all: audit some dependencies

2024-04-05 11:56:46 +03:00 · 2024-04-05 11:56:46 +03:00 · 0d87f0c8d0
parent f017e8c559
commit 0d87f0c8d0
5 changed files with 82 additions and 54 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -578,7 +578,6 @@ dependencies = [
 "fastrand",
 "getopts",
 "log",
- "once_cell",
 "serde",
 "signal-hook",
 "thiserror",
--- a/master/Cargo.toml
+++ b/master/Cargo.toml
@ -35,5 +35,3 @@ version = "<0.4.27"
 optional = true
 default-features = false
 features = ["clock"]
-[target.wasm32-unknown-emscripten.dependencies]
-once_cell = { version = "<1.18", optional = true }
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@ -1,16 +1,71 @@

 # cargo-vet audits file

+[[audits.android-tzdata]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.1"
+
+[[audits.bitflags]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.3.2"
+
+[[audits.const-random]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.18"
+
+[[audits.const-random-macro]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.16"
+
+[[audits.constant_time_eq]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.5"
+
 [[audits.fastrand]]
 who = "Denis Drakhnia <numas13@gmail.com>"
 criteria = "safe-to-deploy"
 delta = "2.0.1 -> 2.0.2"

+[[audits.getrandom]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.2.2"
+
 [[audits.iana-time-zone]]
 who = "Denis Drakhnia <numas13@gmail.com>"
 criteria = "safe-to-deploy"
 delta = "0.1.59 -> 0.1.60"

+[[audits.numtoa]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.0"
+
+[[audits.once_cell]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.12.0"
+
+[[audits.redox_termios]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.1.3"
+
+[[audits.signal-hook]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.3.17"
+
+[[audits.tiny-keccak]]
+who = "Denis Drakhnia <numas13@gmail.com>"
+criteria = "safe-to-deploy"
+version = "2.0.2"
+
 [[trusted.getopts]]
 criteria = "safe-to-deploy"
 user-id = 1 # Alex Crichton (alexcrichton)
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@ -35,14 +35,6 @@ audit-as-crates-io = true
 version = "0.4.8"
 criteria = "safe-to-deploy"

-[[exemptions.android-tzdata]]
-version = "0.1.1"
-criteria = "safe-to-deploy"
-
-[[exemptions.bitflags]]
-version = "1.3.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.blake2b_simd]]
 version = "0.5.11"
 criteria = "safe-to-deploy"
@ -51,50 +43,14 @@ criteria = "safe-to-deploy"
 version = "0.4.26"
 criteria = "safe-to-deploy"

-[[exemptions.const-random]]
-version = "0.1.17"
-criteria = "safe-to-deploy"
-
-[[exemptions.const-random-macro]]
-version = "0.1.16"
-criteria = "safe-to-deploy"
-
-[[exemptions.constant_time_eq]]
-version = "0.1.5"
-criteria = "safe-to-deploy"
-
-[[exemptions.getrandom]]
-version = "0.2.10"
-criteria = "safe-to-deploy"
-
-[[exemptions.numtoa]]
-version = "0.1.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.once_cell]]
-version = "1.17.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.redox_syscall]]
 version = "0.2.16"
 criteria = "safe-to-deploy"

-[[exemptions.redox_termios]]
-version = "0.1.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.signal-hook]]
-version = "0.3.17"
-criteria = "safe-to-deploy"
-
 [[exemptions.termion]]
 version = "2.0.1"
 criteria = "safe-to-deploy"

-[[exemptions.tiny-keccak]]
-version = "2.0.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.winapi]]
 version = "0.3.9"
 criteria = "safe-to-deploy"
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@ -363,6 +363,13 @@ that the RNG here is not cryptographically secure.
 """
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

+[[audits.google.audits.getrandom]]
+who = "David Koloski <dkoloski@google.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.2 -> 0.2.12"
+notes = "Audited at https://fxrev.dev/932979"
+aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.quote]]
 who = "Lukasz Anforowicz <lukasza@chromium.org>"
 criteria = "safe-to-deploy"
@ -424,15 +431,10 @@ who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
 version = "0.2.2"

-[[audits.isrg.audits.getrandom]]
+[[audits.isrg.audits.once_cell]]
 who = "Brandon Pitman <bran@bran.land>"
 criteria = "safe-to-deploy"
-delta = "0.2.10 -> 0.2.11"
-
-[[audits.isrg.audits.getrandom]]
-who = "David Cook <dcook@divviup.org>"
-criteria = "safe-to-deploy"
-delta = "0.2.11 -> 0.2.12"
+delta = "1.17.1 -> 1.17.2"

 [[audits.mozilla.wildcard-audits.core-foundation-sys]]
 who = "Bobby Holley <bobbyholley@gmail.com>"
@ -503,6 +505,24 @@ delta = "0.4.17 -> 0.4.18"
 notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

+[[audits.mozilla.audits.once_cell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.12.0 -> 1.13.1"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.once_cell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.13.1 -> 1.16.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.once_cell]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.16.0 -> 1.17.1"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.toml]]
 who = "Bobby Holley <bobbyholley@gmail.com>"
 criteria = "safe-to-deploy"