsafe` (but that were being used safely). """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasi]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.11.0+wasi-snapshot-preview1 -> 0.11.1+wasi-snapshot-preview1"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.wasm-bindgen-backend]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.88 -> 0.2.89"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.wasm-bindgen-backend]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.89 -> 0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# NOTE(review): the last wasm-bindgen-macro record (0.2.100 -> 0.2.105) does
# not connect to the earlier ones, which end at 0.2.92. It vouches for 0.2.105
# only if 0.2.100 is covered somewhere else.
[[audits.wasm-bindgen-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.87 -> 0.2.89"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-macro]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.88 -> 0.2.89"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.wasm-bindgen-macro]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.89 -> 0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-macro]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.100 -> 0.2.105"
notes = """ Change to generated code is to replace a feature flag with a cfg flag for controlling debug output. """
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# A full-release audit of 0.2.92 plus one older delta.
[[audits.wasm-bindgen-macro-support]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
version = "0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-macro-support]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.87 -> 0.2.89"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-shared]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.83 -> 0.2.84"
notes = "Bumps the schema version to add `linked_modules`."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-shared]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.84 -> 0.2.87"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-shared]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.87 -> 0.2.89"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.wasm-bindgen-shared]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.2.89 -> 0.2.92"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.web-sys]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.65 -> 0.3.66"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.web-sys]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.3.66 -> 0.3.69"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
# The entries below are reflowed to one key per line; every value is unchanged.
# NOTE(review): each `who` value ends in a trailing space, which suggests an "<email>" suffix
# was lost in extraction -- confirm against the `aggregated-from` source.
#
# A `delta` audit covers only the diff between the two named versions; `version` marks a full
# audit of that release.

# webpki-roots ships the TLS trust-anchor list, so its data matters more than its code. The
# notes on both entries speak to code safety. The delta entry states outright that the root set
# was not compared with Mozilla's report, so neither entry vouches for the list's contents.
[[audits.webpki-roots]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
version = "0.26.8"
notes = """ This crate contains a single constant `TLS_SERVER_ROOTS` and no runtime logic. It uses `#![forbid(unsafe_code, unstable_features)]`, and does not have any powerful imports. """
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.webpki-roots]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.25.2 -> 0.25.4"
notes = "I have not checked consistency with the Mozilla IncludedCACertificateReportPEMCSV report."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.which]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "4.3.0 -> 4.4.0"
notes = "New APIs are remixes of existing code."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The next two deltas each introduce a dependency (`rustix`, then `winsafe`). These entries
# cover `which` itself; the added crates need their own audit or trust entries.
[[audits.which]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "4.4.0 -> 4.4.2"
notes = """ Crate now has `#![forbid(unsafe_code)]`, replacing its last `unsafe` block with a dependency on the `rustix` crate. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.which]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "4.4.2 -> 6.0.1"
notes = """ Mostly refactoring to newer APIs. New `winsafe` dependency is only used to check for extensionless Windows executables. """
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.which]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "6.0.1 -> 6.0.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.whoami]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.6.0 -> 1.6.1"
notes = """ Switched dependencies from `redox_syscall` to `libredox`, which didn't involve any changes to `unsafe` code.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# `safe-to-run` is weaker than `safe-to-deploy`. This winapi-util delta is not sufficient on
# its own for a dependency that ends up in a shipped binary.
[[audits.winapi-util]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-run"
delta = "0.1.6 -> 0.1.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.winapi-util]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.9 -> 0.1.11"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.windows-link]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.1.1 -> 0.1.3"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows-link]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows-targets]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_aarch64_gnullvm]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_aarch64_msvc]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_i686_gnu]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_i686_gnullvm]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_i686_msvc]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_x86_64_gnu]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_x86_64_gnullvm]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.windows_x86_64_msvc]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.53.0 -> 0.53.1"
notes = "No code changes at all."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.winnow]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.4.6 -> 0.4.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# The auditor records that the published 0.5.1 crate does not match the v0.5.1 tag in the
# source repository. That is a provenance gap: reviewing the repository alone would not cover
# what a build actually pulls from the registry.
[[audits.wyz]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.5.0 -> 0.5.1"
notes = "Only change to unsafe code is to extract a drop impl into a method. I note however that most of the changes in the published 0.5.1 are not present in the v0.5.1 tag on the GitHub repository."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.xdg]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "2.5.0 -> 2.5.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.yoke-derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.8.1"
notes = """ Changes to generated `unsafe` code are to silence the `clippy::mem_forget` lint; no actual code changes. """
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.zcash_address]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "0.3.2 -> 0.4.0"
notes = "This release contains no unsafe code and consists soley of added convenience methods."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash_encoding]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.1"
notes = "This release adds minor convenience methods and involves no unsafe code."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash_keys]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.3.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# NOTE(review): this is recorded as a full audit of 0.4.1 (`version`), yet the note describes
# an incremental change. Confirm whether a `delta` was intended, because a full-version entry
# vouches for the whole crate. The change touches decryption but the entry carries no
# `crypto-reviewed` criterion.
[[audits.zcash_note_encryption]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "Additive-only change that exposes the ability to decrypt by pk_d and esk. No functional changes."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash_primitives]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "0.15.1 -> 0.16.0"
notes = "The primary change here is the switch from the `hdwallet` dependency to using `bip32`."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash_primitives]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "0.24.0 -> 0.24.1"
notes = "No added unsafe code or dangerous methods."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zcash_proofs]]
who = "Kris Nuttycombe "
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.16.0"
notes = "This release involves only updates of previously-vetted dependencies."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zerocopy]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.7.31 -> 0.7.32"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zerocopy]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.7.32 -> 0.7.34"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zerocopy-derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.7.31 -> 0.7.32"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zerocopy-derive]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "0.7.32 -> 0.7.34"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Per the note, the undefined behaviour is in a unit test (`zeroize_c_string`), and the entry
# was still granted `safe-to-deploy`.
# No zeroize entry here bridges 1.7.0 and 1.8.1, so the 1.8.1 -> 1.8.2 delta further down
# relies on a base established elsewhere -- TODO confirm.
[[audits.zeroize]]
who = "Daira Hopwood "
criteria = "safe-to-deploy"
delta = "1.4.3 -> 1.5.7"
notes = "The zeroize_c_string unit test has UB, but that's very unlikely to cause a problem in practice."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zeroize]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "1.5.7 -> 1.6.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zeroize]]
who = "Daira-Emma Hopwood "
criteria = "safe-to-deploy"
delta = "1.6.0 -> 1.7.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[audits.zeroize]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.8.2"
notes = """ Changes to `unsafe` code are to alter how `core::mem::size_of` is named; no actual changes to the `unsafe` logic. """
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[audits.zeroize_derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.3.2 -> 1.3.3"
notes = "Removes `T: Drop` bound from `impl Drop for SomeType`. I agree it was unnecessary."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zeroize_derive]]
who = "Sean Bowe "
criteria = "safe-to-deploy"
delta = "1.3.3 -> 1.4.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zeroize_derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "1.4.1 -> 1.4.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[audits.zerovec-derive]]
who = "Jack Grigg "
criteria = "safe-to-deploy"
delta = "0.11.1 -> 0.11.2"
notes = "Only changes to generated code are clippy lints."
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# `trusted` entries vouch for a publisher rather than for reviewed code. Releases published by
# the crates.io account `user-id` between `start` and `end` are accepted at `criteria` without
# a per-version audit. Only numeric account ids are given here; confirm who holds each one.
# The same crate/user pair repeats with different `end` dates, and each copy carries a
# different `aggregated-from` source.
[[trusted.bridgetree]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2023-09-08"
end = "2026-06-05"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.bridgetree]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2022-07-22"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.equihash]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2020-06-26"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.equihash]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2020-06-26"
end = "2026-03-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.equihash]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2020-06-26"
end = "2026-07-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.equihash]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2025-02-21"
end = "2026-02-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.equihash]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2025-02-21"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# The f4jumble windows differ by criterion. `crypto-reviewed` trust ends 2026-01-02 at the
# latest, while plain `safe-to-deploy` trust runs to 2026-03-04. A release published between
# those dates is covered for `safe-to-deploy` only.
[[trusted.f4jumble]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-09-22"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.f4jumble]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 6289
start = "2021-09-22"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.f4jumble]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 6289
start = "2021-09-22"
end = "2026-01-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.ff]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-08-11"
end = "2026-07-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.halo2_gadgets]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2022-02-15"
end = "2025-12-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.halo2_gadgets]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 1244
start = "2022-05-10"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.halo2_gadgets]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 1244
start = "2022-05-10"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.halo2_gadgets]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 6289
start = "2022-02-15"
end = "2026-01-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.halo2_legacy_pdqsort]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 199950
start = "2023-02-24"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.halo2_legacy_pdqsort]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 199950
start = "2023-02-24"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.halo2_poseidon]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-12-13"
end = "2025-12-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
# The entries below are reflowed to one key per line; every value is unchanged.
# `trusted` entries accept releases by publisher instead of by review. Anything the crates.io
# account `user-id` published between `start` and `end` is taken at `criteria`. Duplicates of a
# crate/user pair differ in `end` and in `aggregated-from`. Only numeric account ids are given.
[[trusted.halo2_poseidon]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 6289
start = "2024-12-13"
end = "2026-01-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Among the halo2_proofs entries, `crypto-reviewed` is granted only to user-id 1244 and ends
# 2025-04-22 at the latest. The longer windows (to 2026-12-05) carry `safe-to-deploy` only.
[[trusted.halo2_proofs]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2022-01-20"
end = "2026-07-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.halo2_proofs]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2022-01-20"
end = "2026-12-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.halo2_proofs]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2022-01-20"
end = "2026-12-05"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.halo2_proofs]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 1244
start = "2022-05-10"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.halo2_proofs]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 1244
start = "2022-05-10"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2021-06-24"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2021-06-24"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-12-17"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
# The entries below are reflowed to one key per line; every value is unchanged.
# `trusted` entries accept releases by publisher instead of by review. Anything the crates.io
# account `user-id` published between `start` and `end` is taken at `criteria`. Duplicates of a
# crate/user pair differ in `end` and in `aggregated-from`. Only numeric account ids are given;
# confirm who holds each one.
[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-12-17"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2023-02-28"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2023-02-28"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.incrementalmerkletree]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2023-02-28"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.incrementalmerkletree-testing]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-09-25"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.incrementalmerkletree-testing]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-09-25"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.incrementalmerkletree-testing]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-09-25"
end = "2026-04-09"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.memuse]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-09-03"
end = "2025-12-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The orchard windows differ by criterion. Every entry that includes `crypto-reviewed` and
# `license-reviewed` ends by 2025-08-12; the longer windows (to 2026-12-05) carry
# `safe-to-deploy` only.
[[trusted.orchard]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-01-07"
end = "2026-12-05"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-12"
end = "2025-08-12"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-12"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-12"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 1244
start = "2022-10-19"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 1244
start = "2022-10-19"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2021-01-07"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2021-01-07"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.orchard]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 169181
start = "2024-08-12"
end = "2025-08-12"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.pczt]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-10-08"
end = "2026-03-13"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.pczt]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-12-17"
end = "2025-12-17"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.redjubjub]]
criteria = "safe-to-deploy"
user-id = 199950
start = "2023-03-30"
end = "2026-02-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.redjubjub]]
criteria = "safe-to-deploy"
user-id = 199950
start = "2023-03-30"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

# The sapling-crypto windows differ by criterion. `crypto-reviewed` trust ends 2025-10-02 at
# the latest and `license-reviewed` trust ends 2025-08-12, while `safe-to-deploy` alone runs to
# 2026-12-05.
[[trusted.sapling-crypto]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-01-26"
end = "2026-12-05"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.sapling-crypto]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-12"
end = "2025-08-12"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.sapling-crypto]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-12"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.sapling-crypto]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 6289
start = "2024-01-26"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.sapling-crypto]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 169181
start = "2024-08-12"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.sapling-crypto]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2024-01-26"
end = "2025-03-18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.sapling-crypto]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 169181
start = "2024-08-12"
end = "2025-08-12"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.schemerz]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-10-15"
end = "2025-10-15"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.schemerz-rusqlite]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-10-15"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.schemerz-rusqlite]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-10-15"
end = "2026-11-05"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.shardtree]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2022-12-15"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.shardtree]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2022-12-15"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.sinsemilla]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-12-13"
end = "2025-12-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.sinsemilla]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 6289
start = "2024-12-13"
end = "2026-01-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# Every `windows*` crate below is trusted for one publisher id (64539). That single crates.io
# account is the trust root for the whole family, so a compromise of it would be accepted for
# any release published inside these windows.
[[trusted.windows]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-01-15"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-collections]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2025-02-06"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-core]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-15"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-core]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-15"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-future]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2025-02-10"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-implement]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-01-27"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-implement]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-01-27"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-interface]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-02-18"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-interface]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-02-18"
end = "2026-10-29"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-link]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-07-17"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-numerics]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2023-05-15"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-registry]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-02-15"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-result]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-02-02"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-result]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-02-02"
end = "2026-10-29"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-strings]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-02-02"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-strings]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-02-02"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-sys]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-15"
end = "2024-06-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows-sys]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-15"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-sys]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-15"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-targets]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-09"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows-targets]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-09"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows-targets]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-09"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows-threading]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2025-04-29"
end = "2026-10-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_aarch64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-01"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_aarch64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-01"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_aarch64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-01"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_aarch64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-05"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_aarch64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-05"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_aarch64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-11-05"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_i686_gnu]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-28"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_i686_gnu]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-28"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_i686_gnu]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-28"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_i686_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-04-02"
end = "2025-05-15"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_i686_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-04-02"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_i686_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2024-04-02"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_i686_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-27"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_i686_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-27"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_i686_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-27"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_x86_64_gnu]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-28"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_x86_64_gnu]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-28"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_x86_64_gnu]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-28"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_x86_64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-01"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_x86_64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-01"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_x86_64_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2022-09-01"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.windows_x86_64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-27"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.windows_x86_64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-27"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.windows_x86_64_msvc]]
criteria = "safe-to-deploy"
user-id = 64539
start = "2021-10-27"
end = "2026-03-31"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-07-15"
end = "2025-07-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2022-10-19"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2022-10-19"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-07"
end = "2025-03-18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-07"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-10-03"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_address]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-10-24"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_client_backend]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2026-09-25"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
# cargo-vet `trusted` entries: each accepts releases of the named crate that
# were published by crates.io account `user-id` between `start` and `end` as
# meeting `criteria`, without a per-version audit record. The assurance rests
# on the publisher account, and `end` bounds how long that delegation lasts.
# Repeated crate/user pairs come from different source repositories
# (`aggregated-from`) and differ in `end`. The `aggregated-from` URLs name a
# branch, not a commit, so they identify the source file but not its revision.
[[trusted.zcash_client_backend]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_client_backend]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-03-25"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_client_backend]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-03-25"
end = "2026-06-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_client_sqlite]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2020-06-25"
end = "2025-10-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_client_sqlite]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-03-25"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_client_sqlite]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-03-25"
end = "2026-06-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2022-10-19"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2022-10-19"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-08-31"
end = "2025-12-13"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-08-31"
end = "2026-01-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-19"
end = "2026-02-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-19"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_encoding]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-19"
end = "2026-06-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_extensions]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2020-04-24"
end = "2025-04-23"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_history]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2020-03-04"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_history]]
criteria = "safe-to-deploy"
user-id = 1244
start = "2020-03-04"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_history]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-03-01"
end = "2025-03-18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_history]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-03-01"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_history]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-03-01"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_keys]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-03-01"
end = "2026-09-25"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_keys]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-03-01"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_keys]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-15"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_keys]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-15"
end = "2026-05-12"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# Both entries grant the project-defined `crypto-reviewed` criterion by
# publisher identity rather than by a recorded review of a release. Neither
# extends past 2025-04-22, so later releases are not covered by them.
[[trusted.zcash_note_encryption]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 169181
start = "2023-03-22"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_note_encryption]]
criteria = ["safe-to-deploy", "crypto-reviewed"]
user-id = 169181
start = "2023-03-22"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2026-09-25"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-10-03"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-10-24"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# The zcash_primitives entries that add `crypto-reviewed` and
# `license-reviewed` end by 2025-04-22; the longer windows above grant
# `safe-to-deploy` only. Releases published after 2025-04-22 are therefore not
# covered for the two extra criteria by any entry listed here.
[[trusted.zcash_primitives]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 1244
start = "2019-10-08"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 1244
start = "2019-10-08"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2021-03-26"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_primitives]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2021-03-26"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2025-10-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2026-09-25"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2021-03-26"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-10-03"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-08-20"
end = "2026-10-24"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

# As with zcash_primitives: the zcash_proofs entries carrying
# `crypto-reviewed` and `license-reviewed` end by 2025-04-22, while the later
# windows above are `safe-to-deploy` only.
[[trusted.zcash_proofs]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2021-03-26"
end = "2024-09-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_proofs]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2021-03-26"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_protocol]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-12-13"
end = "2025-12-13"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_protocol]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-12-13"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_protocol]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-27"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_protocol]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-27"
end = "2026-06-02"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_protocol]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-27"
end = "2026-06-05"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# zcash_script is trusted from two publisher ids (6289 and 159631) with
# different start dates.
[[trusted.zcash_script]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2025-09-25"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_script]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2025-09-25"
end = "2026-10-03"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_script]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2025-09-25"
end = "2026-10-24"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_script]]
criteria = "safe-to-deploy"
user-id = 159631
start = "2022-08-31"
end = "2026-04-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_script]]
criteria = "safe-to-deploy"
user-id = 159631
start = "2022-08-31"
end = "2026-09-19"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_spec]]
criteria = "safe-to-deploy"
user-id = 199950
start = "2025-02-20"
end = "2026-02-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_spec]]
criteria = "safe-to-deploy"
user-id = 199950
start = "2025-02-20"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_spec]]
criteria = "safe-to-deploy"
user-id = 199950
start = "2025-02-20"
end = "2026-06-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

# For zcash_spec the three-criteria entries belong to publisher 6289 and end
# by 2025-04-22; publisher 199950 above is trusted for `safe-to-deploy` only.
[[trusted.zcash_spec]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2023-12-07"
end = "2025-03-18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_spec]]
criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
user-id = 6289
start = "2023-12-07"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_transparent]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-12-14"
end = "2025-12-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zcash_transparent]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2024-12-14"
end = "2026-09-26"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_transparent]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-12-17"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zcash_transparent]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-12-17"
end = "2026-05-08"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zcash_transparent]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-12-17"
end = "2026-12-18"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zip32]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2023-12-06"
end = "2025-03-18"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zip32]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2023-12-06"
end = "2025-04-22"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zip32]]
criteria = "safe-to-deploy"
user-id = 6289
start = "2023-12-06"
end = "2026-09-17"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zip32]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2025-02-20"
end = "2026-02-21"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"

[[trusted.zip32]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2025-02-20"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zip32]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2025-02-20"
end = "2026-06-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

[[trusted.zip321]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-15"
end = "2026-03-04"
aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml"

[[trusted.zip321]]
criteria = "safe-to-deploy"
user-id = 169181
start = "2024-01-15"
end = "2026-07-16"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"