diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7be5c66..3862faa 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,7 +6,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout sources
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - run: git submodule update --init --recursive
 - run: sudo apt-get update
 - run: sudo apt-get --yes install protobuf-compiler cargo shellcheck
diff --git a/Cargo.lock b/Cargo.lock
index 1beb323..491fcfc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -13,9 +13,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.71"
+version = "1.0.72"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c7d0618f0e0b7e8ff11427422b64564d5fb0be1940354bfe2e0529b18a9d9b8"
+checksum = "3b13c32d80ecc7ab747b80c3784bce54ee8a7a0cc4fbda9bf4cda2cf6fe90854"

 [[package]]
 name = "autocfg"
@@ -337,9 +337,9 @@ dependencies = [

 [[package]]
 name = "proc-macro2"
-version = "1.0.64"
+version = "1.0.66"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78803b62cbf1f46fde80d7c0e803111524b9877184cfe7c3033659490ac7a7da"
+checksum = "18fb31db3f9bddb2ea821cde30a9f70117e3f119938b5ee630b7403aa6e2ead9"
 dependencies = [
  "unicode-ident",
 ]
@@ -409,9 +409,9 @@ dependencies = [

 [[package]]
 name = "quote"
-version = "1.0.29"
+version = "1.0.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "573015e8ab27661678357f27dc26460738fd2b6c86e46f386fde94cb5d913105"
+checksum = "5fe8a65d69dd0808184ebb5f836ab526bb259db23c657efa38711b1072ee47f0"
 dependencies = [
  "proc-macro2",
 ]
@@ -480,9 +480,9 @@ dependencies = [

 [[package]]
 name = "regex-automata"
-version = "0.3.2"
+version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83d3daa6976cffb758ec878f108ba0e062a45b2d6ca3a2cca965338855476caf"
+checksum = "39354c10dd07468c2e73926b23bb9c2caca74c5501e38a35da70406f1d923310"
 dependencies = [
  "aho-corasick",
  "memchr",
@@ -491,9 +491,9 @@ dependencies = [

 [[package]]
 name = "regex-syntax"
-version = "0.7.3"
+version = "0.7.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ab07dc67230e4a4718e70fd5c20055a4334b121f1f9db8fe63ef39ce9b8c846"
+checksum = "e5ea92a5b6195c6ef2a0295ea818b312502c6fc94dde986c5553242e18fd4ce2"

 [[package]]
 name = "rustix"
@@ -584,9 +584,9 @@ checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"

 [[package]]
 name = "unicode-ident"
-version = "1.0.10"
+version = "1.0.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22049a19f4a68748a168c0fc439f9516686aa045927ff767eca0a85101fb6e73"
+checksum = "301abaae475aa91687eb82514b328ab47a211a533026cb25fc3e519b86adfc3c"

 [[package]]
 name = "version_check"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index c329d0e..12874cb 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -23,6 +23,10 @@ url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
 version = "1.0.2"
 criteria = "safe-to-deploy"

+[[exemptions.anyhow]]
+version = "1.0.72"
+criteria = "safe-to-deploy"
+
 [[exemptions.bitflags]]
 version = "1.3.2"
 criteria = "safe-to-deploy"
@@ -131,10 +135,6 @@ criteria = "safe-to-deploy"
 version = "0.1.25"
 criteria = "safe-to-deploy"

-[[exemptions.proc-macro2]]
-version = "1.0.64"
-criteria = "safe-to-deploy"
-
 [[exemptions.prost]]
 version = "0.11.9"
 criteria = "safe-to-deploy"
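Review bot: The new `[[exemptions.anyhow]]` entry for 1.0.72 at the top of the `supply-chain/config.toml` hunk downgrades anyhow from audited to exempted: the same commit drops every imported anyhow audit from `supply-chain/imports.lock` (the `@@ -1,11 +1,6` and `@@ -113,37 +122,6` hunks), which suggests the imported audit chain ends at 1.0.71 and no longer reaches the new version. Since only one patch release was crossed, a delta audit (`cargo vet certify anyhow 1.0.71 1.0.72` after reviewing `cargo vet diff anyhow 1.0.71 1.0.72`) would keep the crate audited instead of exempted. If the exemption is kept deliberately, record the reason on the entry, e.g. `notes = "1.0.72 not yet covered by imported audits; delta audit pending"`, so it is not read as a permanent waiver. The bumped exemptions for regex-automata, regex-syntax and unicode-ident in the `@@ -184,11 +180,11` and `@@ -224,7 +220,7` hunks carry the same concern: each moves an unaudited version forward rather than certifying the delta.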
@@ -155,10 +155,6 @@ criteria = "safe-to-deploy"
 version = "0.12.0"
 criteria = "safe-to-deploy"

-[[exemptions.quote]]
-version = "1.0.29"
-criteria = "safe-to-deploy"
-
 [[exemptions.rand]]
 version = "0.7.3"
 criteria = "safe-to-deploy"
@@ -184,11 +180,11 @@ version = "1.9.1"
 criteria = "safe-to-deploy"

 [[exemptions.regex-automata]]
-version = "0.3.2"
+version = "0.3.3"
 criteria = "safe-to-deploy"

 [[exemptions.regex-syntax]]
-version = "0.7.3"
+version = "0.7.4"
 criteria = "safe-to-deploy"

 [[exemptions.rustix]]
@@ -224,7 +220,7 @@ version = "1.15.0"
 criteria = "safe-to-deploy"

 [[exemptions.unicode-ident]]
-version = "1.0.10"
+version = "1.0.11"
 criteria = "safe-to-deploy"

 [[exemptions.wasi]]
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 2a5e2ea..e7c194f 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -1,11 +1,6 @@
 # cargo-vet imports lock

-[[audits.bytecodealliance.audits.anyhow]]
-who = "Pat Hickey "
-criteria = "safe-to-deploy"
-delta = "1.0.69 -> 1.0.71"
-
 [[audits.bytecodealliance.audits.base64]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
@@ -51,10 +46,24 @@ criteria = "safe-to-deploy"
 version = "0.4.0"
 notes = "Contains `forbid_unsafe` and only uses `std::fmt` from the standard library. Otherwise only contains string manipulation."

-[[audits.embark.audits.anyhow]]
-who = "Johan Andersson "
+[[audits.bytecodealliance.audits.proc-macro2]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+delta = "1.0.51 -> 1.0.57"
+
+[[audits.bytecodealliance.audits.proc-macro2]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "1.0.59 -> 1.0.63"
+notes = """
+This is a routine update for new nightly features and new syntax popping up on
+nightly, nothing out of the ordinary.
+"""
+
+[[audits.bytecodealliance.audits.quote]]
+who = "Pat Hickey "
 criteria = "safe-to-deploy"
-version = "1.0.58"
+delta = "1.0.23 -> 1.0.27"

 [[audits.embark.audits.epaint]]
 who = "Johan Andersson "
@@ -113,37 +122,6 @@ who = "David Cook "
 criteria = "safe-to-deploy"
 version = "0.3.0"

-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.57 -> 1.0.61"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Bobby Holley "
-criteria = "safe-to-deploy"
-delta = "1.0.58 -> 1.0.57"
-notes = "No functional differences, just CI config and docs."
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.61 -> 1.0.62"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.62 -> 1.0.68"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.anyhow]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "1.0.68 -> 1.0.69"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
 [[audits.mozilla.audits.autocfg]]
 who = "Josh Stone "
 criteria = "safe-to-deploy"
@@ -201,6 +179,110 @@ criteria = "safe-to-deploy"
 delta = "1.16.0 -> 1.17.1"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

+[[audits.mozilla.audits.proc-macro2]]
+who = "Nika Layzell "
+criteria = "safe-to-deploy"
+version = "1.0.39"
+notes = """
+`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided
+`proc_macro` crate, or as a fallback implementation of the crate, depending on
+where it is used.
+
+If using this crate on older versions of rustc (1.56 and earlier), it will
+temporarily replace the panic handler while initializing in order to detect if
+it is running within a `proc_macro`, which could lead to surprising behaviour.
+This should not be an issue for more recent compiler versions, which support
+`proc_macro::is_available()`.
+
+The `proc-macro2` crate's fallback behaviour is not identical to the complex
+behaviour of the rustc compiler (e.g. it does not perform unicode normalization
+for identifiers), however it behaves well enough for its intended use-case
+(tests and scripts processing rust code).
+
+`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to
+allow bypassing checks in the fallback implementation when constructing
+`Literal` using `from_str_unchecked`. This was intended to only be used by the
+`quote!` macro, however it has been removed
+(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078),
+and is likely completely unused. Even when used, this API shouldn't be able to
+cause unsoundness.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.proc-macro2]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.0.39 -> 1.0.43"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.proc-macro2]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.0.43 -> 1.0.49"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.proc-macro2]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.0.49 -> 1.0.51"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.proc-macro2]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "1.0.57 -> 1.0.59"
+notes = "Enabled on Wasm"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.proc-macro2]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "1.0.63 -> 1.0.66"
+notes = "Removed special support for some really old Rust versions"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.quote]]
+who = "Nika Layzell "
+criteria = "safe-to-deploy"
+version = "1.0.18"
+notes = """
+`quote` is a utility crate used by proc-macros to generate TokenStreams
+conveniently from source code. The bulk of the logic is some complex
+interlocking `macro_rules!` macros which are used to parse and build the
+`TokenStream` within the proc-macro.
+
+This crate contains no unsafe code, and the internal logic, while difficult to
+read, is generally straightforward. I have audited the the quote macros, ident
+formatter, and runtime logic.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.quote]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.0.18 -> 1.0.21"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.quote]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.0.21 -> 1.0.23"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.quote]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "1.0.27 -> 1.0.28"
+notes = "Enabled on wasm targets"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.quote]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "1.0.28 -> 1.0.31"
+notes = "Minimal changes and removal of the build.rs"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.subtle]]
 who = "Simon Friedberger "
 criteria = "safe-to-deploy"