Revision control

Copy as Markdown

# cargo-vet imports lock
[[publisher.jsonschema-valid]]
version = "0.5.2"
when = "2023-11-08"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
[[publisher.linux-raw-sys]]
version = "0.4.10"
when = "2023-10-09"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"
[[publisher.rustix]]
version = "0.38.20"
when = "2023-10-19"
user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"
[[publisher.uniffi]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_bindgen]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_build]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_checksum_derive]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_core]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_macros]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_meta]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_testing]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.uniffi_udl]]
version = "0.28.1"
when = "2024-08-13"
user-id = 127697
user-login = "bendk"
[[publisher.weedle2]]
version = "5.0.0"
when = "2024-01-24"
user-id = 127697
user-login = "bendk"
[[publisher.zeitstempel]]
version = "0.1.1"
when = "2021-03-18"
user-id = 48
user-login = "badboy"
user-name = "Jan-Erik Rediger"
[[audits.bytecode-alliance.audits.adler]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
[[audits.bytecode-alliance.audits.anyhow]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.69 -> 1.0.71"
[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is
doing. Well tested, has quickchecks.
"""
[[audits.bytecode-alliance.audits.bitflags]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.2.1"
notes = """
This version adds unsafe impls of traits from the bytemuck crate when built
with that library enabled, but I believe the impls satisfy the documented
safety requirements for bytemuck. The other changes are minor.
"""
[[audits.bytecode-alliance.audits.bitflags]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "2.3.2 -> 2.3.3"
notes = """
Nothing outside the realm of what one would expect from a bitflags generator,
all as expected.
"""
[[audits.bytecode-alliance.audits.camino]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.1.4"
[[audits.bytecode-alliance.audits.cargo-platform]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "no build, no ambient capabilities, no unsafe"
[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.cfg-if]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value."
[[audits.bytecode-alliance.audits.errno]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = "Just a dependency version bump and a bug fix for redox"
[[audits.bytecode-alliance.audits.errno-dragonfly]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "This should be portable to any POSIX system and seems like it should be part of the libc crate, but at any rate it's safe as is."
[[audits.bytecode-alliance.audits.fd-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "3.0.9"
notes = "This crate uses unsafe to make Windows syscalls, to borrow an Fd with an appropriate lifetime, and to zero a windows API structure that appears to have a valid representation with zeroed memory."
[[audits.bytecode-alliance.audits.fd-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "3.0.9 -> 3.0.10"
notes = "Just a dependency version bump"
[[audits.bytecode-alliance.audits.fd-lock]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
delta = "3.0.10 -> 3.0.12"
notes = "Just a dependency version bump"
[[audits.bytecode-alliance.audits.form_urlencoded]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = """
This is a small crate for working with url-encoded forms which doesn't have any
more than what it says on the tin. Contains one `unsafe` block related to
performance around utf-8 validation which is fairly easy to verify as correct.
"""
[[audits.bytecode-alliance.audits.glob]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.0"
[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.4.1 -> 0.5.0"
notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected."
[[audits.bytecode-alliance.audits.id-arena]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "2.2.1"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.idna]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
notes = """
This is a crate without unsafe code or usage of the standard library. The large
size of this crate comes from the large generated unicode tables file. This
crate is broadly used throughout the ecosystem and does not contain anything
suspicious.
"""
[[audits.bytecode-alliance.audits.libc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.146 -> 0.2.147"
notes = "Only new type definitions and updating others for some platforms, no major changes"
[[audits.bytecode-alliance.audits.libc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.148 -> 0.2.149"
notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate."
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
This crate is a Rust implementation of zlib compression/decompression and has
been used by default by the Rust standard library for quite some time. It's also
a default dependency of the popular `backtrace` crate for decompressing debug
information. This crate forbids unsafe code and does not otherwise access system
resources. It's originally a port of the `miniz.c` library as well, and given
its own longevity should be relatively hardened against some of the more common
compression-related issues.
"""
[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """
This crate is a single-file crate that does what it says on the tin. There are
a few `unsafe` blocks related to utf-8 validation which are locally verifiable
as correct and otherwise this crate is good to go.
"""
[[audits.bytecode-alliance.audits.proc-macro2]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.51 -> 1.0.57"
[[audits.bytecode-alliance.audits.proc-macro2]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.59 -> 1.0.63"
notes = """
This is a routine update for new nightly features and new syntax popping up on
nightly, nothing out of the ordinary.
"""
[[audits.bytecode-alliance.audits.quote]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
delta = "1.0.23 -> 1.0.27"
[[audits.bytecode-alliance.audits.static_assertions]]
who = "Andrew Brown <andrew.brown@intel.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure."
[[audits.bytecode-alliance.audits.tempfile]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "3.5.0 -> 3.6.0"
notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal."
[[audits.bytecode-alliance.audits.tinyvec]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """
This crate, while it implements collections, does so without `std::*` APIs and
without `unsafe`. Skimming the crate everything looks reasonable and what one
would expect from idiomatic safe collections in Rust.
"""
[[audits.bytecode-alliance.audits.tinyvec_macros]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """
This is a trivial crate which only contains a singular macro definition which is
intended to multiplex across the internal representation of a tinyvec,
presumably. This trivially doesn't contain anything bad.
"""
[[audits.bytecode-alliance.audits.unicase]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.6.0"
notes = """
This crate contains no `unsafe` code and no unnecessary use of the standard
library.
"""
[[audits.bytecode-alliance.audits.unicode-bidi]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.8"
notes = """
This crate has no unsafe code and does not use `std::*`. Skimming the crate it
does not attempt to out of the bounds of what it's already supposed to be doing.
"""
[[audits.bytecode-alliance.audits.unicode-ident]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "1.0.8"
[[audits.bytecode-alliance.audits.unicode-normalization]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.19"
notes = """
This crate contains one usage of `unsafe` which I have manually checked to see
it as correct. This crate's size comes in large part due to the generated
unicode tables that it contains. This crate is additionally widely used
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
and nothing suspicious.
"""
[[audits.bytecode-alliance.audits.url]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.3.1"
notes = """
This crate contains no `unsafe` code and otherwise doesn't use any functionality
it's not supposed to from `std` or such. This crate is the defacto standard for
URL parsing in the Rust community with widespread usage to battle-test, harden,
and suss out bugs. I've historically reviewed this crate in the past and it
is similar to what it once was back then. Skimming over the crate there is
nothing suspicious and it's everything you'd expect a Rust URL parser to be.
"""
[[audits.embark-studios.audits.anyhow]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "1.0.58"
[[audits.embark-studios.audits.thiserror]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used"
[[audits.embark-studios.audits.thiserror-impl]]
who = "Johan Andersson <opensource@embark-studios.com>"
criteria = "safe-to-deploy"
version = "1.0.40"
notes = "Found no unsafe or ambient capabilities used"
[[audits.google.audits.bitflags]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.3.2"
notes = """
Security review of earlier versions of the crate can be found at
(Google-internal, sorry): go/image-crate-chromium-security-review
The crate exposes a function marked as `unsafe`, but doesn't use any
`unsafe` blocks (except for tests of the single `unsafe` function). I
think this justifies marking this crate as `ub-risk-1`.
Additional review comments can be found at https://crrev.com/c/4723145/31
"""
[[audits.google.audits.ctor]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.1.26"
[[audits.google.audits.fastrand]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "1.9.0"
notes = """
`does-not-implement-crypto` is certified because this crate explicitly says
that the RNG here is not cryptographically secure.
"""
[[audits.google.audits.flate2]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "1.0.30"
notes = '''
WARNING: This certification is a result of a **partial** audit. The
`any_zlib` code has **not** been audited. Ability to track partial
Chromium does use the `any_zlib` feature(s). Accidentally depending on
this feature in the future is prevented using the `ban_features` feature
of `gnrt` - see:
Security review of earlier versions of the crate can be found at
(Google-internal, sorry): go/image-crate-chromium-security-review
I grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`.
All `unsafe` in `flate2` is gated behind `#[cfg(feature = "any_zlib")]`:
* The code under `src/ffi/...` will not be used because the `mod c`
declaration in `src/ffi/mod.rs` depends on the `any_zlib` config
* 7 uses of `unsafe` in `src/mem.rs` also all depend on the
`any_zlib` config:
- 2 in `fn set_dictionary` (under `impl Compress`)
- 2 in `fn set_level` (under `impl Compress`)
- 3 in `fn set_dictionary` (under `impl Decompress`)
All hits of `'\bfs\b'` are in comments, or example code, or test code
(but not in product code).
There were no hits of `-i cipher`, `-i crypto`, `'\bnet\b'`.
'''
[[audits.google.audits.flate2]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
delta = "1.0.30 -> 1.0.31"
notes = """
Only benign changes:
* Comment-only changes in `.rs` files
* Also changing dependency version in `Cargo.toml`, but this is for `any_zlib`
feature which is not used in Chromium (i.e. this is a *partial* audit - see
the previous audit notes for 1.0.30)
"""
[[audits.google.audits.glob]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.3.1"
[[audits.google.audits.heck]]
who = "Lukasz Anforowicz <lukasza@chromium.org>"
criteria = "safe-to-deploy"
version = "0.4.1"
notes = """
Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'``
and there were no hits.
`heck` (version `0.3.3`) has been added to Chromium in
"""
[[audits.google.audits.version_check]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.9.4"
[[audits.isrg.audits.libc]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "0.2.139 -> 0.2.141"
[[audits.isrg.audits.once_cell]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.17.1 -> 1.17.2"
[[audits.isrg.audits.once_cell]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.17.2 -> 1.18.0"
[[audits.isrg.audits.serde]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.0.160 -> 1.0.162"
[[audits.isrg.audits.serde]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.0.162 -> 1.0.163"
[[audits.isrg.audits.serde_derive]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "1.0.160 -> 1.0.162"
[[audits.isrg.audits.serde_derive]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "1.0.162 -> 1.0.163"
[[audits.mozilla.audits.android_logger]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.11.0"
notes = "Small crate, wrapping Android log functionality, reviewed by janerik"
[[audits.mozilla.audits.android_logger]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.11.1"
notes = "Small crate, wrapping Android log functionality, now switched to properly using MaybeUninit"
[[audits.mozilla.audits.android_logger]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.11.1 -> 0.11.3"
[[audits.mozilla.audits.android_logger]]
who = "Chris H-C <chutten@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.11.3 -> 0.12.0"
notes = "Small wrapper crate. This update fixes log level filtering."
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.57 -> 1.0.61"
[[audits.mozilla.audits.anyhow]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.57"
notes = "No functional differences, just CI config and docs."
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.61 -> 1.0.62"
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.62 -> 1.0.68"
[[audits.mozilla.audits.anyhow]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.68 -> 1.0.69"
[[audits.mozilla.audits.askama]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.11.1"
notes = """
Just contains some traits and re-exports for use by a broader package of related
crates. No unsafe code or ambient capability usage.
"""
[[audits.mozilla.audits.autocfg]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."
[[audits.mozilla.audits.bitflags]]
who = "Alex Franchuk <afranchuk@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.3.2 -> 2.0.2"
notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
[[audits.mozilla.audits.bitflags]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
[[audits.mozilla.audits.bitflags]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "2.2.1 -> 2.3.2"
[[audits.mozilla.audits.bitflags]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "2.3.3 -> 2.4.0"
[[audits.mozilla.audits.cargo_metadata]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.15.2"
notes = "I reviewed the whole code base. Parser for the output of cargo-metadata, relying mostly on serde. No unsafe code used."
[[audits.mozilla.audits.cc]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.73 -> 1.0.78"
[[audits.mozilla.audits.crossbeam-utils]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.8.8 -> 0.8.11"
[[audits.mozilla.audits.crossbeam-utils]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.8.11 -> 0.8.14"
[[audits.mozilla.audits.either]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.6.1"
notes = """
Straightforward crate providing the Either enum and trait implementations with
no unsafe code.
"""
[[audits.mozilla.audits.errno]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.1 -> 0.3.3"
[[audits.mozilla.audits.fastrand]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.9.0 -> 2.0.0"
[[audits.mozilla.audits.goblin]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.6.0 -> 0.7.1"
[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "I have read over the macros, and audited the unsafe code."
[[audits.mozilla.audits.libc]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.147 -> 0.2.148"
[[audits.mozilla.audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"
[[audits.mozilla.audits.num-integer]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."
[[audits.mozilla.audits.num-traits]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
[[audits.mozilla.audits.proc-macro2]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.39"
notes = """
`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
`proc_macro` crate, or as a fallback implementation of the crate, depending on
where it is used.
If using this crate on older versions of rustc (1.56 and earlier), it will
temporarily replace the panic handler while initializing in order to detect if
it is running within a `proc_macro`, which could lead to surprising behaviour.
This should not be an issue for more recent compiler versions, which support
`proc_macro::is_available()`.
The `proc-macro2` crate's fallback behaviour is not identical to the complex
behaviour of the rustc compiler (e.g. it does not perform unicode normalization
for identifiers), however it behaves well enough for its intended use-case
(tests and scripts processing rust code).
`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
allow bypassing checks in the fallback implementation when constructing
`Literal` using `from_str_unchecked`. This was intended to only be used by the
`quote!` macro, however it has been removed
and is likely completely unused. Even when used, this API shouldn't be able to
cause unsoundness.
"""
[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.39 -> 1.0.43"
[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.43 -> 1.0.49"
[[audits.mozilla.audits.proc-macro2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.49 -> 1.0.51"
[[audits.mozilla.audits.quote]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.0.18"
notes = """
`quote` is a utility crate used by proc-macros to generate TokenStreams
conveniently from source code. The bulk of the logic is some complex
interlocking `macro_rules!` macros which are used to parse and build the
`TokenStream` within the proc-macro.
This crate contains no unsafe code, and the internal logic, while difficult to
read, is generally straightforward. I have audited the the quote macros, ident
formatter, and runtime logic.
"""
[[audits.mozilla.audits.quote]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.18 -> 1.0.21"
[[audits.mozilla.audits.quote]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.21 -> 1.0.23"
[[audits.mozilla.audits.redox_syscall]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.16"
[[audits.mozilla.audits.rkv]]
who = "Chris H-C <chutten@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.18.4"
[[audits.mozilla.audits.tempfile]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "3.6.0 -> 3.8.0"
[[audits.mozilla.audits.textwrap]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.15.2"
[[audits.mozilla.audits.textwrap]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.15.2 -> 0.16.0"
[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.1.20"
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.20 -> 0.1.21"
[[audits.mozilla.audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.21 -> 0.1.22"
[[audits.mozilla.audits.whatsys]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = """
Contains platform-specific FFI code for apple, mac, and windows. The windows code
also contains a small C file compiled at build-time. I audited all of it and it
looks correct.
"""
[[audits.mozilla.audits.whatsys]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.2 -> 0.3.1"
notes = "Maintained by me. I have written or reviewed all of the code."