{{!--
Copyright 2024 The Chromium Authors
Use of this source code is governed by a BSD-style license that can be
found in the LICENSE file.

TODO(lukasza: https://github.com/mozilla/cargo-vet/issues/589): Reintroduce
Chromium-specific comments if/when `cargo vet ... --locked` stops complaining
about them with: "A file in the store is not correctly formatted". These
should include the copyright comment above, but maybe more importantly
they should include:

    # @generated by tools/crates/gnrt vendor. Do not edit.

Template for the cargo-vet config file. Only the [policy.*] tables are
generated (one per entry of this.policies); everything else is copied into
the output as written. Because of the issue above, explanations are kept in
this template comment, which is not rendered, rather than as `#` comments
next to the keys.

What each part means for supply-chain review:

* default-criteria: the criteria `cargo vet certify` records when none are
  given. Per-crate requirements come from the rendered [policy.*] tables.
* [imports.*]: audit sets published by ChromiumOS, Fuchsia and Google are
  accepted alongside local audits. Each criteria-map entry maps one of their
  criteria to the local criterion of the same name, so the local meaning of
  crypto-safe, does-not-implement-crypto and ub-risk-N is assumed to match
  theirs; confirm this when a definition changes on either side. All three
  URLs follow a `main` branch, so the imported content can change between
  fetches; review the imports.lock diff whenever it is refreshed.
* [policy."crate"]: crate_name and the criteria strings are written into
  quoted TOML strings without TOML string escaping. NOTE(review): presumably
  both come only from the vendored crate set and the local criteria names;
  verify in the generator.
* [[exemptions.*]]: the listed version is treated as meeting the listed
  criteria without a recorded audit. Bumping `version` extends that trust to
  code with no recorded review, so each bump should add a dated line to
  `notes`, and an exemption should be replaced by an audit (local or
  imported) once one is available.
* NOTE(review): rand_chacha and rand_core are exempted for
  does-not-implement-crypto only, with no safe-to-* or ub-risk-* criterion.
  The name rand_chacha suggests a ChaCha-based generator; confirm that this
  matches the criterion's definition before turning the exemption into an
  audit.
--}}

# cargo-vet config file

default-criteria = "safe-to-run"

[cargo-vet]
version = "0.9"

[imports.chromeos]
url = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[imports.chromeos.criteria-map]
crypto-safe = "crypto-safe"
does-not-implement-crypto = "does-not-implement-crypto"
ub-risk-0 = "ub-risk-0"
ub-risk-1 = "ub-risk-1"
ub-risk-2 = "ub-risk-2"
ub-risk-3 = "ub-risk-3"
ub-risk-4 = "ub-risk-4"

[imports.fuchsia]
url = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[imports.fuchsia.criteria-map]
crypto-safe = "crypto-safe"
does-not-implement-crypto = "does-not-implement-crypto"
ub-risk-0 = "ub-risk-0"
ub-risk-1 = "ub-risk-1"
ub-risk-2 = "ub-risk-2"
ub-risk-3 = "ub-risk-3"
ub-risk-4 = "ub-risk-4"

[imports.google]
url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml"

[imports.google.criteria-map]
crypto-safe = "crypto-safe"
does-not-implement-crypto = "does-not-implement-crypto"
ub-risk-0 = "ub-risk-0"
ub-risk-1 = "ub-risk-1"
ub-risk-2 = "ub-risk-2"
ub-risk-3 = "ub-risk-3"
ub-risk-4 = "ub-risk-4"

{{#each this.policies}}
[policy."{{crate_name}}"]
criteria = [{{#each criteria}}{{#if @first}}{{else}}, {{/if}}"{{this}}"{{/each}}]

{{/each}}
[[exemptions.cxx]]
version = "1.0.117"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024

Delta audit of 1.0.110 -> 1.0.115 has been done in Jan 2024,
but because of a lack of a fully-audited baseline
nothing was recorded in audits.toml

Exemption updated to 1.0.116 in Feb 2024.
Exemption updated to 1.0.117 in Feb 2024.
"""

[[exemptions.cxxbridge-macro]]
version = "1.0.117"
criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024

Delta audit of 1.0.110 -> 1.0.115 has been done in Jan 2024,
but because of a lack of a fully-audited baseline
nothing was recorded in audits.toml

Exemption updated to 1.0.116 in Feb 2024.
Exemption updated to 1.0.117 in Feb 2024.
"""

[[exemptions.libc]]
version = "0.2.153"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024

Unsoundness was found in 0.2.152 behind a crate feature
(called \"extra_traits\") that is unused by Chromium.
https://crbug.com/1524111 tracks ensuring that we don't
accidentally start depending on this feature.

Exemption updated to 0.2.153 in Feb 2024.
"""

[[exemptions.memchr]]
version = "2.7.2"
criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024

Bumped up the exemption to 2.7.1 when updating the crates.
When removing the exemptions in the future we may want to look
at the notes in cl/568617493 but even with those notes
a review of the whole crate (rather than just the delta)
may be needed for `ub-risk-2`.

Bumped up the exemption to 2.7.2 in April 2024.
The delta was relatively small and straightfoward
(focusing on `target_feature = \"simd128\"`).
Note that an unfinished audit of 2.7.1 has been started at
https://crrev.com/c/5367005 and I hear that Fuchsia has also
been working on reviewing 2.7.1 (so we should check later
if maybe we can just import their audit).
"""

[[exemptions.rand_chacha]]
version = "0.3.1"
criteria = "does-not-implement-crypto"
notes = "Grandparented-in when setting up `cargo vet` in Jan 2024"

[[exemptions.rand_core]]
version = "0.6.4"
criteria = "does-not-implement-crypto"
notes = "Grandparented-in when setting up `cargo vet` in Jan 2024"

[[exemptions.read-fonts]]
version = "0.15.6"
criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
notes = """
0.15.2 grandparented-in when setting up `cargo vet` in Jan 2024.
Exemption updated to 0.15.5 when updating the crate in Feb 2024.
Exemption updated to 0.15.6 when updating the crate in Feb 2024.
"""

[[exemptions.ryu]]
version = "1.0.17"
criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024.

Delta audit of 1.0.15 -> 1.0.16 has been done in Jan 2024,
but because of a lack of a fully-audited baseline
nothing was recorded in audits.toml

Exemption updated to 1.0.17 in Feb 2024.
"""

[[exemptions.skrifa]]
version = "0.15.5"
criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
notes = """
0.15.2 grandparented-in when setting up `cargo vet` in Jan 2024.
Exemption updated to 0.15.5 when updating the crate in Feb 2024.
"""

[[exemptions.syn]]
version = "2.0.52"
criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024

Delta audit of 2.0.39 -> syn-2.0.48 has been done in Jan 2024
(including an `unsafe` review done at https://crrev.com/c/5178771),
but because of a lack of a fully-audited baseline
nothing was recorded in audits.toml

Exemption updated to 2.0.50 when updating the crate in Feb 2024.
Exemption updated to 2.0.52 when updating the crate in Mar 2024.
"""