diff --git a/deny.toml b/deny.toml index 5c3e415b4..946f84746 100644 --- a/deny.toml +++ b/deny.toml @@ -1,7 +1,8 @@ [sources.allow-org] github = [ - "mintlayer", # allow any code from mintlayer's github - "tokio-rs", # we have to use an unreleased version of tokio at this moment + "mintlayer", # allow any code from mintlayer's github + "paritytech", # we have to use an unreleased version of parity-scale-codec at this moment + "tokio-rs", # we have to use an unreleased version of tokio at this moment ] [licenses] @@ -24,28 +25,24 @@ allow = [ "MIT", "MPL-2.0", "Unicode-3.0", - "Unlicense", # this is a specific license rather than no license at all + "Unlicense", # this is a specific license rather than no license at all "Zlib", ] # deny a license not in this set of licenses [[licenses.clarify]] name = "ring" expression = "LicenseRef-ring" -license-files = [ - { path = "LICENSE", hash = 0xbd0eed23 }, -] +license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }] [[licenses.clarify]] name = "webpki" expression = "LicenseRef-webpki" -license-files = [ - { path = "LICENSE", hash = 0x001c7e6c }, -] +license-files = [{ path = "LICENSE", hash = 0x001c7e6c }] [advisories] version = 2 db-path = "~/.cargo/advisory-dbs" -db-urls = [ "https://github.com/RustSec/advisory-db" ] +db-urls = ["https://github.com/RustSec/advisory-db"] yanked = "warn" ignore = [ "RUSTSEC-2024-0436", # "paste" is no longer maintained diff --git a/supply-chain/README.md b/supply-chain/README.md index 654899195..415dfcae2 100644 --- a/supply-chain/README.md +++ b/supply-chain/README.md 
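Review bot: The new `"paritytech"` entry under `[sources.allow-org]` `github` accepts a git source from any repository in that organisation, although its comment says only an unreleased parity-scale-codec is needed. cargo-deny can narrow this to a single repository with `allow-git` under `[sources]`, e.g. `allow-git = ["https://github.com/paritytech/parity-scale-codec"]` (URL to be checked against the actual `git =` source in Cargo.toml). The comment would also age better if it named the condition for removing the entry, in the style of `# remove once parity-scale-codec publishes the needed release`.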
@@ -107,8 +107,32 @@ will be automatically removed by `cargo vet`, while `cargo vet --locked` will co | Jonas Platte | jplatte | Member of `tokio-rs` and `tower-rs`, maintainer of `axum`. | | Eliza Weisman | hawkw | Member of `tokio-rs` and `tower-rs`, creator/maintainer of `tracing` crates and crates related to `tokio-console`. | | Jon Gjengset | jonhoo | Educator, author of "Rust for Rustaceans", author and maintainer of the `hdrhistogram` crate used by `console-subscriber`. | + | Frank Denis | jedisct1 | Member of `WebAssembly` and `wasm-crypto`, creator/maintainer of `libsodium`. | + | Hayden Stainsby | hds | One of the owners of the `tracing` crates. Recent versions of `tracing` were published by him. | - We also trust the crates that we've forked. Normally this is done by putting them to the `policy` table in `config.toml` and setting its `audit-as-crates-io` key to `false`. + +## What to do when a dependency gets updated and `cagro vet` starts complaining. + +- First of all, run `cargo vet check` (i.e. without `--locked`), which may pull some new audits. + +- The `cargo vet check` call above may also suggest trusting crates published by people that we already trust, so you may run what it suggests.\ + Alternatively, you may want to just run `cargo vet trust` for all publishers that we already trust, e.g. + ``` + for var in alexcrichton Darksonn Amanieu ...; do cargo vet trust --all "$var" --allow-multiple-publishers --criteria safe-to-deploy; done + ``` + (use all publisher ids both from the list and the table above). + +- Consider adding new publishers as trusted. In particular, if a crate is from an ecosystem that we generally trust (e.g. `tracing`) + and a new version of that crate has been published by a new publisher, it makes sense to add that publisher as trusted as well (after + verifying that the person is indeed among the crate's owners/maintainers). + + Don't forget to add the newly trusted publishers to the table above. 
+ +- Consider making an audit yourself. + +- Finally, if there are still some unvetted dependecies, run `cargo vet regenerate exemptions`, which will create new exemptions + or update existing ones. diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index ca273e377..d4195eb62 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -191,7 +191,7 @@ end = "2026-10-15" [[trusted.bip39]] criteria = "safe-to-deploy" -user-id = 28012 # Steven Roose (stevenroose) +user-id = 28012 start = "2020-07-22" end = "2026-10-15" @@ -1455,6 +1455,12 @@ user-id = 5059 # Artyom Pavlov (newpavlov) start = "2020-01-06" end = "2026-10-15" +[[trusted.siphasher]] +criteria = "safe-to-deploy" +user-id = 468 # Frank Denis (jedisct1) +start = "2019-09-20" +end = "2027-02-11" + [[trusted.slab]] criteria = "safe-to-deploy" user-id = 6741 # Alice Ryhl (Darksonn) 
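Review bot: The `[[trusted.bip39]]` entry for `user-id = 28012` looks unused after this change. Its publisher comment is dropped here, the matching `[[publisher.bip39]]` record disappears from imports.lock, and config.toml gains an exemption for bip39 2.2.2, which suggests the version now in the lockfile was not published by that account. An unmatched trust entry still pre-approves any later release from that account until `end = "2026-10-15"`, so removing it is safer than leaving it in place. If it is kept on purpose, a short comment saying why would help the next reader.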
@@ -1707,24 +1713,48 @@ user-id = 1249 # Eliza Weisman (hawkw) start = "2019-06-28" end = "2027-02-11" +[[trusted.tracing]] +criteria = "safe-to-deploy" +user-id = 172786 # Hayden Stainsby (hds) +start = "2024-11-27" +end = "2027-02-11" + [[trusted.tracing-attributes]] criteria = "safe-to-deploy" user-id = 1249 # Eliza Weisman (hawkw) start = "2019-08-08" end = "2027-02-11" +[[trusted.tracing-attributes]] +criteria = "safe-to-deploy" +user-id = 172786 # Hayden Stainsby (hds) +start = "2024-11-26" +end = "2027-02-11" + [[trusted.tracing-core]] criteria = "safe-to-deploy" user-id = 1249 # Eliza Weisman (hawkw) start = "2019-06-20" end = "2027-02-11" +[[trusted.tracing-core]] +criteria = "safe-to-deploy" +user-id = 172786 # Hayden Stainsby (hds) +start = "2024-11-25" +end = "2027-02-11" + [[trusted.tracing-serde]] criteria = "safe-to-deploy" user-id = 1249 # Eliza Weisman (hawkw) start = "2019-06-27" end = "2027-02-11" +[[trusted.tracing-serde]] +criteria = "safe-to-deploy" +user-id = 172786 # Hayden Stainsby (hds) +start = "2024-11-27" +end = "2027-02-11" + [[trusted.tracing-subscriber]] criteria = "safe-to-deploy" user-id = 10 @@ -1737,6 +1767,12 @@ user-id = 1249 # Eliza Weisman (hawkw) start = "2019-06-27" end = "2027-02-11" +[[trusted.tracing-subscriber]] +criteria = "safe-to-deploy" +user-id = 172786 # Hayden Stainsby (hds) +start = "2024-11-29" +end = "2027-02-11" + [[trusted.unicode-ident]] criteria = "safe-to-deploy" user-id = 3618 # David Tolnay (dtolnay) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 22255880d..736bbc728 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -103,7 +103,7 @@ version = "1.0.1" criteria = "safe-to-deploy" [[exemptions.ashpd]] -version = "0.11.0" +version = "0.11.1" criteria = "safe-to-deploy" [[exemptions.async-executor]] 
@@ -111,7 +111,7 @@ version = "1.13.3" criteria = "safe-to-deploy" [[exemptions.async-lock]] -version = "3.4.1" +version = "3.4.2" criteria = "safe-to-deploy" [[exemptions.async-recursion]] @@ -123,13 +123,17 @@ version = "4.7.1" criteria = "safe-to-deploy" [[exemptions.bigdecimal]] -version = "0.4.9" +version = "0.4.10" criteria = "safe-to-deploy" [[exemptions.bincode]] version = "1.3.3" criteria = "safe-to-deploy" +[[exemptions.bip39]] +version = "2.2.2" +criteria = "safe-to-deploy" + [[exemptions.bitvec]] version = "1.0.1" criteria = "safe-to-deploy" @@ -142,8 +146,24 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-deploy" +[[exemptions.bluez-async]] +version = "0.8.2" +criteria = "safe-to-deploy" + +[[exemptions.bluez-generated]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.borsh]] +version = "1.6.0" +criteria = "safe-to-deploy" + [[exemptions.borsh-derive]] -version = "1.5.7" +version = "1.6.0" +criteria = "safe-to-deploy" + +[[exemptions.btleplug]] +version = "0.11.8" criteria = "safe-to-deploy" [[exemptions.byte-slice-cast]] @@ -151,7 +171,7 @@ version = "1.2.3" criteria = "safe-to-deploy" [[exemptions.byte-unit]] -version = "5.1.6" +version = "5.2.0" criteria = "safe-to-deploy" [[exemptions.bytecheck]] @@ -163,7 +183,7 @@ version = "0.6.12" criteria = "safe-to-deploy" [[exemptions.bytemuck]] -version = "1.24.0" +version = "1.25.0" criteria = "safe-to-deploy" [[exemptions.bytemuck_derive]] @@ -174,10 +194,22 @@ criteria = "safe-to-deploy" version = "0.13.0" criteria = "safe-to-deploy" +[[exemptions.calloop]] +version = "0.14.3" +criteria = "safe-to-deploy" + [[exemptions.calloop-wayland-source]] version = "0.3.0" criteria = "safe-to-deploy" +[[exemptions.calloop-wayland-source]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.cc]] +version = "1.2.55" +criteria = "safe-to-deploy" + [[exemptions.cesu8]] version = "1.1.0" criteria = "safe-to-deploy" 
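Review bot: The new `[[exemptions.cc]]` entry at 1.2.55 replaces an audited chain with a blanket exemption. imports.lock in this same commit drops the Mozilla and Bytecode Alliance delta audits that covered cc up to 1.2.41, so the whole crate is now recorded as unreviewed rather than only the last step. The same pattern appears in other hunks of this commit for `find-msvc-tools` 0.1.9, `iana-time-zone` 0.1.65, `simd-adler32` 0.3.8 and `borsh` 1.6.0. Reviewing the remaining delta (`cargo vet diff cc 1.2.41 1.2.55`) and recording it with `cargo vet certify` would keep the imported audits in use and make the exemption unnecessary.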
@@ -218,6 +250,10 @@ criteria = "safe-to-deploy" version = "0.6.0" criteria = "safe-to-deploy" +[[exemptions.convert_case]] +version = "0.10.0" +criteria = "safe-to-deploy" + [[exemptions.core-foundation]] version = "0.10.1" criteria = "safe-to-deploy" @@ -247,7 +283,7 @@ version = "0.2.9" criteria = "safe-to-deploy" [[exemptions.ctor-lite]] -version = "0.1.0" +version = "0.1.1" criteria = "safe-to-deploy" [[exemptions.cursor-icon]] @@ -270,20 +306,48 @@ criteria = "safe-to-deploy" version = "1.1.1" criteria = "safe-to-deploy" +[[exemptions.darling]] +version = "0.14.4" +criteria = "safe-to-deploy" + [[exemptions.darling]] version = "0.21.3" criteria = "safe-to-deploy" +[[exemptions.darling_core]] +version = "0.14.4" +criteria = "safe-to-deploy" + [[exemptions.darling_core]] version = "0.21.3" criteria = "safe-to-deploy" +[[exemptions.darling_macro]] +version = "0.14.4" +criteria = "safe-to-deploy" + [[exemptions.darling_macro]] version = "0.21.3" criteria = "safe-to-deploy" +[[exemptions.dashmap]] +version = "5.5.3" +criteria = "safe-to-deploy" + +[[exemptions.dashmap]] +version = "6.1.0" +criteria = "safe-to-deploy" + [[exemptions.data-encoding]] -version = "2.9.0" +version = "2.10.0" +criteria = "safe-to-deploy" + +[[exemptions.dbus]] +version = "0.9.10" +criteria = "safe-to-deploy" + +[[exemptions.dbus-tokio]] +version = "0.7.6" criteria = "safe-to-deploy" [[exemptions.dconf_rs]] @@ -347,11 +411,11 @@ version = "0.1.2" criteria = "safe-to-deploy" [[exemptions.drm]] -version = "0.12.0" +version = "0.14.1" criteria = "safe-to-deploy" [[exemptions.drm-ffi]] -version = "0.8.0" +version = "0.9.0" criteria = "safe-to-deploy" [[exemptions.drm-fourcc]] 
@@ -359,7 +423,19 @@ version = "2.2.0" criteria = "safe-to-deploy" [[exemptions.drm-sys]] -version = "0.7.0" +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.encdec]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.encdec-base]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.encdec-macros]] +version = "0.10.0" criteria = "safe-to-deploy" [[exemptions.encode_unicode]] @@ -414,6 +490,10 @@ criteria = "safe-to-deploy" version = "0.7.6" criteria = "safe-to-deploy" +[[exemptions.find-msvc-tools]] +version = "0.1.9" +criteria = "safe-to-deploy" + [[exemptions.fix-hidden-lifetime-bug]] version = "0.2.7" criteria = "safe-to-deploy" @@ -459,7 +539,7 @@ version = "2.6.1" criteria = "safe-to-deploy" [[exemptions.generator]] -version = "0.8.7" +version = "0.8.8" criteria = "safe-to-deploy" [[exemptions.generic-array]] @@ -474,6 +554,10 @@ criteria = "safe-to-deploy" version = "0.3.4" criteria = "safe-to-deploy" +[[exemptions.getrandom]] +version = "0.4.1" +criteria = "safe-to-deploy" + [[exemptions.getrandom_or_panic]] version = "0.0.3" criteria = "safe-to-deploy" @@ -522,6 +606,10 @@ criteria = "safe-to-deploy" version = "2.7.1" criteria = "safe-to-deploy" +[[exemptions.hash32]] +version = "0.3.1" +criteria = "safe-to-deploy" + [[exemptions.hashlink]] version = "0.10.0" criteria = "safe-to-deploy" @@ -530,6 +618,10 @@ criteria = "safe-to-deploy" version = "0.11.0" criteria = "safe-to-deploy" +[[exemptions.heapless]] +version = "0.8.0" +criteria = "safe-to-deploy" + [[exemptions.hermit-abi]] version = "0.5.2" criteria = "safe-to-deploy" 
@@ -542,10 +634,18 @@ criteria = "safe-to-deploy" version = "0.2.1" criteria = "safe-to-deploy" +[[exemptions.hidapi]] +version = "2.6.4" +criteria = "safe-to-deploy" + [[exemptions.hyper-timeout]] version = "0.5.2" criteria = "safe-to-deploy" +[[exemptions.iana-time-zone]] +version = "0.1.65" +criteria = "safe-to-deploy" + [[exemptions.iced_aw]] version = "0.12.2@git:def1db9aac1e58a47e0c3127d4d4e95d724ca8ad" criteria = "safe-to-deploy" @@ -567,15 +667,23 @@ version = "2.11.0" criteria = "safe-to-deploy" [[exemptions.iri-string]] -version = "0.7.9" +version = "0.7.10" criteria = "safe-to-run" +[[exemptions.jni]] +version = "0.19.0" +criteria = "safe-to-deploy" + [[exemptions.jni-sys]] version = "0.3.0" criteria = "safe-to-deploy" +[[exemptions.jni-utils]] +version = "0.1.1" +criteria = "safe-to-deploy" + [[exemptions.js-sys]] -version = "0.3.81" +version = "0.3.85" criteria = "safe-to-deploy" [[exemptions.jsonrpsee]] @@ -622,6 +730,18 @@ criteria = "safe-to-deploy" version = "0.10.4" criteria = "safe-to-deploy" +[[exemptions.ledger-lib]] +version = "0.1.0@git:035789ec436d47b938e8a3d2085ffb2fbf6f0559" +criteria = "safe-to-deploy" + +[[exemptions.ledger-proto]] +version = "0.1.0@git:035789ec436d47b938e8a3d2085ffb2fbf6f0559" +criteria = "safe-to-deploy" + +[[exemptions.libdbus-sys]] +version = "0.2.7" +criteria = "safe-to-deploy" + [[exemptions.libloading]] version = "0.7.4" criteria = "safe-to-deploy" @@ -631,7 +751,7 @@ version = "0.8.9" criteria = "safe-to-deploy" [[exemptions.libredox]] -version = "0.1.10" +version = "0.1.12" criteria = "safe-to-deploy" [[exemptions.libusb1-sys]] @@ -651,7 +771,7 @@ version = "1.0.16" criteria = "safe-to-deploy" [[exemptions.lyon_geom]] -version = "1.0.17" +version = "1.0.18" criteria = "safe-to-deploy" [[exemptions.lyon_path]] @@ -671,7 +791,7 @@ version = "0.8.4" criteria = "safe-to-deploy" [[exemptions.memmap2]] -version = "0.9.8" +version = "0.9.9" criteria = "safe-to-deploy" [[exemptions.memoffset]] 
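Review bot: The `[[exemptions.ledger-lib]]` and `[[exemptions.ledger-proto]]` entries mark a git revision (`0.1.0@git:035789ec436d47b938e8a3d2085ffb2fbf6f0559`) as `safe-to-deploy` with no recorded review, and judging by the names this is code that talks to a hardware wallet. Together with the native transport crates exempted in the neighbouring hunks (`hidapi`, `libdbus-sys`, `dbus`, `btleplug`, `bluez-async`, `jni`), a sizeable FFI surface enters on exemptions alone. If these two crates are the project's own forks, the convention stated in supply-chain/README.md is a `policy` entry with `audit-as-crates-io = false` rather than an exemption. Otherwise an audit of at least these two, or a `notes = "..."` line on each exemption stating where the revision comes from and why it is not yet audited, would make the accepted risk visible.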
@@ -723,11 +843,11 @@ version = "0.4.4" criteria = "safe-to-deploy" [[exemptions.num_enum]] -version = "0.7.4" +version = "0.7.5" criteria = "safe-to-deploy" [[exemptions.num_enum_derive]] -version = "0.7.4" +version = "0.7.5" criteria = "safe-to-deploy" [[exemptions.objc]] @@ -758,10 +878,18 @@ criteria = "safe-to-deploy" version = "0.2.2" criteria = "safe-to-deploy" +[[exemptions.objc2-core-bluetooth]] +version = "0.2.2" +criteria = "safe-to-deploy" + [[exemptions.objc2-core-data]] version = "0.2.2" criteria = "safe-to-deploy" +[[exemptions.objc2-core-graphics]] +version = "0.3.2" +criteria = "safe-to-deploy" + [[exemptions.objc2-core-image]] version = "0.2.2" criteria = "safe-to-deploy" @@ -811,7 +939,7 @@ version = "0.1.13" criteria = "safe-to-deploy" [[exemptions.orbclient]] -version = "0.3.48" +version = "0.3.50" criteria = "safe-to-deploy" [[exemptions.ordered-multimap]] @@ -911,7 +1039,7 @@ version = "3.7.2" criteria = "safe-to-deploy" [[exemptions.psl]] -version = "2.1.150" +version = "2.1.188" criteria = "safe-to-deploy" [[exemptions.psl-types]] @@ -935,7 +1063,7 @@ version = "1.2.3" criteria = "safe-to-deploy" [[exemptions.quick-xml]] -version = "0.37.5" +version = "0.38.4" criteria = "safe-to-deploy" [[exemptions.r-efi]] @@ -975,7 +1103,7 @@ version = "0.1.4" criteria = "safe-to-deploy" [[exemptions.rangemap]] -version = "1.6.0" +version = "1.7.1" criteria = "safe-to-deploy" [[exemptions.read-fonts]] @@ -994,6 +1122,10 @@ criteria = "safe-to-deploy" version = "0.5.18" criteria = "safe-to-deploy" +[[exemptions.redox_syscall]] +version = "0.7.0" +criteria = "safe-to-deploy" + [[exemptions.redox_users]] version = "0.4.6" criteria = "safe-to-deploy" @@ -1019,11 +1151,11 @@ version = "0.17.14" criteria = "safe-to-deploy" [[exemptions.rkyv]] -version = "0.7.45" +version = "0.7.46" criteria = "safe-to-deploy" [[exemptions.rkyv_derive]] -version = "0.7.45" +version = "0.7.46" criteria = "safe-to-deploy" [[exemptions.rlimit]] 
@@ -1051,7 +1183,7 @@ version = "0.18.0" criteria = "safe-to-deploy" [[exemptions.rust_decimal]] -version = "1.39.0" +version = "1.40.0" criteria = "safe-to-deploy" [[exemptions.rustc-hex]] @@ -1075,7 +1207,7 @@ version = "0.1.28" criteria = "safe-to-deploy" [[exemptions.schemars]] -version = "1.0.4" +version = "1.2.1" criteria = "safe-to-deploy" [[exemptions.schnorrkel]] @@ -1107,31 +1239,35 @@ version = "2.15.0" criteria = "safe-to-deploy" [[exemptions.self_cell]] -version = "1.2.0" +version = "1.2.2" criteria = "safe-to-deploy" [[exemptions.serde-wasm-bindgen]] version = "0.6.5" criteria = "safe-to-deploy" +[[exemptions.serde-xml-rs]] +version = "0.8.2" +criteria = "safe-to-deploy" + [[exemptions.serde_urlencoded]] version = "0.7.1" criteria = "safe-to-deploy" [[exemptions.serde_with]] -version = "3.15.0" +version = "3.16.1" criteria = "safe-to-deploy" [[exemptions.serde_with_macros]] -version = "3.15.0" +version = "3.16.1" criteria = "safe-to-deploy" [[exemptions.serial_test]] -version = "3.2.0" +version = "3.3.1" criteria = "safe-to-run" [[exemptions.serial_test_derive]] -version = "3.2.0" +version = "3.3.1" criteria = "safe-to-run" [[exemptions.signal-hook]] @@ -1139,19 +1275,19 @@ version = "0.3.18" criteria = "safe-to-deploy" [[exemptions.signal-hook-mio]] -version = "0.2.4" +version = "0.2.5" criteria = "safe-to-deploy" [[exemptions.signal-hook-registry]] -version = "1.4.6" +version = "1.4.8" criteria = "safe-to-deploy" -[[exemptions.simdutf8]] -version = "0.1.5" +[[exemptions.simd-adler32]] +version = "0.3.8" criteria = "safe-to-deploy" -[[exemptions.siphasher]] -version = "0.3.11" +[[exemptions.simdutf8]] +version = "0.1.5" criteria = "safe-to-deploy" [[exemptions.slave-pool]] 
@@ -1159,15 +1295,19 @@ version = "0.2.3" criteria = "safe-to-deploy" [[exemptions.slotmap]] -version = "1.0.7" +version = "1.1.1" criteria = "safe-to-deploy" [[exemptions.smithay-client-toolkit]] version = "0.19.2" criteria = "safe-to-deploy" +[[exemptions.smithay-client-toolkit]] +version = "0.20.0" +criteria = "safe-to-deploy" + [[exemptions.smithay-clipboard]] -version = "0.7.2" +version = "0.7.3" criteria = "safe-to-deploy" [[exemptions.smol_str]] @@ -1183,7 +1323,7 @@ version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.softbuffer]] -version = "0.4.6" +version = "0.4.8" criteria = "safe-to-deploy" [[exemptions.soketto]] @@ -1223,7 +1363,7 @@ version = "0.3.2" criteria = "safe-to-deploy" [[exemptions.system-configuration]] -version = "0.6.1" +version = "0.7.0" criteria = "safe-to-deploy" [[exemptions.system-configuration-sys]] @@ -1231,7 +1371,7 @@ version = "0.6.0" criteria = "safe-to-deploy" [[exemptions.tempfile]] -version = "3.23.0" +version = "3.25.0" criteria = "safe-to-deploy" [[exemptions.term]] @@ -1270,10 +1410,6 @@ criteria = "safe-to-deploy" version = "0.5.2" criteria = "safe-to-deploy" -[[exemptions.tracing-serde]] -version = "0.2.0" -criteria = "safe-to-deploy" - [[exemptions.tsify]] version = "0.5.6" criteria = "safe-to-deploy" @@ -1318,12 +1454,16 @@ criteria = "safe-to-deploy" version = "0.9.0" criteria = "safe-to-deploy" +[[exemptions.unwrap-infallible]] +version = "1.0.0" +criteria = "safe-to-deploy" + [[exemptions.urlencoding]] version = "2.1.3" criteria = "safe-to-deploy" [[exemptions.utf8-width]] -version = "0.1.7" +version = "0.1.8" criteria = "safe-to-deploy" [[exemptions.version_check]] 
@@ -1335,27 +1475,27 @@ version = "0.14.1" criteria = "safe-to-deploy" [[exemptions.wasite]] -version = "0.1.0" +version = "1.0.2" criteria = "safe-to-deploy" [[exemptions.wasm-bindgen]] -version = "0.2.104" +version = "0.2.108" criteria = "safe-to-deploy" [[exemptions.wasm-bindgen-futures]] -version = "0.4.54" +version = "0.4.58" criteria = "safe-to-deploy" [[exemptions.wasm-bindgen-macro]] -version = "0.2.104" +version = "0.2.108" criteria = "safe-to-deploy" [[exemptions.wasm-bindgen-macro-support]] -version = "0.2.104" +version = "0.2.108" criteria = "safe-to-deploy" [[exemptions.wasm-bindgen-shared]] -version = "0.2.104" +version = "0.2.108" criteria = "safe-to-deploy" [[exemptions.wasm-timer]] @@ -1363,11 +1503,11 @@ version = "0.2.5" criteria = "safe-to-deploy" [[exemptions.wayland-backend]] -version = "0.3.11" +version = "0.3.12" criteria = "safe-to-deploy" [[exemptions.wayland-client]] -version = "0.31.11" +version = "0.31.12" criteria = "safe-to-deploy" [[exemptions.wayland-csd-frame]] @@ -1375,31 +1515,39 @@ version = "0.3.0" criteria = "safe-to-deploy" [[exemptions.wayland-cursor]] -version = "0.31.11" +version = "0.31.12" criteria = "safe-to-deploy" [[exemptions.wayland-protocols]] -version = "0.32.9" +version = "0.32.10" +criteria = "safe-to-deploy" + +[[exemptions.wayland-protocols-experimental]] +version = "20250721.0.1" +criteria = "safe-to-deploy" + +[[exemptions.wayland-protocols-misc]] +version = "0.3.10" criteria = "safe-to-deploy" [[exemptions.wayland-protocols-plasma]] -version = "0.3.9" +version = "0.3.10" criteria = "safe-to-deploy" [[exemptions.wayland-protocols-wlr]] -version = "0.3.9" +version = "0.3.10" criteria = "safe-to-deploy" [[exemptions.wayland-scanner]] -version = "0.31.7" +version = "0.31.8" criteria = "safe-to-deploy" [[exemptions.wayland-sys]] -version = "0.31.7" +version = "0.31.8" criteria = "safe-to-deploy" [[exemptions.web-sys]] -version = "0.3.81" +version = "0.3.85" criteria = "safe-to-deploy" [[exemptions.web-time]] 
@@ -1419,7 +1567,7 @@ version = "0.19.5" criteria = "safe-to-deploy" [[exemptions.whoami]] -version = "1.6.1" +version = "2.1.0" criteria = "safe-to-deploy" [[exemptions.widestring]] @@ -1482,8 +1630,12 @@ criteria = "safe-to-deploy" version = "0.2.1" criteria = "safe-to-deploy" +[[exemptions.xml]] +version = "1.2.1" +criteria = "safe-to-deploy" + [[exemptions.xml-rs]] -version = "0.8.27" +version = "0.8.28" criteria = "safe-to-deploy" [[exemptions.yansi]] diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index e455c2b89..5129b20e8 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -204,13 +204,6 @@ user-id = 1588 user-login = "apoelstra" user-name = "Andrew Poelstra" -[[publisher.bip39]] -version = "2.2.0" -when = "2025-06-15" -user-id = 28012 -user-login = "stevenroose" -user-name = "Steven Roose" - [[publisher.bitcoin]] version = "0.32.8" when = "2025-12-06" @@ -295,13 +288,6 @@ user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" -[[publisher.cc]] -version = "1.0.89" -when = "2024-03-04" -user-id = 2915 -user-login = "Amanieu" -user-name = "Amanieu d'Antras" - [[publisher.cfg-if]] version = "1.0.4" when = "2025-10-15" @@ -616,13 +602,6 @@ user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" -[[publisher.find-msvc-tools]] -version = "0.1.0" -when = "2025-08-29" -user-id = 539 -user-login = "cuviper" -user-name = "Josh Stone" - [[publisher.flate2]] version = "1.1.9" when = "2026-02-03" @@ -659,8 +638,8 @@ user-login = "newpavlov" user-name = "Artyom Pavlov" [[publisher.getrandom]] -version = "0.2.16" -when = "2025-04-22" +version = "0.2.17" +when = "2026-01-11" user-id = 5059 user-login = "newpavlov" user-name = "Artyom Pavlov" 
@@ -1583,6 +1562,20 @@ user-id = 5059 user-login = "newpavlov" user-name = "Artyom Pavlov" +[[publisher.siphasher]] +version = "0.3.11" +when = "2023-08-23" +user-id = 468 +user-login = "jedisct1" +user-name = "Frank Denis" + +[[publisher.siphasher]] +version = "1.0.2" +when = "2026-01-27" +user-id = 468 +user-login = "jedisct1" +user-name = "Frank Denis" + [[publisher.slab]] version = "0.4.12" when = "2026-01-31" @@ -1800,6 +1793,41 @@ user-id = 3959 user-login = "LucioFranco" user-name = "Lucio Franco" +[[publisher.tracing]] +version = "0.1.44" +when = "2025-12-18" +user-id = 172786 +user-login = "hds" +user-name = "Hayden Stainsby" + +[[publisher.tracing-attributes]] +version = "0.1.31" +when = "2025-11-26" +user-id = 172786 +user-login = "hds" +user-name = "Hayden Stainsby" + +[[publisher.tracing-core]] +version = "0.1.36" +when = "2025-12-18" +user-id = 172786 +user-login = "hds" +user-name = "Hayden Stainsby" + +[[publisher.tracing-serde]] +version = "0.2.0" +when = "2024-11-27" +user-id = 172786 +user-login = "hds" +user-name = "Hayden Stainsby" + +[[publisher.tracing-subscriber]] +version = "0.3.22" +when = "2025-11-28" +user-id = 172786 +user-login = "hds" +user-name = "Hayden Stainsby" + [[publisher.unicode-ident]] version = "1.0.23" when = "2026-02-08" @@ -2742,12 +2770,6 @@ who = "Benjamin Bouvier " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.2" -[[audits.bytecode-alliance.audits.cc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "1.2.30 -> 1.2.41" -notes = "This is a trusted rust-lang/rust crate" - [[audits.bytecode-alliance.audits.cipher]] who = "Andrew Brown " criteria = "safe-to-deploy" 
@@ -2785,12 +2807,6 @@ criteria = "safe-to-deploy" delta = "2.1.1 -> 2.3.0" notes = "Minor refactoring, nothing new." -[[audits.bytecode-alliance.audits.find-msvc-tools]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.0 -> 0.1.4" -notes = "Nothing out of the ordinary for a crate finding MSVC tooling." - [[audits.bytecode-alliance.audits.foldhash]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -3077,18 +3093,6 @@ criteria = "safe-to-deploy" version = "0.3.1" notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly." -[[audits.bytecode-alliance.audits.tracing-attributes]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.28 -> 0.1.30" -notes = "Few code changes, a pretty minor update." - -[[audits.bytecode-alliance.audits.tracing-core]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.1.33 -> 0.1.34" -notes = "Mostly just an update with Rust stylistic conventions changing. Nothing awry." - [[audits.bytecode-alliance.audits.tracing-log]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -3104,11 +3108,6 @@ criteria = "safe-to-deploy" delta = "0.1.3 -> 0.2.0" notes = "Nothing out of the ordinary, a typical major version update and nothing awry." -[[audits.bytecode-alliance.audits.tracing-subscriber]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.3.17" - [[audits.bytecode-alliance.audits.try-lock]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -3600,13 +3599,6 @@ criteria = "safe-to-deploy" version = "1.0.3" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.iana-time-zone]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -version = "0.1.61" -notes = "Some unsafe: interfacing with system timezone APIs" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.icu_collections]] who = "Manish Goregaokar " criteria = "safe-to-deploy" @@ -3892,18 +3884,6 @@ version = "0.10.5" notes = "Reviewed on https://fxrev.dev/712371." aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.simd-adler32]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -version = "0.3.7" -notes = """ -Security review of earlier versions of the crate can be found at -(Google-internal, sorry): go/image-crate-chromium-security-review - -Audit comments for 1.3.2 can be found at https://crrev.com/c/4723145. -""" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.skrifa]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -4569,43 +4549,6 @@ version = "0.6.2" notes = "Contains unsafe code to interoperate with the ObjC runtime." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.borsh]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "1.5.7" -notes = "Uses of unsafe are limited to safe use-cases." -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - -[[audits.mozilla.audits.cc]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "1.0.89 -> 1.2.10" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.cc]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "1.2.10 -> 1.2.11" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.cc]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "1.2.11 -> 1.2.12" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.cc]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "1.2.12 -> 1.2.16" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.cc]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "1.2.16 -> 1.2.30" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.cfg_aliases]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -4720,18 +4663,6 @@ criteria = "safe-to-deploy" version = "0.4.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.iana-time-zone]] -who = "Mark Hammond " -criteria = "safe-to-deploy" -delta = "0.1.61 -> 0.1.63" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.iana-time-zone]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "0.1.63 -> 0.1.64" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.icu_collections]] who = "Makoto Kato " criteria = "safe-to-deploy" 
@@ -5280,65 +5211,6 @@ version = "0.7.5+spec-1.1.0" notes = "Pure data type crate with some datetime parsing. No unsafe." aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" -[[audits.mozilla.audits.tracing]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -version = "0.1.37" -notes = """ -There's only one unsafe impl, and its purpose is to ensure correct behavior by -creating a non-Send marker type (it has nothing to do with soundness). All -dependencies make sense, and no side-effectful std functions are used. -""" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing]] -who = "Mark Hammond " -criteria = "safe-to-deploy" -delta = "0.1.37 -> 0.1.41" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing-attributes]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -version = "0.1.24" -notes = "No unsafe code, macros extensively tested and produce reasonable code." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing-attributes]] -who = "Mark Hammond " -criteria = "safe-to-deploy" -delta = "0.1.24 -> 0.1.28" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing-core]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -version = "0.1.30" -notes = """ -Most unsafe code is in implementing non-std sync primitives. Unsafe impls are -logically correct and justified in comments, and unsafe code is sound and -justified in comments. 
-""" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing-core]] -who = "Mark Hammond " -criteria = "safe-to-deploy" -delta = "0.1.30 -> 0.1.33" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing-subscriber]] -who = "Mark Hammond " -criteria = "safe-to-deploy" -delta = "0.3.17 -> 0.3.19" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.tracing-subscriber]] -who = "Mark Hammond " -criteria = "safe-to-deploy" -delta = "0.3.19 -> 0.3.20" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.utf8parse]] who = "Nika Layzell " criteria = "safe-to-deploy" @@ -5618,13 +5490,6 @@ delta = "0.1.4 -> 0.1.7" notes = "Only change to an `unsafe` block is to fix a clippy lint." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.siphasher]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.3.11 -> 1.0.1" -notes = "No code changes, just stabilising the code in SemVer." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.strum]] who = "Jack Grigg " criteria = "safe-to-deploy"