From f885fc6c093a03c0efe32e7ee2059bf66cac96f2 Mon Sep 17 00:00:00 2001
From: Simon Brand
Date: Fri, 21 Jul 2023 22:22:24 +0000
Subject: [PATCH] update cargo supply-chain

---
 supply-chain/config.toml | 18 ++---
 supply-chain/imports.lock | 160 ++++++++++++++++++++++++++++----------
 2 files changed, 128 insertions(+), 50 deletions(-)

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index c329d0e..12874cb 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -23,6 +23,10 @@ url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
 version = "1.0.2"
 criteria = "safe-to-deploy"
 
+[[exemptions.anyhow]]
+version = "1.0.72"
+criteria = "safe-to-deploy"
+
 [[exemptions.bitflags]]
 version = "1.3.2"
 criteria = "safe-to-deploy"
@@ -131,10 +135,6 @@ criteria = "safe-to-deploy"
 version = "0.1.25"
 criteria = "safe-to-deploy"
 
-[[exemptions.proc-macro2]]
-version = "1.0.64"
-criteria = "safe-to-deploy"
-
 [[exemptions.prost]]
 version = "0.11.9"
 criteria = "safe-to-deploy"
@@ -155,10 +155,6 @@ criteria = "safe-to-deploy"
 version = "0.12.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.quote]]
-version = "1.0.29"
-criteria = "safe-to-deploy"
-
 [[exemptions.rand]]
 version = "0.7.3"
 criteria = "safe-to-deploy"
@@ -184,11 +180,11 @@ version = "1.9.1"
 criteria = "safe-to-deploy"
 
 [[exemptions.regex-automata]]
-version = "0.3.2"
+version = "0.3.3"
 criteria = "safe-to-deploy"
 
 [[exemptions.regex-syntax]]
-version = "0.7.3"
+version = "0.7.4"
 criteria = "safe-to-deploy"
 
 [[exemptions.rustix]]
@@ -224,7 +220,7 @@ version = "1.15.0"
 criteria = "safe-to-deploy"
 
 [[exemptions.unicode-ident]]
-version = "1.0.10"
+version = "1.0.11"
 criteria = "safe-to-deploy"
 
 [[exemptions.wasi]]
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 2a5e2ea..e7c194f 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
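Review bot: The new `[[exemptions.anyhow]]` entry for `version = "1.0.72"` in the first config.toml hunk replaces the imported anyhow audits that this same commit drops from imports.lock, which as far as the removed entries show formed a continuous delta chain up to 1.0.71, so anyhow is now accepted for safe-to-deploy on exemption alone rather than on third-party review. Since only the 1.0.71 -> 1.0.72 step lacks an imported audit, reviewing that diff with `cargo vet diff anyhow 1.0.71 1.0.72` and recording `cargo vet certify anyhow 1.0.71 1.0.72` would keep the audit chain intact instead of widening the exemption to the whole version. If the exemption is deliberate (for example because upstream audits had not caught up yet), the entry should carry a `notes = "..."` line saying so, as an unexplained exemption is indistinguishable from a forgotten one at the next review. The regex-automata, regex-syntax and unicode-ident changes in the later hunks are likewise exemption bumps rather than audits, but they follow the file's existing pattern.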
@@ -1,11 +1,6 @@
 # cargo-vet imports lock
 
-[[audits.bytecodealliance.audits.anyhow]]
-who = "Pat Hickey "
-criteria = "safe-to-deploy"
-delta = "1.0.69 -> 1.0.71"
-
 [[audits.bytecodealliance.audits.base64]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
@@ -51,10 +46,24 @@ criteria = "safe-to-deploy"
 version = "0.4.0"
 notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."
 
-[[audits.embark.audits.anyhow]]
-who = "Johan Andersson "
+[[audits.bytecodealliance.audits.proc-macro2]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+delta = "1.0.51 -> 1.0.57"
+
+[[audits.bytecodealliance.audits.proc-macro2]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "1.0.59 -> 1.0.63"
+notes = """
+This is a routine update for new nightly features and new syntax popping up on
+nightly, nothing out of the ordinary.
+"""
+
+[[audits.bytecodealliance.audits.quote]]
+who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "1.0.58"
+delta = "1.0.23 -> 1.0.27"
 
 [[audits.embark.audits.epaint]]
 who = "Johan Andersson "
@@ -113,37 +122,6 @@ who = "David Cook "
 criteria = "safe-to-deploy"
 version = "0.3.0"
 
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.57 -> 1.0.61"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Bobby Holley "
-criteria = "safe-to-deploy"
-delta = "1.0.58 -> 1.0.57"
-notes = "No functional differences, just CI config and docs."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.61 -> 1.0.62"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.62 -> 1.0.68"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.68 -> 1.0.69"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
 [[audits.mozilla.audits.autocfg]]
 who = "Josh Stone "
 criteria = "safe-to-deploy"
@@ -201,6 +179,110 @@ criteria = "safe-to-deploy"
 delta = "1.16.0 -> 1.17.1"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.proc-macro2]]
+who = "Nika Layzell "
+criteria = "safe-to-deploy"
+version = "1.0.39"
+notes = """
+`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
+`proc_macro` crate, or as a fallback implementation of the crate, depending on
+where it is used.
+
+If using this crate on older versions of rustc (1.56 and earlier), it will
+temporarily replace the panic handler while initializing in order to detect if
+it is running within a `proc_macro`, which could lead to surprising behaviour.
+This should not be an issue for more recent compiler versions, which support
+`proc_macro::is_available()`.
+
+The `proc-macro2` crate's fallback behaviour is not identical to the complex
+behaviour of the rustc compiler (e.g. it does not perform unicode normalization
+for identifiers), however it behaves well enough for its intended use-case
+(tests and scripts processing rust code).
+
+`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
+allow bypassing checks in the fallback implementation when constructing
+`Literal` using `from_str_unchecked`. This was intended to only be used by the
+`quote!` macro, however it has been removed
+(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
+and is likely completely unused. Even when used, this API shouldn't be able to
+cause unsoundness.
+""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.39 -> 1.0.43" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.49" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.49 -> 1.0.51" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro2]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.57 -> 1.0.59" +notes = "Enabled on Wasm" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro2]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.66" +notes = "Removed special support for some really old Rust versions" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.quote]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.0.18" +notes = """ +`quote` is a utility crate used by proc-macros to generate TokenStreams +conveniently from source code. The bulk of the logic is some complex +interlocking `macro_rules!` macros which are used to parse and build the +`TokenStream` within the proc-macro. + +This crate contains no unsafe code, and the internal logic, while difficult to +read, is generally straightforward. I have audited the the quote macros, ident +formatter, and runtime logic. 
+""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.quote]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.18 -> 1.0.21" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.quote]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.21 -> 1.0.23" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.quote]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.27 -> 1.0.28" +notes = "Enabled on wasm targets" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.quote]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.28 -> 1.0.31" +notes = "Minimal changes and removal of the build.rs" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.subtle]] who = "Simon Friedberger " criteria = "safe-to-deploy"