Update aggregated cargo-vet audits

zcash · Sep 26, 2024 · 4816dbc · 4816dbc
1 parent eee59e2
commit 4816dbc
Showing 1 changed file with 204 additions and 0 deletions.
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -83,6 +83,13 @@ criteria = "safe-to-deploy"
 delta = "0.2.16 -> 0.2.18"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.ambassador]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = "safe-to-deploy"
+version = "0.4.1"
+notes = "Crate uses no unsafe code and the macros introduced by this crate generate the expected trait implementations without introducing additional unexpected operations."
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[audits.anyhow]]
 who = "Daira-Emma Hopwood <[email protected]>"
 criteria = "safe-to-deploy"
@@ -161,6 +168,19 @@ criteria = "safe-to-deploy"
 delta = "0.3.6 -> 0.3.7"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.arrayref]]
+who = "Daira-Emma Hopwood <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.3.6 -> 0.3.8"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.arrayref]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.3.8 -> 0.3.9"
+notes = "Changes to `unsafe` lines are to make some existing `unsafe fn`s `const`."
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.async-trait]]
 who = "Daira-Emma Hopwood <[email protected]>"
 criteria = "safe-to-deploy"
@@ -387,6 +407,12 @@ and appear correct as far as I can see.
 """
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.bytes]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.7.1 -> 1.7.2"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.cc]]
 who = "Daira-Emma Hopwood <[email protected]>"
 criteria = "safe-to-deploy"
@@ -411,6 +437,12 @@ I did not review the use of library handles in the `com` package on Windows.
 """
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.cc]]
+who = "Daira-Emma Hopwood <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.1.6 -> 1.1.13"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.chacha20]]
 who = "Jack Grigg <[email protected]>"
 criteria = ["crypto-reviewed", "safe-to-deploy"]
@@ -534,6 +566,12 @@ delta = "0.2.6 -> 0.3.0"
 notes = "Replaces some `unsafe` code by bumping MSRV to 1.66 (to access `core::hint::black_box`)."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.constant_time_eq]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.3.0 -> 0.3.1"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.cpufeatures]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -570,6 +608,16 @@ criteria = "safe-to-deploy"
 delta = "0.2.11 -> 0.2.12"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.cpufeatures]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.2.13 -> 0.2.14"
+notes = """
+New `unsafe` block is to call `sysctlbyname` to detect DIT on Apple ARM64, which
+is done in the same way as existing target feature checks on that arch.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.crossbeam-channel]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -845,6 +893,16 @@ notes = """
 """
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.cxx]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.0.126 -> 1.0.128"
+notes = """
+`unsafe` changes are to copy the `SyncUnsafeCell` type from nightly Rust. It is
+used as the ZST `SyncUnsafeCell<PhantomData<()>>` to fix an LLVM miscompilation.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.cxxbridge-flags]]
 who = "Daira Hopwood <[email protected]>"
 criteria = "safe-to-deploy"
@@ -1029,6 +1087,12 @@ delta = "1.0.122 -> 1.0.124"
 notes = "Only changes to lints."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.cxxbridge-macro]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "1.0.126 -> 1.0.128"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.darling]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -1232,6 +1296,12 @@ criteria = "safe-to-deploy"
 delta = "2.0.2 -> 2.1.0"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.fastrand]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "2.1.0 -> 2.1.1"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.ff]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -1730,6 +1800,12 @@ criteria = "safe-to-deploy"
 delta = "2.8.0 -> 2.9.0"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.ipnet]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "2.9.0 -> 2.10.0"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.is-terminal]]
 who = "Daira-Emma Hopwood <[email protected]>"
 criteria = "safe-to-run"
@@ -2818,6 +2894,13 @@ be set correctly by `cargo`.
 """
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.rustc_version]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.4.0 -> 0.4.1"
+notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`."
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.rustix]]
 who = "Daira-Emma Hopwood <[email protected]>"
 criteria = "safe-to-deploy"
@@ -3351,6 +3434,12 @@ delta = "3.5.0 -> 3.6.0"
 notes = "New `build.rs` file uses `autocfg` crate to conditionally enable new trait impls."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.tempfile]]
+who = "Daira-Emma Hopwood <[email protected]>"
+criteria = "safe-to-run"
+delta = "3.5.0 -> 3.12.0"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.tempfile]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -3844,6 +3933,17 @@ criteria = "safe-to-run"
 delta = "0.2.1 -> 0.2.2"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
+[[audits.visibility]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = ["safe-to-deploy", "license-reviewed"]
+version = "0.1.1"
+notes = """
+- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`.
+- Crate has no powerful imports, and exclusively provides a proc macro
+  that safely malleates a visibility modifier.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[audits.wagyu-zcash-parameters]]
 who = "Sean Bowe <[email protected]>"
 criteria = ["safe-to-deploy", "crypto-reviewed"]
@@ -4040,6 +4140,40 @@ criteria = "safe-to-deploy"
 delta = "2.5.0 -> 2.5.2"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.zcash_address]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.3.2 -> 0.4.0"
+notes = "This release contains no unsafe code and consists soley of added convenience methods."
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
+[[audits.zcash_encoding]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.2.0 -> 0.2.1"
+notes = "This release adds minor convenience methods and involves no unsafe code."
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
+[[audits.zcash_keys]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.2.0 -> 0.3.0"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
+[[audits.zcash_primitives]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.15.1 -> 0.16.0"
+notes = "The primary change here is the switch from the `hdwallet` dependency to using `bip32`."
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
+[[audits.zcash_proofs]]
+who = "Kris Nuttycombe <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.15.0 -> 0.16.0"
+notes = "This release involves only updates of previously-vetted dependencies."
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[audits.zerocopy]]
 who = "Daira-Emma Hopwood <[email protected]>"
 criteria = "safe-to-deploy"
@@ -4242,6 +4376,20 @@ start = "2022-10-19"
 end = "2025-04-22"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
+[[trusted.orchard]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-12"
+end = "2025-08-12"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
+[[trusted.orchard]]
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+user-id = 169181
+start = "2024-08-12"
+end = "2025-08-12"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[trusted.orchard]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289
@@ -4263,6 +4411,20 @@ start = "2024-01-26"
 end = "2025-04-22"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
+[[trusted.sapling-crypto]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-12"
+end = "2025-08-12"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
+[[trusted.sapling-crypto]]
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+user-id = 169181
+start = "2024-08-12"
+end = "2025-08-12"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[trusted.sapling-crypto]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289
@@ -4438,6 +4600,13 @@ start = "2021-03-07"
 end = "2025-04-22"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
+[[trusted.zcash_address]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-20"
+end = "2025-08-26"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[trusted.zcash_address]]
 criteria = "safe-to-deploy"
 user-id = 1244
@@ -4452,6 +4621,13 @@ start = "2021-03-07"
 end = "2025-03-18"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[trusted.zcash_address]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-20"
+end = "2025-08-26"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[trusted.zcash_client_backend]]
 criteria = "safe-to-deploy"
 user-id = 169181
@@ -4550,6 +4726,13 @@ start = "2019-10-08"
 end = "2025-04-22"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
+[[trusted.zcash_primitives]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-20"
+end = "2025-08-26"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[trusted.zcash_primitives]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289
@@ -4564,20 +4747,41 @@ start = "2019-10-08"
 end = "2024-09-21"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[trusted.zcash_primitives]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-20"
+end = "2025-08-26"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[trusted.zcash_proofs]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289
 start = "2021-03-26"
 end = "2025-04-22"
 aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
 
+[[trusted.zcash_proofs]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-20"
+end = "2025-08-26"
+aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
+
 [[trusted.zcash_proofs]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289
 start = "2021-03-26"
 end = "2024-09-21"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[trusted.zcash_proofs]]
+criteria = "safe-to-deploy"
+user-id = 169181
+start = "2024-08-20"
+end = "2025-08-26"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[trusted.zcash_protocol]]
 criteria = "safe-to-deploy"
 user-id = 169181