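# cargo-vet audits file
#
# Each [[audits.<crate>]] table is one reviewer attestation. `version` records
# a full audit of that release; `delta = "A -> B"` records a review of only the
# changes between A and B, so it counts only when A is itself covered by another
# audit, an import or an exemption. `safe-to-run` is the weaker criterion and is
# implied by `safe-to-deploy`, never the reverse.

# android_logger: full audit of 0.11.0 plus a delta to 0.11.1; the delta notes
# record the switch to MaybeUninit.
[[audits.android_logger]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.11.0"
notes = "Small crate, wrapping Android log functionality, reviewed by janerik"

[[audits.android_logger]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.11.1"
notes = "Small crate, wrapping Android log functionality, now switched to properly using MaybeUninit"

# android_system_properties: the 0.1.2 attestation is by the crate's author,
# with review credited to jimb in the notes; the delta to 0.1.4 has no notes.
[[audits.android_system_properties]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."

[[audits.android_system_properties]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.1.4"
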
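# anyhow: all three entries are delta audits. No full `version` audit of anyhow
# appears among them, so the base of the chain presumably comes from an
# exemption or an imported audit (confirm in the cargo-vet config).
# NOTE(review): "1.0.58 -> 1.0.57" runs from the newer release to the older one;
# it extends trust in 1.0.58 back to 1.0.57 rather than forward.
[[audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.61"

[[audits.anyhow]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.57"
notes = "No functional differences, just CI config and docs."

[[audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.62"
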
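# app_units: full audit; the notes state the crate has no unsafe code.
[[audits.app_units]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
I'm pretty familiar with this crate. It provides a fixed-point numeric type.
The code is pretty straight-forward, there's no unsafe code at all.
"""

# arbitrary: both deltas are certified only to safe-to-run, so they do not
# qualify these versions for safe-to-deploy.
[[audits.arbitrary]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.1.0 -> 1.1.1"

[[audits.arbitrary]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.1.1 -> 1.1.3"
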
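# ashmem: the crate is an unsafe wrapper over a native OS API; the reviewer's
# reasoning for accepting that unsafe code is recorded in the notes.
[[audits.ashmem]]
who = "Matthew Gregan <kinetik@flim.org>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = """
Small unsafe wrapper around Android 8.0's ASharedMemory native API that falls
back to older private ioctl-based API at runtime on earlier OS releases. The
shim code is small and doesn't inspect the API arguments, so is unlikely to
expose any safety issues beyond those presented by the native OS API.
"""

# askama: the notes record no unsafe code and no ambient capability usage.
[[audits.askama]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.11.1"
notes = """
Just contains some traits and re-exports for use by a broader package of related
crates. No unsafe code or ambient capability usage.
"""
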
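# async-trait: delta audit with no reviewer notes.
[[audits.async-trait]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.56 -> 0.1.57"

# NOTE(review): per their notes, the next three full audits are attestations
# by the crates' own maintainers or authors rather than independent reviews.
[[audits.atomic_refcell]]
who = "Bobby Holley <bholley@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.8"
notes = "I maintain this crate and have reviewed every line."

[[audits.autocfg]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."

[[audits.bindgen]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.59.2"
notes = "I'm the primary author and maintainer of the crate."
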
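# bit-set / bit-vec: full audits by the crates' owner, who describes both as
# being in maintenance mode; bit-set also has a delta to 0.5.3 without notes.
[[audits.bit-set]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."

[[audits.bit-set]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.5.3"

[[audits.bit-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."

# NOTE(review): full audit with no notes, so the basis for the certification
# is not recorded here.
[[audits.build-parallel]]
who = "Jeff Muizelaar <jmuizelaar@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
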
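# bumpalo: this delta is certified only to safe-to-run. Per the notes, a
# safe-to-deploy use of this version would need a fresh certification.
[[audits.bumpalo]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-run"
delta = "3.9.1 -> 3.10.0"
notes = """
Some nontrivial functional changes but certainly meets the no-malware bar of
safe-to-run. If we needed safe-to-deploy for this in m-c I'd ask Nick to re-
certify this version, but we don't, so this is fine for now.
"""
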
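# bytes, camino: delta audits with no reviewer notes.
[[audits.bytes]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.2.1"

[[audits.camino]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.9 -> 1.1.1"
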
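# chardetng: attested by its author, who describes it as safe-code-only.
[[audits.chardetng]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.1.9"
notes = "I, Henri Sivonen, wrote this (safe-code-only) crate for Gecko even though the crate is published via crates.io."

# chardetng_c: per the notes, the C API expects the buffer start pointer to
# meet Rust slice constraints, which mozilla::Span takes care of in Gecko.
# NOTE(review): callers outside Gecko would presumably have to uphold that
# constraint themselves.
[[audits.chardetng_c]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I, Henri Sivonen, wrote this crate for Gecko even though it is published via crates.io. The buffer input assumes Rust slice constraints for the start pointer. In Gecko, this is taken care of by mozilla::Span, but the C API doesn't conform to idiomatic C constraints on this point."
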
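# clap_lex, cpufeatures: delta audits with no reviewer notes. The two clap_lex
# deltas chain 0.2.0 -> 0.2.2 -> 0.2.4.
[[audits.clap_lex]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.2"

[[audits.clap_lex]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"

[[audits.cpufeatures]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"
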
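# crossbeam-* and crypto-common: delta audits with no reviewer notes.
[[audits.crossbeam-channel]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.5.6"

[[audits.crossbeam-deque]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.8.1 -> 0.8.2"

[[audits.crossbeam-epoch]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.9.8 -> 0.9.10"

[[audits.crossbeam-utils]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.8.8 -> 0.8.11"

[[audits.crypto-common]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"
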
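# cssparser: the notes acknowledge unsafe code (utf-8 casts for serialization
# and parsing) and judge it reasonable.
[[audits.cssparser]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.29.6"
notes = """
I've reviewed or authored most of the recent changes to this library, and it
was developed by other mozilla folks. Unsafe code there is reasonable (utf-8
casts for serialization and parsing).
"""

[[audits.cssparser-macros]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.6.0"
notes = """
Trivial crate with a single proc macro to compute the max length of the inputs
to a match expression.
"""

# cstr: the macro emits an unsafe block; the notes rest its safety on the
# macro inputs being static.
[[audits.cstr]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.2.10"
notes = """
I've reviewed the code of the crate thoroughly. It generates an unsafe block
which is statically guaranteed to be safe. Inputs to the macro have to be
static so there's no uncontrolled input whatsoever.
"""
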
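# derive_arbitrary: both deltas are certified only to safe-to-run.
[[audits.derive_arbitrary]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.1.0 -> 1.1.1"

[[audits.derive_arbitrary]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.1.1 -> 1.1.3"

[[audits.devd-rs]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.4 -> 0.3.5"

# NOTE(review): the dogear notes record where the repository lives, not what
# was examined in the 0.4.0 -> 0.5.0 changes.
[[audits.dogear]]
who = "Sammy Khamis <skhamis@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.5.0"
notes = "The repository for this crate belongs in the Mozilla org."

# either: two deltas chaining 1.6.1 -> 1.7.0 -> 1.8.0, no notes.
[[audits.either]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"

[[audits.either]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"
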
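# encoding_c / encoding_c_mem / encoding_rs: author attestations that carry
# explicit caveats. All three notes describe behaviour that is documented as UB
# in Rust but argued not to be UB for integer buffers, and the encoding_rs
# notes recommend re-reviewing the code that reinterprets integer buffers as
# SIMD vectors. Read the caveats before relying on these certifications.
[[audits.encoding_c]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.9.8"
notes = "I, Henri Sivonen, wrote encoding_c for Gecko even though it is published via crates.io. There are two caveats: 1) the C API is designed to be used together with mozilla::Span and is unidiomatic for zero-length inputs otherwise. 2) It is idiomatic in C and C++ to pass uninitialized buffers as output buffers. This is generally documented to be UB in Rust, but idiomatic C and C++ usage here relies on this not actually being UB for buffers of integers (which these buffers are). See https://github.com/hsivonen/encoding_rs/issues/79#issuecomment-1211870361"

# NOTE(review): the string below is hard-wrapped mid-word ("C and C" / "++",
# and inside the link). The link is the same one given intact in the
# encoding_c notes above.
[[audits.encoding_c_mem]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.2.6"
notes = """
I, Henri Sivonen, wrote encoding_c_mem for Gecko even though it is published via crates.io. There are two caveats: 1) the C API is designed to be used together with mozilla::Span and is unidiomatic for zero-length inputs otherwise. 2) It is idiomatic in C and C
++ to pass uninitialized buffers as output buffers. This is generally documented to be UB in Rust, but idiomatic C and C++ usage here relies on this not actually being UB for buffers of integers (which these buffers are). See https://github.com/hsivonen/encoding_rs/i
ssues/79#issuecomment-1211870361
"""

[[audits.encoding_rs]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.8.31"
notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ."
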
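# extend: the reviewer's argument is that the proc macro only re-emits the
# impl block it is given; the conclusion is conditional on that holding.
[[audits.extend]]
who = "Ben Dean-Kawamura <bdk@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.1.2"
notes = "Inspected the crate and noted that the impl block comes directly from the proc-macro input. If no new code can be added by this crate, I don't think there can be any issues."

[[audits.fallible_collections]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.4.4 -> 0.4.5"

[[audits.fastrand]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"

# flagset: the notes say the single unsafe use was vetted.
[[audits.flagset]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "Uses no ambient capabilities, vetted the one instance of unsafe."
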
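# fluent family: full audits by one reviewer.
# NOTE(review): none of these entries carries notes, so the basis for each
# certification is not recorded here. fluent-testing is certified only to
# safe-to-run.
[[audits.fluent]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.16.0"

[[audits.fluent-bundle]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.15.2"

[[audits.fluent-fallback]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.6.0"

[[audits.fluent-langneg]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.13.0"

[[audits.fluent-pseudo]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.3.1"

[[audits.fluent-syntax]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.11.0"

[[audits.fluent-testing]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-run"
version = "0.0.2"
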
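# fnv: full audit; the notes record no unsafe code.
[[audits.fnv]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."

# fs-err: delta audit with no reviewer notes.
[[audits.fs-err]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "2.7.0 -> 2.8.1"
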
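# futures family: nine crates, each with the same 0.3.21 -> 0.3.23 delta from
# the same reviewer and no notes.
[[audits.futures]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-channel]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-core]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-executor]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-io]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-macro]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-sink]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-task]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"

[[audits.futures-util]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.23"
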
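# fxhash: full audit; the notes record no unsafe code.
[[audits.fxhash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.1"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."

# generic-array, getrandom: delta audits with no reviewer notes.
[[audits.generic-array]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.14.5 -> 0.14.6"

[[audits.getrandom]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.7"
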
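# glean / glean-core: each crate has full audits of 50.1.0, 50.1.2 and 51.1.0
# plus deltas 50.1.2 -> 50.1.3 -> 51.0.1.
# NOTE(review): most notes state who maintains the crate rather than what was
# reviewed, so these read as maintainer attestations.
[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.2"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "51.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.2 -> 50.1.3"
notes = "Unchanged from last version"

[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.3 -> 51.0.1"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean-core]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.2"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "51.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.2 -> 50.1.3"
notes = "Bug fix release with minimal changes, changes done by myself"

[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.3 -> 51.0.1"
notes = "Maintained by the Glean team at Mozilla"
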
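# gpu-descriptor: delta audit with no reviewer notes.
[[audits.gpu-descriptor]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.3"

# guid_win: certified safe-to-deploy although the notes acknowledge that the
# crate uses the deprecated mem::uninitialized() and call that technically UB.
# NOTE(review): a known-UB acceptance like this is worth revisiting whenever
# the crate or the toolchain is upgraded.
[[audits.guid_win]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
notes = """
This crate has some unsafe code for the FFI bits, which I've reviewed carefully.
It uses the deprecated mem::uninitialized(), which is generally sketchy. However
the usage is pretty straightforward and while it's technically UB, it seems no
more likely to lead to miscompilation than any other use of mem::uninitialized.
"""
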
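# h2 and hyper (below) are certified only to safe-to-run.
[[audits.h2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.3.13 -> 0.3.14"

# hashbrown: the stated rationale is existing trust through Rust's libstd,
# not a description of what was reviewed.
[[audits.hashbrown]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"

[[audits.hyper]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.14.19 -> 0.14.20"

# indexmap, inherent, inplace_it: delta audits with no reviewer notes.
[[audits.indexmap]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.8.2 -> 1.9.1"

[[audits.inherent]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.1 -> 1.0.2"

[[audits.inplace_it]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.3 -> 0.3.4"
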
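# NOTE(review): the two intl crates have full audits with no notes, so the
# basis for the certification is not recorded here.
[[audits.intl-memoizer]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.5.1"

[[audits.intl_pluralrules]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "7.0.1"

# itoa, libc: delta audits with no reviewer notes.
[[audits.itoa]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.2 -> 1.0.3"

[[audits.libc]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.126 -> 0.2.132"
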
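# linked-hash-map: 0.5.4 is certified safe-to-deploy, but the delta to 0.5.6
# is only safe-to-run, so these two entries together cover 0.5.6 for
# safe-to-run at most.
[[audits.linked-hash-map]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.4"
notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."

[[audits.linked-hash-map]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.5.4 -> 0.5.6"
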
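# NOTE(review): log has a full audit with no notes.
[[audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"

# malloc_size_of_derive: the notes say no full logic review was performed; the
# certification rests on the generated code being safe.
[[audits.malloc_size_of_derive]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = """
This was originally servo code which I put on crates.io some years ago but didn't
examine at the time, so I examined it now. I didn't perform a full logic review
but convinced myself that any generated code will be entirely safe to deploy.
"""

[[audits.matches]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.9"
notes = "This is a trivial crate."

# memmap2: delta audit with no reviewer notes.
[[audits.memmap2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.4 -> 0.5.7"
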
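# naga: per the notes, this statement was collected over email by a Mozilla
# employee on behalf of the named reviewer, who had left Mozilla by then.
[[audits.naga]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""

[[audits.new_debug_unreachable]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.4"
notes = "This is a trivial crate."
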
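# num family: full audits, all from one reviewer with identical notes.
# num-bigint is covered at two separate versions (0.2.6 and 0.4.3).
[[audits.num]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-bigint]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.2.6"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-bigint]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-complex]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.4.2"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-derive]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.3.3"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-integer]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-iter]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.43"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-macros]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.40"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-rational]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "All code written or reviewed by Josh Stone."

[[audits.num-traits]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
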
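# once_cell: delta audit with no reviewer notes.
[[audits.once_cell]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.12.0 -> 1.13.1"

# origin-trial-token: author attestation. Per the notes, the only unsafe code
# is a validated view over a byte array, and cryptographic operations are left
# to the caller, so this audit does not cover them.
[[audits.origin-trial-token]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = """
I'm the author of the crate. The only unsafe code is a view over a byte array
which is properly validated.

Cryptography shenanigans are delegated to the caller so there's no possible
unsoundness there.
"""
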
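# os_str_bytes, packed_simd_2, paste: delta audits with no reviewer notes.
[[audits.os_str_bytes]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "6.1.0 -> 6.3.0"

[[audits.packed_simd_2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.7 -> 0.3.8"

[[audits.paste]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.7 -> 1.0.8"

# pin-project and pin-project-internal are certified only to safe-to-run.
[[audits.pin-project]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.0.10 -> 1.0.12"

[[audits.pin-project-internal]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.0.10 -> 1.0.12"
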
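# pkcs11-bindings: per the notes, the crate holds bindgen-generated type and
# constant declarations and no runnable code apart from generated tests.
[[audits.pkcs11-bindings]]
who = "Dana Keeler <dkeeler@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """
This crate consists of declarations of types and constants that are
auto-generated by running bindgen on the PKCS#11 specification headers. Other
than the tests generated by bindgen, it consists of no runnable code.
"""

[[audits.precomputed-hash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "This is a trivial crate."
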
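# proc-macro2: full audit of 1.0.39 with detailed notes, then a delta to
# 1.0.43 without notes. The notes flag two things to keep in mind: on rustc
# 1.56 and earlier the crate temporarily replaces the panic handler during
# initialization, and it exposes one `unsafe` API (`from_str_unchecked`).
[[audits.proc-macro2]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.39"
notes = """
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
`proc_macro` crate, or as a fallback implementation of the crate, depending on
where it is used.

If using this crate on older versions of rustc (1.56 and earlier), it will
temporarily replace the panic handler while initializing in order to detect if
it is running within a `proc_macro`, which could lead to surprising behaviour.
This should not be an issue for more recent compiler versions, which support
`proc_macro::is_available()`.

The `proc-macro2` crate's fallback behaviour is not identical to the complex
behaviour of the rustc compiler (e.g. it does not perform unicode normalization
for identifiers), however it behaves well enough for its intended use-case
(tests and scripts processing rust code).

`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
allow bypassing checks in the fallback implementation when constructing
`Literal` using `from_str_unchecked`. This was intended to only be used by the
`quote!` macro, however it has been removed
(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
and is likely completely unused. Even when used, this API shouldn't be able to
cause unsoundness.
"""

[[audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.39 -> 1.0.43"
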
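# NOTE(review): qcms has a full audit with no notes.
[[audits.qcms]]
who = "Jeff Muizelaar <jmuizelaar@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.2.0"

# quote: full audit of 1.0.18; the notes list what was audited (the quote
# macros, ident formatter and runtime logic). The delta to 1.0.21 has no notes.
[[audits.quote]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.18"
notes = """
`quote` is a utility crate used by proc-macros to generate TokenStreams
conveniently from source code. The bulk of the logic is some complex
interlocking `macro_rules!` macros which are used to parse and build the
`TokenStream` within the proc-macro.

This crate contains no unsafe code, and the internal logic, while difficult to
read, is generally straightforward. I have audited the the quote macros, ident
formatter, and runtime logic.
"""

[[audits.quote]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.21"
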
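# radium: audited by a former primary maintainer; the notes state there is no
# `unsafe` logic and that `Sync` bounds are not abstracted away.
[[audits.radium]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "0.5.3"
notes = """
I am no longer the primary maintainer of `radium`, however I have audited the
code to ensure it is still correct. The implementation contains no `unsafe`
logic, and will not abstract away `Sync` trait bounds.

The core logic is very simple, and acts as an abstraction trait for `Cell<T>`
and `AtomicT`.
"""

# rayon, rayon-core: full audits from one reviewer with identical notes.
[[audits.rayon]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.5.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."

[[audits.rayon-core]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.9.3"
notes = "All code written or reviewed by Josh Stone or Niko Matsakis."
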
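# Delta audits with no reviewer notes. The two rust_decimal deltas chain
# 1.24.0 -> 1.25.0 -> 1.26.1.
[[audits.redox_syscall]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.16"

[[audits.regex]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.5.6 -> 1.6.0"

[[audits.regex-syntax]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.6.26 -> 0.6.27"

[[audits.ron]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.7.1"

[[audits.rust_decimal]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.24.0 -> 1.25.0"

[[audits.rust_decimal]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.25.0 -> 1.26.1"
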
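# rustc-hash: full audit; the notes record no unsafe code.
[[audits.rustc-hash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Straightforward crate with no unsafe code, does what it says on the tin."

# rustc_version: certified only to safe-to-run. Per the notes it executes
# `$RUSTC -vV` and parses the output for build scripts.
[[audits.rustc_version]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-run"
version = "0.4.0"
notes = """
Straightforward crate which runs `$RUSTC -vV` and parses the output into a
machine-interpretable form for build scripts.
"""

# rustversion: the notes describe a limited look at the build-time and
# proc-macro logic rather than a line-by-line review.
[[audits.rustversion]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.9"
notes = """
This crate has a build-time component and procedural macro logic, which I looked
at enough to convince myself it wasn't going to do anything dramatically wrong.
I don't think logic bugs in the version parsing etc can realistically introduce
a security vulnerability.
"""
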
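# ryu: delta audit with no reviewer notes.
[[audits.ryu]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.10 -> 1.0.11"

# selectors: the rationale is that the code is effectively developed in-tree.
[[audits.selectors]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.22.0"
notes = """
This crate is basically developed in-tree. Mozilla employees have either
reviewed or written virtually all of the code.
"""

# semver: two deltas chaining 1.0.9 -> 1.0.10 -> 1.0.13, no notes.
[[audits.semver]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.9 -> 1.0.10"

[[audits.semver]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.10 -> 1.0.13"
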
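# serde family: delta audits from one reviewer, none with notes.
# serde_repr and serde_yaml are certified only to safe-to-run; the others are
# safe-to-deploy.
[[audits.serde]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.137 -> 1.0.143"

[[audits.serde]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.143 -> 1.0.144"

[[audits.serde_bytes]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.11.6 -> 0.11.7"

[[audits.serde_derive]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.137 -> 1.0.143"

[[audits.serde_derive]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.143 -> 1.0.144"

[[audits.serde_json]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.81 -> 1.0.83"

[[audits.serde_json]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.83 -> 1.0.85"

[[audits.serde_repr]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.1.8 -> 0.1.9"

[[audits.serde_yaml]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "0.8.24 -> 0.8.26"
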
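# servo_arc: the rationale is that the code is effectively developed in-tree.
[[audits.servo_arc]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "Developed in-tree, effectively."

# slab, smallvec: delta audits with no reviewer notes.
[[audits.slab]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.4.6 -> 0.4.7"

[[audits.smallvec]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.9.0"

# svg_fmt: the notes record no unsafe code and no ambient capability usage.
[[audits.svg_fmt]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = "Simple string processing with no unsafe code or ambient capability usage."
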
[[audits.syn]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.96 -> 1.0.99"
|
|
|
|
# Self-attested: the auditor is the crate's primary author and maintainer.
# The notes acknowledge one `unsafe` use and say it will be removed in the
# next version; a later delta audit is the place to confirm it is gone.
[[audits.synstructure]]
|
|
who = "Nika Layzell <nika@thelayzells.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.6"
|
|
notes = """
|
|
I am the primary author of the `synstructure` crate, and its current
|
|
maintainer. The one use of `unsafe` is unnecessary, but documented and
|
|
harmless. It will be removed in the next version.
|
|
"""
|
|
|
|
# Self-attested by the crate owner. Per the notes, this release had no
# explicit second reviewer, and Firefox builds it in the gecko-ffi
# configuration, which the notes describe as less thoroughly tested.
# The audit covers the Rust crate only: correct use from the C++ side of the
# FFI boundary is called out in the notes as the remaining risk and is not
# something this entry certifies.
[[audits.thin-vec]]
|
|
who = "Aria Beingessner <a.beingessner@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.5"
|
|
notes = "I own this crate, and most of its versions were codeveloped and reviewed by Nika Layzell. This version was not explicitly reviewed by her, but it was specifically a release that made the code pass miri and was reviewed by me. Firefox uses it in the gecko-ffi configuration which is less thoroughly tested and more dangerous but we're reasonably confident in it. The real danger is from C++ code failing to use it correctly in FFI but that's just how FFI is."
|
|
|
|
[[audits.thin-vec]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.2.5 -> 0.2.7"
|
|
|
|
[[audits.thiserror]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.31 -> 1.0.32"
|
|
|
|
[[audits.thiserror-impl]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.31 -> 1.0.32"
|
|
|
|
[[audits.threadbound]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.3 -> 0.1.4"
|
|
|
|
# Both tinystr entries are full-version audits with no `notes`, so this file
# does not record what the review covered (unsafe usage, build scripts,
# ambient capabilities).
# NOTE(review): a one-line note, as on the neighbouring full-version audits,
# would make these entries checkable later.
[[audits.tinystr]]
|
|
who = "Zibi Braniecki <zibi@unicode.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.3.4"
|
|
|
|
[[audits.tinystr]]
|
|
who = "Zibi Braniecki <zibi@unicode.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.6.0"
|
|
|
|
[[audits.topological-sort]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.0"
|
|
notes = "Simple algorithm crate with no unsafe code or capability usage."
|
|
|
|
[[audits.tower-service]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.3.1 -> 0.3.2"
|
|
|
|
[[audits.tracing]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.1.35 -> 0.1.36"
|
|
|
|
[[audits.tracing-attributes]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.1.21 -> 0.1.22"
|
|
|
|
[[audits.tracing-core]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.1.27 -> 0.1.29"
|
|
|
|
[[audits.tracy-rs]]
|
|
who = "Glenn Watson <git@intuitionlibrary.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
|
|
[[audits.uluru]]
|
|
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
|
|
criteria = "safe-to-deploy"
|
|
version = "3.0.0"
|
|
notes = """
|
|
I've reviewed multiple patches in this crate, including the initial
|
|
implementation back in the day. It has no unsafe code at all nowadays.
|
|
"""
|
|
|
|
[[audits.unic-langid]]
|
|
who = "Zibi Braniecki <zibi@unicode.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.unic-langid-impl]]
|
|
who = "Zibi Braniecki <zibi@unicode.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.unic-langid-macros]]
|
|
who = "Zibi Braniecki <zibi@unicode.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.unic-langid-macros-impl]]
|
|
who = "Zibi Braniecki <zibi@unicode.org>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.9.0"
|
|
|
|
[[audits.unicode-ident]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.0 -> 1.0.1"
|
|
|
|
[[audits.unicode-ident]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "1.0.1 -> 1.0.3"
|
|
|
|
[[audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.19 -> 0.1.20"
|
|
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
|
|
|
|
[[audits.unicode-normalization]]
|
|
who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.1.20 -> 0.1.21"
|
|
|
|
[[audits.uniffi]]
|
|
who = "Travis Long <tlong@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.19.3"
|
|
notes = "Maintained by the Glean and Application Services teams"
|
|
|
|
[[audits.uniffi_bindgen]]
|
|
who = "Travis Long <tlong@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.19.3"
|
|
notes = "Maintained by the Glean and Application Services teams."
|
|
|
|
[[audits.uniffi_build]]
|
|
who = "Travis Long <tlong@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.19.3"
|
|
notes = "Maintained by the Glean and Application Services teams."
|
|
|
|
[[audits.uniffi_macros]]
|
|
who = "Travis Long <tlong@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.19.3"
|
|
notes = "Maintained by the Glean and Application Services teams."
|
|
|
|
[[audits.void]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "1.0.2"
|
|
notes = "Very small crate, just hosts the Void type for easier cross-crate interfacing."
|
|
|
|
[[audits.wasm-encoder]]
|
|
who = "Ryan Hunt <rhunt@eqrion.net>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.7.0"
|
|
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities."
|
|
|
|
[[audits.wasm-encoder]]
|
|
who = "Ryan Hunt <rhunt@eqrion.net>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.7.0 -> 0.14.0"
|
|
notes = "wasm-encoder has no unsafe code and uses no ambient capabilities."
|
|
|
|
[[audits.wasm-encoder]]
|
|
who = "Yury Delendik <ydelendik@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.14.0 -> 0.15.0"
|
|
|
|
[[audits.wasm-smith]]
|
|
who = "Ryan Hunt <rhunt@eqrion.net>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.11.2"
|
|
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."
|
|
|
|
# Criteria mismatch with the full audit above: 0.11.2 is certified
# safe-to-deploy, but this delta grants only safe-to-run. cargo-vet certifies
# a version for a criterion only along a chain of audits that each grant it
# (safe-to-deploy implies safe-to-run, not the reverse), so these two entries
# together certify 0.11.3 as safe-to-run only.
# NOTE(review): presumably intentional if the crate is only used for testing;
# confirm against the policy for this crate.
[[audits.wasm-smith]]
|
|
who = "Yury Delendik <ydelendik@mozilla.com>"
|
|
criteria = "safe-to-run"
|
|
delta = "0.11.2 -> 0.11.3"
|
|
|
|
[[audits.wasmparser]]
|
|
who = "Ryan Hunt <rhunt@eqrion.net>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.87.0"
|
|
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."
|
|
|
|
[[audits.wasmparser]]
|
|
who = "Yury Delendik <ydelendik@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.87.0 -> 0.88.0"
|
|
|
|
[[audits.wast]]
|
|
who = "Ryan Hunt <rhunt@eqrion.net>"
|
|
criteria = "safe-to-deploy"
|
|
version = "44.0.0"
|
|
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. wast has no unsafe code and the only ambient capability it uses is to read the full contents of a file that is given to it."
|
|
|
|
[[audits.wast]]
|
|
who = "Yury Delendik <ydelendik@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "44.0.0 -> 45.0.0"
|
|
|
|
[[audits.webdriver]]
|
|
who = "Henrik Skupin <mail@hskupin.info>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.46.0"
|
|
notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."
|
|
|
|
[[audits.weedle2]]
|
|
who = "Travis Long <tlong@mozilla.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "3.0.0"
|
|
notes = "Maintained by the Glean and Application Services teams."
|
|
|
|
# Attestation collected by proxy: `who` names the attesting author, but per
# the notes the statement was recorded by Jim Blandy over email in July 2022,
# after the author had left Mozilla in February 2022.
# The attestation is bounded to "up through the indicated version" (0.12.0);
# later versions need their own audit or delta entries.
# The same statement is recorded for wgpu-hal and wgpu-types in this file.
[[audits.wgpu-core]]
|
|
who = "Dzmitry Malyshau <kvark@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.0"
|
|
notes = """
|
|
This crate, up through the indicated version, was written or reviewed
|
|
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
|
|
Mozilla at the beginning of February 2022. This audit statement was
|
|
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
|
|
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
|
|
"""
|
|
|
|
[[audits.wgpu-hal]]
|
|
who = "Dzmitry Malyshau <kvark@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.0"
|
|
notes = """
|
|
This crate, up through the indicated version, was written or reviewed
|
|
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
|
|
Mozilla at the beginning of February 2022. This audit statement was
|
|
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
|
|
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
|
|
"""
|
|
|
|
[[audits.wgpu-types]]
|
|
who = "Dzmitry Malyshau <kvark@fastmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.12.0"
|
|
notes = """
|
|
This crate, up through the indicated version, was written or reviewed
|
|
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
|
|
Mozilla at the beginning of February 2022. This audit statement was
|
|
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
|
|
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
|
|
"""
|
|
|
|
# Per the notes, this audit covers platform-specific FFI plus a small C file
# that is compiled at build time for Windows; the auditor states all of it
# was reviewed.
# NOTE(review): C compiled at build time usually means a build script runs on
# the build host. Confirm that script was part of the review, and re-check it
# in any later delta audit.
[[audits.whatsys]]
|
|
who = "Bobby Holley <bobbyholley@gmail.com>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.1.2"
|
|
notes = """
|
|
Contains platform-specific FFI code for apple, mac, and windows. The windows code
|
|
also contains a small C file compiled at build-time. I audited all of it and it
|
|
looks correct.
|
|
"""
|
|
|
|
[[audits.xmldecl]]
|
|
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
|
|
criteria = "safe-to-deploy"
|
|
version = "0.2.0"
|
|
notes = "I, Henri Sivonen, wrote this crate myself for Gecko even though it's published on crates.io."
|
|
|