From 8ed5fe0b8dcd2604a3f4e108c27a3005a188ee3d Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Thu, 26 Mar 2026 12:01:50 -0600 Subject: [PATCH 01/13] Add `PartialEq` and `Eq` impls for `DiversifiableFullViewingKey`. --- CHANGELOG.md | 5 +++++ src/keys.rs | 4 ++-- src/zip32.rs | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b6950d3e..6a399a6d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ and this library adheres to Rust's notion of ## [Unreleased] +### Added +- `impl {PartiaEq, Eq} for sapling_crypto::keys::ViewingKey` +- `impl {PartiaEq, Eq} for sapling_crypto::keys::FullViewingKey` +- `impl {PartiaEq, Eq} for sapling_crypto::zip32::DiversifiableFullViewingKey` + ## [0.6.0] - 2025-12-05 ### Added diff --git a/src/keys.rs b/src/keys.rs index f00c7f34..cc7e0834 100644 --- a/src/keys.rs +++ b/src/keys.rs @@ -346,7 +346,7 @@ impl ProofGenerationKey { #[derive(Debug, Copy, Clone, PartialEq, Eq)] pub struct NullifierDerivingKey(pub jubjub::SubgroupPoint); -#[derive(Debug, Clone)] +#[derive(Debug, Clone, PartialEq, Eq)] pub struct ViewingKey { pub ak: SpendValidatingKey, pub nk: NullifierDerivingKey, @@ -367,7 +367,7 @@ impl ViewingKey { } /// A Sapling key that provides the capability to view incoming and outgoing transactions. -#[derive(Debug)] +#[derive(Debug, PartialEq, Eq)] pub struct FullViewingKey { pub vk: ViewingKey, pub ovk: OutgoingViewingKey, diff --git a/src/zip32.rs b/src/zip32.rs index 5ca8f53f..bfdc9cdd 100644 --- a/src/zip32.rs +++ b/src/zip32.rs @@ -654,7 +654,7 @@ impl ExtendedFullViewingKey { /// Sapling item in a [ZIP 316 Unified Full Viewing Key][zip-0316-ufvk]. /// /// [zip-0316-ufvk]: https://zips.z.cash/zip-0316#encoding-of-unified-full-incoming-viewing-keys -#[derive(Clone, Debug)] +#[derive(Clone, Debug, PartialEq, Eq)] pub struct DiversifiableFullViewingKey { fvk: FullViewingKey, dk: DiversifierKey, From f2576a3b86f4dd17c0058661f9528df579a804c0 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Thu, 26 Mar 2026 12:10:07 -0600 Subject: [PATCH 02/13] Fix broken no_std CI builds. --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1300123d..70a58d24 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -68,6 +68,8 @@ jobs: - name: Add typenum with the no_std feature working-directory: ./ci-build run: cargo add typenum --no-default-features --features "no_std" + - name: Copy pinned dependencies into synthetic crate + run: cp crate_root/Cargo.lock ci-build/ - name: Show Cargo.toml for the synthetic crate working-directory: ./ci-build run: cat Cargo.toml From e8c8852a51d2cc999d41dd5b72272aa9384ffb99 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Thu, 26 Mar 2026 12:10:07 -0600 Subject: [PATCH 03/13] Release sapling-crypto version 0.6.1 --- CHANGELOG.md | 2 ++ Cargo.lock | 2 +- Cargo.toml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6a399a6d..6029907c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ and this library adheres to Rust's notion of ## [Unreleased] +## [0.6.1] - 2026-03-26 + ### Added - `impl {PartiaEq, Eq} for sapling_crypto::keys::ViewingKey` - `impl {PartiaEq, Eq} for sapling_crypto::keys::FullViewingKey` diff --git a/Cargo.lock b/Cargo.lock index 5acbbb24..b9b8e6f6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1315,7 +1315,7 @@ dependencies = [ [[package]] name = "sapling-crypto" -version = "0.6.0" +version = "0.6.1" dependencies = [ "aes", "bellman", diff --git a/Cargo.toml b/Cargo.toml index 8d352831..7a94e2de 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "sapling-crypto" -version = "0.6.0" +version = "0.6.1" authors = [ "Sean Bowe ", "Jack Grigg ", From d9932f67b8bca1944b48827836fd2a5f0fd0ef5c Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 31 Mar 2026 10:04:26 -0600 Subject: [PATCH 04/13] Add PartialEq & Eq impls for SaplingIvk & IncomingViewingKey --- CHANGELOG.md | 5 +++++ src/keys.rs | 2 +- src/zip32.rs | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6029907c..cd57dcd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ and this library adheres to Rust's notion of ## [Unreleased] +## [0.6.2] - PENDING + +- `impl {PartiaEq, Eq} for sapling_crypto::keys::SaplingIvk` +- `impl {PartiaEq, Eq} for sapling_crypto::zip32::IncomingViewingKey` + ## [0.6.1] - 2026-03-26 ### Added diff --git a/src/keys.rs b/src/keys.rs index cc7e0834..1699c254 100644 --- a/src/keys.rs +++ b/src/keys.rs @@ -447,7 +447,7 @@ impl FullViewingKey { } } -#[derive(Debug, Clone)] +#[derive(Debug, Clone, PartialEq, Eq)] pub struct SaplingIvk(pub jubjub::Fr); impl SaplingIvk { diff --git a/src/zip32.rs b/src/zip32.rs index bfdc9cdd..5e4d9fea 100644 --- a/src/zip32.rs +++ b/src/zip32.rs @@ -841,7 +841,7 @@ impl DiversifiableFullViewingKey { /// Sapling item in a [ZIP 316 Unified Incoming Viewing Key][zip-0316-ufvk]. /// /// [zip-0316-ufvk]: https://zips.z.cash/zip-0316#encoding-of-unified-full-incoming-viewing-keys -#[derive(Clone, Debug)] +#[derive(Clone, Debug, PartialEq, Eq)] pub struct IncomingViewingKey { dk: DiversifierKey, ivk: SaplingIvk, From b40e3d921db8b614f9c08e4767aa58bc1606b128 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 31 Mar 2026 10:06:20 -0600 Subject: [PATCH 05/13] Release sapling-crypto version 0.6.2 --- CHANGELOG.md | 2 +- Cargo.lock | 2 +- Cargo.toml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd57dcd1..8278b5e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,7 @@ and this library adheres to Rust's notion of ## [Unreleased] -## [0.6.2] - PENDING +## [0.6.2] - 2026-03-31 - `impl {PartiaEq, Eq} for sapling_crypto::keys::SaplingIvk` - `impl {PartiaEq, Eq} for sapling_crypto::zip32::IncomingViewingKey` diff --git a/Cargo.lock b/Cargo.lock index b9b8e6f6..06783fc8 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1315,7 +1315,7 @@ dependencies = [ [[package]] name = "sapling-crypto" -version = "0.6.1" +version = "0.6.2" dependencies = [ "aes", "bellman", diff --git a/Cargo.toml b/Cargo.toml index 7a94e2de..8117f9ca 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "sapling-crypto" -version = "0.6.1" +version = "0.6.2" authors = [ "Sean Bowe ", "Jack Grigg ", From 1f1171827b51f7eddb229426fe4c850fab97ce16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 21 Nov 2025 02:07:38 +0000 Subject: [PATCH 06/13] Bump actions/checkout from 4 to 6 Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3f733612..8592667a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,7 +10,7 @@ jobs: matrix: os: [ubuntu-latest, windows-latest, macOS-latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Run tests run: cargo test --all-features --verbose --release - name: Verify working directory is clean @@ -23,7 +23,7 @@ jobs: matrix: os: [ubuntu-latest, windows-latest, macOS-latest] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - uses: dtolnay/rust-toolchain@stable id: toolchain - run: rustup override set ${{steps.toolchain.outputs.name}} @@ -43,7 +43,7 @@ jobs: - wasm32-wasi - thumbv7em-none-eabihf steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: path: crate_root # We use a synthetic crate to ensure no dev-dependencies are enabled, which can @@ -86,7 +86,7 @@ jobs: name: Bitrot check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 # Build benchmarks to prevent bitrot - name: Build benchmarks run: cargo build --all --benches @@ -95,7 +95,7 @@ jobs: name: Clippy (MSRV) runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Run Clippy uses: auguwu/clippy-action@1.4.0 with: @@ -107,7 +107,7 @@ jobs: name: Intra-doc links runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - run: cargo fetch # Requires #![deny(rustdoc::broken_intra_doc_links)] in crate. - name: Check intra-doc links @@ -117,6 +117,6 @@ jobs: name: Rustfmt runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Check formatting run: cargo fmt -- --check From aa88e38271e505099c3513add4f049cb301bc3b3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 02:32:53 +0000 Subject: [PATCH 07/13] Bump auguwu/clippy-action from 1.4.0 to 1.5.0 Bumps [auguwu/clippy-action](https://github.com/auguwu/clippy-action) from 1.4.0 to 1.5.0. - [Release notes](https://github.com/auguwu/clippy-action/releases) - [Commits](https://github.com/auguwu/clippy-action/compare/1.4.0...1.5.0) --- updated-dependencies: - dependency-name: auguwu/clippy-action dependency-version: 1.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8592667a..4fa420d1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -97,7 +97,7 @@ jobs: steps: - uses: actions/checkout@v6 - name: Run Clippy - uses: auguwu/clippy-action@1.4.0 + uses: auguwu/clippy-action@1.5.0 with: token: ${{ secrets.GITHUB_TOKEN }} working-directory: ${{ inputs.target }} From 19ae37e698e47ca174edb77759eeb46927e2d364 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Fri, 17 Apr 2026 13:20:50 -0600 Subject: [PATCH 08/13] Update MSRV to 1.85.1 --- .github/workflows/ci.yml | 2 +- CHANGELOG.md | 1 + Cargo.toml | 2 +- rust-toolchain.toml | 2 +- src/circuit/pedersen_hash.rs | 4 ++-- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8592667a..c664b551 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,7 @@ jobs: strategy: matrix: target: - - wasm32-wasi + - wasm32-wasip1 - thumbv7em-none-eabihf steps: - uses: actions/checkout@v6 diff --git a/CHANGELOG.md b/CHANGELOG.md index 30f0c246..4f9a1ea4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ and this library adheres to Rust's notion of ## [Unreleased] ### Changed +- MSRV is now 1.85.1 - `sapling_crypto::pczt::Bundle::extract` now takes its `self` argument by reference instead of by value. diff --git a/Cargo.toml b/Cargo.toml index 8117f9ca..8ca0d7aa 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,7 +7,7 @@ authors = [ "Kris Nuttycombe ", ] edition = "2021" -rust-version = "1.70" +rust-version = "1.85.1" description = "Cryptographic library for Zcash Sapling" homepage = "https://github.com/zcash/sapling-crypto" repository = "https://github.com/zcash/sapling-crypto" diff --git a/rust-toolchain.toml b/rust-toolchain.toml index 5299106e..35e9b966 100644 --- a/rust-toolchain.toml +++ b/rust-toolchain.toml @@ -1,3 +1,3 @@ [toolchain] -channel = "1.70.0" +channel = "1.85.1" components = ["clippy", "rustfmt"] diff --git a/src/circuit/pedersen_hash.rs b/src/circuit/pedersen_hash.rs index 29718a8a..4a22c385 100644 --- a/src/circuit/pedersen_hash.rs +++ b/src/circuit/pedersen_hash.rs @@ -123,8 +123,8 @@ mod test { let precomputed_booleans = 2 + (personalized_bits % 3 == 1) as usize; // Count chunks and segments with ceiling division - let chunks = (personalized_bits + 3 - 1) / 3; - let segments = (chunks + 63 - 1) / 63; + let chunks = personalized_bits.div_ceil(3); + let segments = chunks.div_ceil(63); let all_but_last_segments = segments - 1; let last_chunks = chunks - all_but_last_segments * 63; From 56395a861b5e8aee57e73ba77fb13268cc21185b Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Fri, 17 Apr 2026 13:22:31 -0600 Subject: [PATCH 09/13] Migrate from yanked `core2` library to `corez` --- Cargo.lock | 13 +++++-------- Cargo.toml | 4 ++-- src/circuit.rs | 2 +- src/keys.rs | 2 +- src/zip32.rs | 10 +++++----- 5 files changed, 14 insertions(+), 17 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 06783fc8..52dcb197 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1,6 +1,6 @@ # This file is automatically @generated by Cargo. # It is not intended for manual editing. -version = 3 +version = 4 [[package]] name = "addr2line" @@ -343,13 +343,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "21a53c0a4d288377e7415b53dcfc3c04da5cdc2cc95c8d5ac178b58f0b861ad6" [[package]] -name = "core2" -version = "0.3.3" +name = "corez" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "239fa3ae9b63c2dc74bd3fa852d4792b8b305ae64eeede946265b6af62f1fff3" -dependencies = [ - "memchr", -] +checksum = "4df6f98652d30167eaeea34d77b730e07c8caba6df17bd4551842b9b8da01deb" [[package]] name = "cpp_demangle" @@ -1324,7 +1321,7 @@ dependencies = [ "blake2s_simd", "bls12_381", "chacha20poly1305", - "core2", + "corez", "criterion", "document-features", "ff", diff --git a/Cargo.toml b/Cargo.toml index 8ca0d7aa..4aaec944 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,7 +30,7 @@ zcash_spec = "0.2" getset = "0.1" # No-std support -core2 = { version = "0.3", default-features = false, features = ["alloc"] } +corez = { version = "0.1.1", default-features = false, features = ["alloc"] } # Circuits bellman = { version = "0.14", default-features = false, features = ["groth16"], optional = true } @@ -88,7 +88,7 @@ pprof = { version = "0.11", features = ["criterion", "flamegraph"] } # MSRV 1.56 [features] default = ["multicore", "circuit"] std = [ - "core2/std", + "corez/std", "dep:document-features", "group/wnaf-memuse", "redjubjub/std" diff --git a/src/circuit.rs b/src/circuit.rs index d2f083e1..a4a7cf89 100644 --- a/src/circuit.rs +++ b/src/circuit.rs @@ -2,7 +2,7 @@ use alloc::vec::Vec; use core::fmt; -use core2::io; +use corez::io; use group::{ff::PrimeField, Curve}; diff --git a/src/keys.rs b/src/keys.rs index 1699c254..771bcb32 100644 --- a/src/keys.rs +++ b/src/keys.rs @@ -6,7 +6,7 @@ use alloc::vec::Vec; use core::fmt; -use core2::io::{self, Read, Write}; +use corez::io::{self, Read, Write}; use super::{ address::PaymentAddress, diff --git a/src/zip32.rs b/src/zip32.rs index 5e4d9fea..bdf5852f 100644 --- a/src/zip32.rs +++ b/src/zip32.rs @@ -12,7 +12,7 @@ use zcash_spec::PrfExpand; use zip32::{ChainCode, ChildIndex, DiversifierIndex, Scope}; use core::ops::AddAssign; -use core2::io::{self, Read, Write}; +use corez::io::{self, Read, Write}; use super::{Diversifier, NullifierDerivingKey, PaymentAddress, ViewingKey}; use crate::note_encryption::PreparedIncomingViewingKey; @@ -362,8 +362,8 @@ impl ExtendedSpendingKey { reader.read_exact(&mut child_index_bytes)?; let child_index = KeyIndex::new(depth, u32::from_le_bytes(child_index_bytes)).ok_or_else(|| { - core2::io::Error::new( - core2::io::ErrorKind::InvalidData, + corez::io::Error::new( + corez::io::ErrorKind::InvalidData, "Unsupported child index in encoding", ) })?; @@ -564,8 +564,8 @@ impl ExtendedFullViewingKey { reader.read_exact(&mut child_index_bytes)?; let child_index = KeyIndex::new(depth, u32::from_le_bytes(child_index_bytes)).ok_or_else(|| { - core2::io::Error::new( - core2::io::ErrorKind::InvalidData, + corez::io::Error::new( + corez::io::ErrorKind::InvalidData, "Unsupported child index in encoding", ) })?; From b5300968880d1c170eef573227781cdb18a0dcce Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 21 Apr 2026 10:48:04 -0600 Subject: [PATCH 10/13] Update dependencies to fix `cargo audit` warnings. --- Cargo.lock | 259 ++++++++++++++++++++++++++++------------------------- Cargo.toml | 4 +- 2 files changed, 137 insertions(+), 126 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 52dcb197..1f4ad7ee 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -60,12 +60,27 @@ dependencies = [ "memchr", ] +[[package]] +name = "aligned-vec" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc890384c8602f339876ded803c97ad529f3842aba97f6392b3dba0dd171769b" +dependencies = [ + "equator", +] + [[package]] name = "anes" version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299" +[[package]] +name = "anstyle" +version = "1.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000" + [[package]] name = "arrayref" version = "0.3.7" @@ -78,17 +93,6 @@ version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96d30a06541fbafbc7f82ed10c06164cfbd2c401138f6addd8404629c4b16711" -[[package]] -name = "atty" -version = "0.2.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8" -dependencies = [ - "hermit-abi 0.1.19", - "libc", - "winapi", -] - [[package]] name = "autocfg" version = "1.1.0" @@ -97,9 +101,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "backtrace" -version = "0.3.69" +version = "0.3.71" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2089b7e3f35b9dd2d0ed921ead4f6d318c27680d4a5bd167b3ee120edb105837" +checksum = "26b05800d2e817c8b3b4b54abd461726265fa9789ae34330622f2db9ee696f9d" dependencies = [ "addr2line", "cc", @@ -213,9 +217,9 @@ checksum = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec" [[package]] name = "bytemuck" -version = "1.14.0" +version = "1.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "374d28ec25809ee0e23827c2ab573d729e293f281dfe393500e7ad618baa61c6" +checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec" [[package]] name = "byteorder" @@ -240,11 +244,12 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.83" +version = "1.2.60" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0" +checksum = "43c5703da9466b66a946814e1adf53ea2c90f10063b86290cc9eb67ce3478a20" dependencies = [ - "libc", + "find-msvc-tools", + "shlex", ] [[package]] @@ -317,25 +322,29 @@ dependencies = [ [[package]] name = "clap" -version = "3.2.25" +version = "4.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ea181bf566f71cb9a5d17a59e1871af638180a18fb0035c92ae62b705207123" +checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51" dependencies = [ - "bitflags 1.3.2", - "clap_lex", - "indexmap 1.9.3", - "textwrap", + "clap_builder", ] [[package]] -name = "clap_lex" -version = "0.2.4" +name = "clap_builder" +version = "4.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2850f2f5a82cbf437dd5af4d49848fbdfc27c157c3d010345776f952765261c5" +checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f" dependencies = [ - "os_str_bytes", + "anstyle", + "clap_lex", ] +[[package]] +name = "clap_lex" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9" + [[package]] name = "constant_time_eq" version = "0.2.6" @@ -368,19 +377,19 @@ dependencies = [ [[package]] name = "criterion" -version = "0.4.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7c76e09c1aae2bc52b3d2f29e13c6572553b30c4aa1b8a49fd70de6412654cb" +checksum = "f2b12d017a929603d80db1831cd3a24082f8137ce19c69e6447f54f5fc8d692f" dependencies = [ "anes", - "atty", "cast", "ciborium", "clap", "criterion-plot", + "is-terminal", "itertools", - "lazy_static", "num-traits", + "once_cell", "oorandom", "plotters", "rayon", @@ -480,6 +489,26 @@ version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07" +[[package]] +name = "equator" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4711b213838dfee0117e3be6ac926007d7f433d7bbe33595975d4190cb07e6fc" +dependencies = [ + "equator-macro", +] + +[[package]] +name = "equator-macro" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44f23cf4b44bfce11a86ace86f8a73ffdec849c9fd00a386a53d278bd9e81fb3" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "equivalent" version = "1.0.1" @@ -513,6 +542,12 @@ dependencies = [ "subtle", ] +[[package]] +name = "find-msvc-tools" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" + [[package]] name = "findshlibs" version = "0.10.2" @@ -608,27 +643,12 @@ version = "1.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "eabb4a44450da02c90444cf74558da904edde8fb4e9035a9a6a4e15445af0bd7" -[[package]] -name = "hashbrown" -version = "0.12.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888" - [[package]] name = "hashbrown" version = "0.14.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "290f1a1d9242c78d09ce40a5e87e7554ee637af1351968159f4952f028f75604" -[[package]] -name = "hermit-abi" -version = "0.1.19" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33" -dependencies = [ - "libc", -] - [[package]] name = "hermit-abi" version = "0.3.3" @@ -653,16 +673,6 @@ dependencies = [ "rand_core", ] -[[package]] -name = "indexmap" -version = "1.9.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd070e393353796e801d209ad339e89596eb4c8d430d18ede6a1cced8fafbd99" -dependencies = [ - "autocfg", - "hashbrown 0.12.3", -] - [[package]] name = "indexmap" version = "2.1.0" @@ -670,7 +680,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d530e1a18b1cb4c484e6e34556a0d948706958449fca0cab753d649f2bce3d1f" dependencies = [ "equivalent", - "hashbrown 0.14.3", + "hashbrown", ] [[package]] @@ -680,7 +690,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "321f0f839cd44a4686e9504b0a62b4d69a50b62072144c71c68f5873c167b8d9" dependencies = [ "ahash", - "indexmap 2.1.0", + "indexmap", "is-terminal", "itoa", "log", @@ -706,7 +716,7 @@ version = "0.4.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b" dependencies = [ - "hermit-abi 0.3.3", + "hermit-abi", "rustix", "windows-sys 0.48.0", ] @@ -803,9 +813,9 @@ checksum = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167" [[package]] name = "memmap2" -version = "0.5.10" +version = "0.9.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83faa42c0a078c393f6b29d5db232d8be22776a891f8f56e5284faee4a20b327" +checksum = "714098028fe011992e1c3962653c96b2d578c4b4bce9036e15ff220319b1e0e3" dependencies = [ "libc", ] @@ -827,9 +837,9 @@ checksum = "3d97bbf43eb4f088f8ca469930cde17fa036207c9a5e02ccc5107c4e8b17c964" [[package]] name = "miniz_oxide" -version = "0.7.1" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7810e0be55b428ada41041c41f32c9f1a42817901b4ccf45fa3d4b6561e74c7" +checksum = "b8a240ddb74feaf34a79a7add65a741f3167852fba007066dcac1ca548d89c08" dependencies = [ "adler", ] @@ -892,7 +902,7 @@ version = "1.16.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" dependencies = [ - "hermit-abi 0.3.3", + "hermit-abi", "libc", ] @@ -923,12 +933,6 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" -[[package]] -name = "os_str_bytes" -version = "6.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1" - [[package]] name = "pairing" version = "0.23.0" @@ -938,29 +942,6 @@ dependencies = [ "group", ] -[[package]] -name = "parking_lot" -version = "0.12.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f" -dependencies = [ - "lock_api", - "parking_lot_core", -] - -[[package]] -name = "parking_lot_core" -version = "0.9.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c42a9226546d68acdd9c0a280d17ce19bfe27a46bf68784e4066115788d008e" -dependencies = [ - "cfg-if", - "libc", - "redox_syscall", - "smallvec", - "windows-targets 0.48.5", -] - [[package]] name = "pasta_curves" version = "0.5.1" @@ -1021,10 +1002,11 @@ dependencies = [ [[package]] name = "pprof" -version = "0.11.1" +version = "0.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "196ded5d4be535690899a4631cc9f18cdc41b7ebf24a79400f46f48e49a11059" +checksum = "38a01da47675efa7673b032bf8efd8214f1917d89685e07e395ab125ea42b187" dependencies = [ + "aligned-vec", "backtrace", "cfg-if", "criterion", @@ -1034,11 +1016,11 @@ dependencies = [ "log", "nix", "once_cell", - "parking_lot", "smallvec", + "spin", "symbolic-demangle", "tempfile", - "thiserror", + "thiserror 2.0.18", ] [[package]] @@ -1071,9 +1053,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.70" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "39278fbbf5fb4f646ce651690877f89d1c5811a3d4acb27700c1cb3cdb78fd3b" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ "unicode-ident", ] @@ -1115,9 +1097,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.33" +version = "1.0.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" +checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924" dependencies = [ "proc-macro2", ] @@ -1130,9 +1112,9 @@ checksum = "dc33ff2d4973d518d823d61aa239014831e521c75da58e3df4840d3f47749d09" [[package]] name = "rand" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" dependencies = [ "libc", "rand_chacha", @@ -1201,7 +1183,7 @@ dependencies = [ "pasta_curves", "rand_core", "serde", - "thiserror", + "thiserror 1.0.50", "zeroize", ] @@ -1213,7 +1195,7 @@ checksum = "89b0ac1bc6bb3696d2c6f52cff8fba57238b81da8c0214ee6cd146eb8fde364e" dependencies = [ "rand_core", "reddsa", - "thiserror", + "thiserror 1.0.50", "zeroize", ] @@ -1257,9 +1239,9 @@ checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" [[package]] name = "rgb" -version = "0.8.37" +version = "0.8.53" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "05aaa8004b64fd573fc9d002f4e632d51ad4f026c2b5ba95fcb6c2f32c2c47d8" +checksum = "47b34b781b31e5d73e9fbc8689c70551fd1ade9a19e3e28cfec8580a79290cc4" dependencies = [ "bytemuck", ] @@ -1383,12 +1365,27 @@ dependencies = [ "serde", ] +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + [[package]] name = "smallvec" version = "1.11.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4dccd0940a2dcdf68d092b8cbab7dc0ad8fa938bf95787e1b916b0e3d0e8e970" +[[package]] +name = "spin" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d5fe4ccb98d9c292d56fec89a5e07da7fc4cf0dc11e156b41793132775d3e591" +dependencies = [ + "lock_api", +] + [[package]] name = "stable_deref_trait" version = "1.2.0" @@ -1415,9 +1412,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "symbolic-common" -version = "10.2.1" +version = "12.18.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b55cdc318ede251d0957f07afe5fed912119b8c1bc5a7804151826db999e737" +checksum = "4bbc8b4f883265fb2207a0d6ce67095f4bd6cf13e5f9183eb8b3e73fa1b2466a" dependencies = [ "debugid", "memmap2", @@ -1427,9 +1424,9 @@ dependencies = [ [[package]] name = "symbolic-demangle" -version = "10.2.1" +version = "12.18.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "79be897be8a483a81fff6a3a4e195b4ac838ef73ca42d348b3f722da9902e489" +checksum = "8eda470a26ea40eb5cafc35487718e23a2f19153d3a589affb9e8f7fa1aa73b3" dependencies = [ "cpp_demangle", "rustc-demangle", @@ -1438,9 +1435,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.40" +version = "2.0.117" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13fa70a4ee923979ffb522cacce59d34421ebdea5625e1073c4326ef9d2dd42e" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" dependencies = [ "proc-macro2", "quote", @@ -1467,18 +1464,21 @@ dependencies = [ ] [[package]] -name = "textwrap" -version = "0.16.0" +name = "thiserror" +version = "1.0.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d" +checksum = "f9a7210f5c9a7156bb50aa36aed4c95afb51df0df00713949448cf9e97d382d2" +dependencies = [ + "thiserror-impl 1.0.50", +] [[package]] name = "thiserror" -version = "1.0.50" +version = "2.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9a7210f5c9a7156bb50aa36aed4c95afb51df0df00713949448cf9e97d382d2" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" dependencies = [ - "thiserror-impl", + "thiserror-impl 2.0.18", ] [[package]] @@ -1492,6 +1492,17 @@ dependencies = [ "syn", ] +[[package]] +name = "thiserror-impl" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + [[package]] name = "tinytemplate" version = "1.2.1" @@ -1843,18 +1854,18 @@ dependencies = [ [[package]] name = "zerocopy" -version = "0.7.30" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "306dca4455518f1f31635ec308b6b3e4eb1b11758cefafc782827d0aa7acb5c7" +checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0" dependencies = [ "zerocopy-derive", ] [[package]] name = "zerocopy-derive" -version = "0.7.30" +version = "0.7.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "be912bf68235a88fbefd1b73415cb218405958d1655b2ece9035a19920bdf6ba" +checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index 4aaec944..037758ab 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -77,13 +77,13 @@ zip32 = { version = "0.2", default-features = false } [dev-dependencies] chacha20poly1305 = "0.10" -criterion = "0.4" +criterion = "0.5" incrementalmerkletree = { version = "0.8.1", features = ["legacy-api", "test-dependencies"] } proptest = ">=1.0.0, <1.7.0" rand_xorshift = "0.3" [target.'cfg(unix)'.dev-dependencies] -pprof = { version = "0.11", features = ["criterion", "flamegraph"] } # MSRV 1.56 +pprof = { version = "0.15", features = ["criterion", "flamegraph"] } # MSRV 1.74 [features] default = ["multicore", "circuit"] From e1a7a9a6dd7f9a6c0b903535748c55b81e416034 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 21 Apr 2026 10:56:30 -0600 Subject: [PATCH 11/13] Add `cargo vet` and `cargo deny` infrastructure & CI workflow. --- .github/workflows/audits.yml | 50 ++ Cargo.lock | 93 ++- Cargo.toml | 1 + deny.toml | 43 ++ supply-chain/audits.toml | 4 + supply-chain/config.toml | 565 +++++++++++++++++ supply-chain/imports.lock | 1111 ++++++++++++++++++++++++++++++++++ 7 files changed, 1842 insertions(+), 25 deletions(-) create mode 100644 .github/workflows/audits.yml create mode 100644 deny.toml create mode 100644 supply-chain/audits.toml create mode 100644 supply-chain/config.toml create mode 100644 supply-chain/imports.lock diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml new file mode 100644 index 00000000..7ea54962 --- /dev/null +++ b/.github/workflows/audits.yml @@ -0,0 +1,50 @@ +name: Audits + +on: + pull_request: + push: + branches: main + +permissions: + contents: read + +jobs: + cargo-vet: + name: Vet Rust dependencies + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: dtolnay/rust-toolchain@stable + id: toolchain + - run: rustup override set "${TOOLCHAIN}" + env: + TOOLCHAIN: ${{steps.toolchain.outputs.name}} + - run: cargo install cargo-vet --version ~0.10 + - run: cargo vet --locked + + cargo-deny: + name: Check licenses + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16 + with: + command: check licenses + + required-audits: + name: Required audits have passed + needs: + - cargo-vet + - cargo-deny + if: ${{ always() }} + runs-on: ubuntu-latest + steps: + - name: Determine whether all required-pass steps succeeded + run: | + echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all' + env: + NEEDS: ${{ toJSON(needs) }} diff --git a/Cargo.lock b/Cargo.lock index 1f4ad7ee..90885c8c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -45,7 +45,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "91429305e9f0a25f6205c5b8e0d2db09e0708a7a6df0f42212bb56c32c8ac97a" dependencies = [ "cfg-if", - "getrandom", + "getrandom 0.2.11", "once_cell", "version_check", "zerocopy", @@ -517,9 +517,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.8" +version = "0.3.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a258e46cdc063eb8519c00b9fc845fc47bcfca4130e2f08e88665ceda8474245" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", "windows-sys 0.52.0", @@ -527,9 +527,9 @@ dependencies = [ [[package]] name = "fastrand" -version = "2.0.1" +version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25cbce373ec4653f1a01a31e8a5e5ec0c622dc27ff9c4e6606eefef5cbbed4a5" +checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" [[package]] name = "ff" @@ -607,6 +607,18 @@ dependencies = [ "wasi", ] +[[package]] +name = "getrandom" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd" +dependencies = [ + "cfg-if", + "libc", + "r-efi", + "wasip2", +] + [[package]] name = "getset" version = "0.1.3" @@ -717,7 +729,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cb0889898416213fab133e1d33a0e5858a48177452750691bde3666d0fdbaf8b" dependencies = [ "hermit-abi", - "rustix", + "rustix 0.38.28", "windows-sys 0.48.0", ] @@ -767,9 +779,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.151" +version = "0.2.185" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "302d7ab3130588088d277783b1e2d2e10c9e9e4a16dd9050e6ec93fb3e7048f4" +checksum = "52ff2c0fe9bc6cb6b14a0592c2ff4fa9ceb83eea9db979b0487cd054946a2b8f" [[package]] name = "libm" @@ -783,6 +795,12 @@ version = "0.4.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4cd1a83af159aa67994778be9070f0ae1bd732942279cabb14f86f986a21456" +[[package]] +name = "linux-raw-sys" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53" + [[package]] name = "litrs" version = "0.4.1" @@ -1104,6 +1122,12 @@ dependencies = [ "proc-macro2", ] +[[package]] +name = "r-efi" +version = "5.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" + [[package]] name = "radium" version = "0.7.0" @@ -1137,7 +1161,7 @@ version = "0.6.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" dependencies = [ - "getrandom", + "getrandom 0.2.11", ] [[package]] @@ -1199,15 +1223,6 @@ dependencies = [ "zeroize", ] -[[package]] -name = "redox_syscall" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4722d768eff46b75989dd134e5c353f0d6296e5aaa3132e776cbdb56be7731aa" -dependencies = [ - "bitflags 1.3.2", -] - [[package]] name = "regex" version = "1.10.2" @@ -1261,7 +1276,20 @@ dependencies = [ "bitflags 2.4.1", "errno", "libc", - "linux-raw-sys", + "linux-raw-sys 0.4.12", + "windows-sys 0.52.0", +] + +[[package]] +name = "rustix" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" +dependencies = [ + "bitflags 2.4.1", + "errno", + "libc", + "linux-raw-sys 0.12.1", "windows-sys 0.52.0", ] @@ -1452,15 +1480,15 @@ checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" [[package]] name = "tempfile" -version = "3.8.1" +version = "3.24.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ef1adac450ad7f4b3c28589471ade84f25f731a7a0fe30d71dfa9f60fd808e5" +checksum = "655da9c7eb6305c55742045d5a8d2037996d61d8de95806335c7c86ce0f82e9c" dependencies = [ - "cfg-if", "fastrand", - "redox_syscall", - "rustix", - "windows-sys 0.48.0", + "getrandom 0.3.4", + "once_cell", + "rustix 1.1.4", + "windows-sys 0.52.0", ] [[package]] @@ -1594,6 +1622,15 @@ version = "0.11.0+wasi-snapshot-preview1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" +[[package]] +name = "wasip2" +version = "1.0.1+wasi-0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7" +dependencies = [ + "wit-bindgen", +] + [[package]] name = "wasm-bindgen" version = "0.2.89" @@ -1821,6 +1858,12 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +[[package]] +name = "wit-bindgen" +version = "0.46.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59" + [[package]] name = "wyz" version = "0.5.1" diff --git a/Cargo.toml b/Cargo.toml index 037758ab..35508a0e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,6 +8,7 @@ authors = [ ] edition = "2021" rust-version = "1.85.1" +resolver = "3" description = "Cryptographic library for Zcash Sapling" homepage = "https://github.com/zcash/sapling-crypto" repository = "https://github.com/zcash/sapling-crypto" diff --git a/deny.toml b/deny.toml new file mode 100644 index 00000000..ec07d07d --- /dev/null +++ b/deny.toml @@ -0,0 +1,43 @@ +# Configuration file for cargo-deny + +[graph] +targets = [ + # Targets used by zcashd + { triple = "aarch64-unknown-linux-gnu" }, + { triple = "x86_64-apple-darwin" }, + { triple = "x86_64-pc-windows-gnu" }, + { triple = "x86_64-unknown-freebsd" }, + { triple = "x86_64-unknown-linux-gnu" }, + # Targets used by zcash-android-wallet-sdk + { triple = "aarch64-linux-android" }, + { triple = "armv7-linux-androideabi" }, + { triple = "i686-linux-android" }, + { triple = "x86_64-linux-android" }, + # Targets used by zcash-swift-wallet-sdk + { triple = "aarch64-apple-darwin" }, + { triple = "aarch64-apple-ios" }, + { triple = "aarch64-apple-ios-sim" }, + { triple = "x86_64-apple-darwin" }, + { triple = "x86_64-apple-ios" }, +] +all-features = true +exclude-dev = true + +[licenses] +version = 2 +allow = [ + "Apache-2.0", + "MIT", +] +exceptions = [ + { name = "arrayref", allow = ["BSD-2-Clause"] }, + { name = "subtle", allow = ["BSD-3-Clause"] }, + { name = "unicode-ident", allow = ["Unicode-DFS-2016"] }, +] + +[[licenses.clarify]] +name = "ring" +expression = "LicenseRef-ring" +license-files = [ + { path = "LICENSE", hash = 0xbd0eed23 }, +] diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml new file mode 100644 index 00000000..2772ccb2 --- /dev/null +++ b/supply-chain/audits.toml @@ -0,0 +1,4 @@ + +# cargo-vet audits file + +[audits] diff --git a/supply-chain/config.toml b/supply-chain/config.toml new file mode 100644 index 00000000..01e15512 --- /dev/null +++ b/supply-chain/config.toml @@ -0,0 +1,565 @@ + +# cargo-vet config file + +[cargo-vet] +version = "0.10" + +[imports.bytecode-alliance] +url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[imports.embark-studios] +url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + +[imports.fermyon] +url = "https://raw.githubusercontent.com/fermyon/spin/main/supply-chain/audits.toml" + +[imports.google] +url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" + +[imports.isrg] +url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + +[imports.zcash] +url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml" + +[policy.sapling-crypto] +audit-as-crates-io = true + +[[exemptions.aead]] +version = "0.5.2" +criteria = "safe-to-deploy" + +[[exemptions.aes]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.ahash]] +version = "0.8.6" +criteria = "safe-to-run" + +[[exemptions.aligned-vec]] +version = "0.6.4" +criteria = "safe-to-run" + +[[exemptions.anstyle]] +version = "1.0.14" +criteria = "safe-to-run" + +[[exemptions.arrayvec]] +version = "0.7.4" +criteria = "safe-to-deploy" + +[[exemptions.bellman]] +version = "0.14.0" +criteria = "safe-to-deploy" + +[[exemptions.bitvec]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.blake2b_simd]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.blake2s_simd]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.bls12_381]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.bytemuck]] +version = "1.25.0" +criteria = "safe-to-run" + +[[exemptions.cbc]] +version = "0.1.2" +criteria = "safe-to-deploy" + +[[exemptions.cc]] +version = "1.2.60" +criteria = "safe-to-run" + +[[exemptions.chacha20]] +version = "0.9.1" +criteria = "safe-to-deploy" + +[[exemptions.chacha20poly1305]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.ciborium]] +version = "0.2.1" +criteria = "safe-to-run" + +[[exemptions.ciborium-io]] +version = "0.2.1" +criteria = "safe-to-run" + +[[exemptions.ciborium-ll]] +version = "0.2.1" +criteria = "safe-to-run" + +[[exemptions.clap]] +version = "4.6.1" +criteria = "safe-to-run" + +[[exemptions.clap_builder]] +version = "4.6.0" +criteria = "safe-to-run" + +[[exemptions.clap_lex]] +version = "1.1.0" +criteria = "safe-to-run" + +[[exemptions.corez]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.cpufeatures]] +version = "0.2.11" +criteria = "safe-to-deploy" + +[[exemptions.criterion]] +version = "0.5.1" +criteria = "safe-to-run" + +[[exemptions.criterion-plot]] +version = "0.5.0" +criteria = "safe-to-run" + +[[exemptions.crossbeam-channel]] +version = "0.5.8" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-deque]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-epoch]] +version = "0.9.15" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-utils]] +version = "0.8.16" +criteria = "safe-to-deploy" + +[[exemptions.equator]] +version = "0.4.2" +criteria = "safe-to-run" + +[[exemptions.equator-macro]] +version = "0.4.2" +criteria = "safe-to-run" + +[[exemptions.fastrand]] +version = "2.4.1" +criteria = "safe-to-deploy" + +[[exemptions.ff]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.find-msvc-tools]] +version = "0.1.9" +criteria = "safe-to-run" + +[[exemptions.findshlibs]] +version = "0.10.2" +criteria = "safe-to-run" + +[[exemptions.fpe]] +version = "0.6.1" +criteria = "safe-to-deploy" + +[[exemptions.funty]] +version = "2.0.0" +criteria = "safe-to-deploy" + +[[exemptions.generic-array]] +version = "0.14.7" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.2.11" +criteria = "safe-to-deploy" + +[[exemptions.gimli]] +version = "0.28.1" +criteria = "safe-to-run" + +[[exemptions.group]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.hermit-abi]] +version = "0.3.3" +criteria = "safe-to-deploy" + +[[exemptions.incrementalmerkletree]] +version = "0.8.1" +criteria = "safe-to-deploy" + +[[exemptions.inferno]] +version = "0.11.19" +criteria = "safe-to-run" + +[[exemptions.js-sys]] +version = "0.3.66" +criteria = "safe-to-run" + +[[exemptions.jubjub]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.libc]] +version = "0.2.185" +criteria = "safe-to-deploy" + +[[exemptions.libm]] +version = "0.2.8" +criteria = "safe-to-deploy" + +[[exemptions.linux-raw-sys]] +version = "0.4.12" +criteria = "safe-to-run" + +[[exemptions.linux-raw-sys]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.lock_api]] +version = "0.4.11" +criteria = "safe-to-run" + +[[exemptions.memmap2]] +version = "0.9.10" +criteria = "safe-to-run" + +[[exemptions.memoffset]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.memuse]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.num-format]] +version = "0.4.4" +criteria = "safe-to-run" + +[[exemptions.num_cpus]] +version = "1.16.0" +criteria = "safe-to-deploy" + +[[exemptions.once_cell]] +version = "1.12.0" +criteria = "safe-to-deploy" + +[[exemptions.pairing]] +version = "0.23.0" +criteria = "safe-to-deploy" + +[[exemptions.pasta_curves]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.plotters]] +version = "0.3.5" +criteria = "safe-to-run" + +[[exemptions.plotters-backend]] +version = "0.3.5" +criteria = "safe-to-run" + +[[exemptions.plotters-svg]] +version = "0.3.5" +criteria = "safe-to-run" + +[[exemptions.poly1305]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.pprof]] +version = "0.15.0" +criteria = "safe-to-run" + +[[exemptions.ppv-lite86]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.proc-macro2]] +version = "1.0.106" +criteria = "safe-to-deploy" + +[[exemptions.proptest]] +version = "1.4.0" +criteria = "safe-to-deploy" + +[[exemptions.quick-error]] +version = "1.2.3" +criteria = "safe-to-deploy" + +[[exemptions.quick-xml]] +version = "0.26.0" +criteria = "safe-to-run" + +[[exemptions.quote]] +version = "1.0.45" +criteria = "safe-to-deploy" + +[[exemptions.r-efi]] +version = "5.2.0" +criteria = "safe-to-deploy" + +[[exemptions.radium]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.rand]] +version = "0.8.6" +criteria = "safe-to-deploy" + +[[exemptions.reddsa]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.regex-syntax]] +version = "0.8.2" +criteria = "safe-to-deploy" + +[[exemptions.rgb]] +version = "0.8.53" +criteria = "safe-to-run" + +[[exemptions.rustix]] +version = "0.38.28" +criteria = "safe-to-run" + +[[exemptions.rustix]] +version = "1.1.4" +criteria = "safe-to-deploy" + +[[exemptions.rusty-fork]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.ryu]] +version = "1.0.16" +criteria = "safe-to-run" + +[[exemptions.sapling-crypto]] +version = "0.6.2" +criteria = "safe-to-deploy" + +[[exemptions.scopeguard]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.serde]] +version = "1.0.193" +criteria = "safe-to-deploy" + +[[exemptions.serde_derive]] +version = "1.0.193" +criteria = "safe-to-deploy" + +[[exemptions.smallvec]] +version = "1.11.2" +criteria = "safe-to-run" + +[[exemptions.spin]] +version = "0.10.0" +criteria = "safe-to-run" + +[[exemptions.str_stack]] +version = "0.1.0" +criteria = "safe-to-run" + +[[exemptions.symbolic-common]] +version = "12.18.2" +criteria = "safe-to-run" + +[[exemptions.symbolic-demangle]] +version = "12.18.2" +criteria = "safe-to-run" + +[[exemptions.syn]] +version = "2.0.117" +criteria = "safe-to-deploy" + +[[exemptions.tempfile]] +version = "3.24.0" +criteria = "safe-to-deploy" + +[[exemptions.thiserror]] +version = "1.0.50" +criteria = "safe-to-deploy" + +[[exemptions.thiserror]] +version = "2.0.18" +criteria = "safe-to-run" + +[[exemptions.thiserror-impl]] +version = "1.0.50" +criteria = "safe-to-deploy" + +[[exemptions.thiserror-impl]] +version = "2.0.18" +criteria = "safe-to-run" + +[[exemptions.tracing]] +version = "0.1.40" +criteria = "safe-to-deploy" + +[[exemptions.typenum]] +version = "1.17.0" +criteria = "safe-to-deploy" + +[[exemptions.uuid]] +version = "1.6.1" +criteria = "safe-to-run" + +[[exemptions.wait-timeout]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.walkdir]] +version = "2.4.0" +criteria = "safe-to-run" + +[[exemptions.wasi]] +version = "0.11.0+wasi-snapshot-preview1" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen]] +version = "0.2.89" +criteria = "safe-to-run" + +[[exemptions.wasm-bindgen-backend]] +version = "0.2.89" +criteria = "safe-to-run" + +[[exemptions.wasm-bindgen-macro]] +version = "0.2.89" +criteria = "safe-to-run" + +[[exemptions.wasm-bindgen-macro-support]] +version = "0.2.89" +criteria = "safe-to-run" + +[[exemptions.web-sys]] +version = "0.3.66" +criteria = "safe-to-run" + +[[exemptions.winapi-i686-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-run" + +[[exemptions.winapi-x86_64-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-run" + +[[exemptions.windows-sys]] +version = "0.48.0" +criteria = "safe-to-run" + +[[exemptions.windows-sys]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-targets]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows-targets]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_msvc]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_aarch64_msvc]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnu]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_i686_gnu]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_msvc]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_i686_msvc]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnu]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_gnu]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_msvc]] +version = "0.48.5" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_msvc]] +version = "0.52.0" +criteria = "safe-to-deploy" + +[[exemptions.wyz]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.zcash_note_encryption]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_spec]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.zerocopy]] +version = "0.7.35" +criteria = "safe-to-run" + +[[exemptions.zerocopy-derive]] +version = "0.7.35" +criteria = "safe-to-run" + +[[exemptions.zeroize]] +version = "1.7.0" +criteria = "safe-to-deploy" + +[[exemptions.zip32]] +version = "0.2.0" +criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock new file mode 100644 index 00000000..7269ae35 --- /dev/null +++ b/supply-chain/imports.lock @@ -0,0 +1,1111 @@ + +# cargo-vet imports lock + +[[publisher.bumpalo]] +version = "3.14.0" +when = "2023-09-14" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + +[[publisher.wasip2]] +version = "1.0.1+wasi-0.2.4" +when = "2025-09-15" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wit-bindgen]] +version = "0.46.0" +when = "2025-09-10" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[audits.bytecode-alliance.wildcard-audits.bumpalo]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2019-03-16" +end = "2026-08-21" + +[[audits.bytecode-alliance.wildcard-audits.wasip2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-08-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. +""" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.19.0 -> 0.20.0" +notes = "This version brings support for split-dwarf which while it uses the filesystem is always done at the behest of the caller, so everything is as expected for this update." + +[[audits.bytecode-alliance.audits.addr2line]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.20.0 -> 0.21.0" +notes = "This version bump updated some dependencies and optimized some internals. All looks good." + +[[audits.bytecode-alliance.audits.adler]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.2" +notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." + +[[audits.bytecode-alliance.audits.anes]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.6" +notes = "Contains no unsafe code, no IO, no build.rs." + +[[audits.bytecode-alliance.audits.arrayref]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "0.3.6" +notes = """ +Unsafe code, but its logic looks good to me. Necessary given what it is +doing. Well tested, has quickchecks. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Jamey Sharp " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.2.1" +notes = """ +This version adds unsafe impls of traits from the bytemuck crate when built +with that library enabled, but I believe the impls satisfy the documented +safety requirements for bytemuck. The other changes are minor. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.3.2 -> 2.3.3" +notes = """ +Nothing outside the realm of what one would expect from a bitflags generator, +all as expected. +""" + +[[audits.bytecode-alliance.audits.cfg-if]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.cipher]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.4.4" +notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads." + +[[audits.bytecode-alliance.audits.constant_time_eq]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "0.2.4" +notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct." + +[[audits.bytecode-alliance.audits.crypto-common]] +who = "Benjamin Bouvier " +criteria = "safe-to-deploy" +version = "0.1.3" + +[[audits.bytecode-alliance.audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.3.0" +notes = "This crate uses libc and windows-sys APIs to get and set the raw OS error value." + +[[audits.bytecode-alliance.audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +notes = "Just a dependency version bump and a bug fix for redox" + +[[audits.bytecode-alliance.audits.errno]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.3.9 -> 0.3.10" + +[[audits.bytecode-alliance.audits.inout]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = "A part of RustCrypto/utils, this crate is designed to handle unsafe buffers and carefully documents the safety concerns throughout. Older versions of this tally up to ~130k daily downloads." + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "Minor updates, using new Rust features like `const`, no major changes." + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.8.0 -> 0.7.4" +notes = "Very few changes here, only minor updates here and there." + +[[audits.bytecode-alliance.audits.object]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.30.3 -> 0.31.1" +notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary." + +[[audits.bytecode-alliance.audits.shlex]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin." + +[[audits.bytecode-alliance.audits.static_assertions]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure." + +[[audits.bytecode-alliance.audits.unarray]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.4" +notes = """ +Crate is sound, albeit leaky, and not actively malicious. Probably not the best +crate to use in practice but it's suitable for testing dependencies. +""" + +[[audits.embark-studios.audits.tap]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.fermyon.audits.oorandom]] +who = "Radu Matei " +criteria = "safe-to-run" +version = "11.1.3" + +[[audits.google.audits.addr2line]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.19.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.aho-corasick]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "1.1.2" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.autocfg]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits except for reasonable, client-controlled usage of +`std::fs` in `AutoCfg::with_dir`. + +This crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/591a0f30c5eac93b6a3d981c2714ffa4db28dbcb +The CL description contains a link to a Google-internal document with audit details. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.backtrace]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.3.67" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.3.2" +notes = """ +Security review of earlier versions of the crate can be found at +(Google-internal, sorry): go/image-crate-chromium-security-review + +The crate exposes a function marked as `unsafe`, but doesn't use any +`unsafe` blocks (except for tests of the single `unsafe` function). I +think this justifies marking this crate as `ub-risk-1`. + +Additional review comments can be found at https://crrev.com/c/4723145/31 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.byteorder]] +who = "danakj " +criteria = "safe-to-deploy" +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.cast]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.3.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cpp_demangle]] +who = "Hidenori Kobayashi " +criteria = "safe-to-run" +version = "0.4.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.hashbrown]] +who = "Nicholas Bishop " +criteria = "safe-to-run" +version = "0.13.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.hashbrown]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.13.2 -> 0.14.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.indexmap]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "1.9.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.indexmap]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.9.3 -> 2.1.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.is-terminal]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.4.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.is-terminal]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.2 -> 0.4.9" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.itertools]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.10.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.itoa]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.10" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +There are a few places where `unsafe` is used. Unsafe review notes can be found +in https://crrev.com/c/5350697. + +Version 1.0.1 of this crate has been added to Chromium in +https://crrev.com/c/3321896. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.lazy_static]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +There are two places where `unsafe` is used. Unsafe review notes can be found +in https://crrev.com/c/5347418. + +This crate has been added to Chromium in https://crrev.com/c/3321895. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.memchr]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "2.6.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.nix]] +who = "David Koloski " +criteria = "safe-to-run" +version = "0.26.2" +notes = """ +Reviewed on https://fxrev.dev/780283 +Issues: +- https://github.com/nix-rust/nix/issues/1975 +- https://github.com/nix-rust/nix/issues/1977 +- https://github.com/nix-rust/nix/pull/1978 +- https://github.com/nix-rust/nix/pull/1979 +- https://github.com/nix-rust/nix/issues/1980 +- https://github.com/nix-rust/nix/issues/1981 +- https://github.com/nix-rust/nix/pull/1983 +- https://github.com/nix-rust/nix/issues/1990 +- https://github.com/nix-rust/nix/pull/1992 +- https://github.com/nix-rust/nix/pull/1993 +""" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.object]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.30.3" +notes = "I'm not counting the code related to the GNU Hash section as crypto for the sake of this review." +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.object]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.31.1 -> 0.32.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.2.9" +notes = "Reviewed on https://fxrev.dev/824504" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rand_chacha]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.3.1" +notes = """ +For more detailed unsafe review notes please see https://crrev.com/c/6362797 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rand_core]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.6.4" +notes = """ +For more detailed unsafe review notes please see https://crrev.com/c/6362797 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.regex]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "1.10.2" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.regex-automata]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.4.3" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustc-demangle]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.1.23" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.same-file]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.0.6" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.serde_json]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "1.0.108" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.shlex]] +who = "Daniel Verkamp " +criteria = "safe-to-run" +delta = "1.1.0 -> 1.3.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.stable_deref_trait]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "1.2.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tinytemplate]] +who = "Ying Hsu " +criteria = "safe-to-run" +version = "1.2.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-ident]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.12" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +All two functions from the public API of this crate use `unsafe` to avoid bound +checks for an array access. Cross-module analysis shows that the offsets can +be statically proven to be within array bounds. More details can be found in +the unsafe review CL at https://crrev.com/c/5350386. + +This crate has been added to Chromium in https://crrev.com/c/3891618. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.version_check]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.9.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.winapi]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.3.9" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.winapi-util]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.1.6" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.isrg.audits.either]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "1.6.1" + +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.11 -> 0.2.12" + +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.12 -> 0.2.14" + +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.15" + +[[audits.isrg.audits.getrandom]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.3.3 -> 0.3.4" + +[[audits.isrg.audits.num-bigint]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.4.3 -> 0.4.4" + +[[audits.isrg.audits.num-traits]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.15 -> 0.2.16" + +[[audits.isrg.audits.num-traits]] +who = "Ameer Ghani " +criteria = "safe-to-deploy" +delta = "0.2.16 -> 0.2.17" + +[[audits.isrg.audits.once_cell]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.17.1 -> 1.17.2" + +[[audits.isrg.audits.once_cell]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.17.2 -> 1.18.0" + +[[audits.isrg.audits.once_cell]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.18.0 -> 1.19.0" + +[[audits.isrg.audits.opaque-debug]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.3.0" + +[[audits.isrg.audits.rayon]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" + +[[audits.isrg.audits.rayon]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.isrg.audits.rayon-core]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.10.2 -> 1.11.0" + +[[audits.isrg.audits.rayon-core]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.11.0 -> 1.12.0" + +[[audits.isrg.audits.subtle]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "2.5.0 -> 2.6.1" + +[[audits.isrg.audits.universal-hash]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.4.1" + +[[audits.isrg.audits.universal-hash]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.5.0 -> 0.5.1" + +[[audits.isrg.audits.wasm-bindgen-shared]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.2.83" + +[[audits.mozilla.audits.bit-set]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.2" +notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-set]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.2 -> 0.5.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "1.3.2 -> 2.0.2" +notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "2.0.2 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "2.2.1 -> 2.3.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "2.3.3 -> 2.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" +notes = "Only allowing new clippy lints" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.crypto-common]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.debugid]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +version = "0.8.0" +notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.document-features]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +version = "0.2.8" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.8.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.errno]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.3.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fnv]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.7" +notes = "Simple hasher implementation with no unsafe code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.getrandom]] +who = "Chris Martin " +criteria = "safe-to-deploy" +delta = "0.2.15 -> 0.3.1" +notes = """ +I've looked over all unsafe code, and it appears to be safe, fully initializing the rng buffers. +In addition, I've checked Linux, Windows, Mac, and Android more thoroughly against API +documentation. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.getrandom]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.3.1 -> 0.3.3" +notes = """ +Biggest non-trivial change is a new UEFI back-end, which looks reasonable to +the best of my ability: There's some trickiness on initialization but doesn't +look unsafe, at worse it leaks, and it might not if the relevant pointers are +static/non-owning. Other changes also look reasonable too: some tweaks to +inlining and a syscall-based linux back-end, whose relevant unsafe code looks +reasonable. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.half]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "1.8.2" +notes = """ +This crate contains unsafe code for bitwise casts to/from binary16 floating-point +format. I've reviewed these and found no issues. There are no uses of ambient +capabilities. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hex]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "0.4.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.litrs]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +version = "0.4.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.4.17" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.4.17 -> 0.4.18" +notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Kagami Sascha Rosylight " +criteria = "safe-to-deploy" +delta = "0.4.18 -> 0.4.20" +notes = "Only cfg attribute and internal macro changes and module refactorings" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-bigint]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.4.3" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-integer]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.1.45" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-traits]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.12.0 -> 1.13.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.13.1 -> 1.16.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.16.0 -> 1.17.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro-error-attr2]] +who = "Kagami Sascha Rosylight " +criteria = "safe-to-deploy" +version = "2.0.0" +notes = "No unsafe block." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.proc-macro-error2]] +who = "Kagami Sascha Rosylight " +criteria = "safe-to-deploy" +version = "2.0.1" +notes = "No unsafe block with a lovely `#![forbid(unsafe_code)]`." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.5.3" +notes = "All code written or reviewed by Josh Stone or Niko Matsakis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.5.3 -> 1.6.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon-core]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.9.3" +notes = "All code written or reviewed by Josh Stone or Niko Matsakis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.3 -> 1.10.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.10.1 -> 1.10.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.subtle]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "2.5.0" +notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.tracing-core]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.30" +notes = """ +Most unsafe code is in implementing non-std sync primitives. Unsafe impls are +logically correct and justified in comments, and unsafe code is sound and +justified in comments. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zeroize_derive]] +who = "Benjamin Beurdouche " +criteria = "safe-to-deploy" +version = "1.4.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.zcash.audits.arrayref]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +delta = "0.3.6 -> 0.3.7" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.backtrace]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.67 -> 0.3.69" +notes = """ +Changes to `unsafe` blocks: +- New call to `GetCurrentProcessId` on Windows, to help generate a process-unique name to + use inside an existing `CreateMutexA` call. +- Uses `libc::mmap64` on Linux instead of `libc::mmap`. +- Alters `Stash` to allow caching more than one `Mmap`; the existing `unsafe` safety + condition continues to be applicable. + +There are also several more places where DWARF data is mmapped from a filesystem path and +then loaded. These appear to all derive from existing paths that themselves were already +being mmapped and loaded. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.backtrace]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.69 -> 0.3.71" +notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.constant_time_eq]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" +notes = "No code changes." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.constant_time_eq]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.5 -> 0.2.6" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.either]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.9.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.3 -> 0.3.8" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.9" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.10 -> 0.3.11" +notes = "The `__errno` location for vxworks and cygwin looks correct from a quick search." +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.11 -> 0.3.13" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.errno]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.13 -> 0.3.14" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.getset]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +Does what it says on the tin. The proc macro generates unsurprising and obvious +code, and does not produce unsafe code or access any imports. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.memchr]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.6.3 -> 2.6.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.nix]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.26.2 -> 0.26.4" +notes = """ +Most of the `unsafe` changes are cleaning up their usage: +- Replacing `data.len() * std::mem::size_of::<$ty>()` with `std::mem::size_of_val(data)`. +- Removing some `mem::transmute`s. +- Using `*mut` instead of `*const` to convey intended semantics. + +A new unsafe trait method `SockaddrLike::set_length` is added; it's impls look fine. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.r-efi]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "5.2.0 -> 5.3.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.rand_xorshift]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.3.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.redjubjub]] +who = "Daira Emma Hopwood " +criteria = "safe-to-deploy" +version = "0.7.0" +notes = """ +This crate is a thin wrapper around the `reddsa` crate, which I did not review. I also +did not review tests or verify test vectors. + +The comment on `batch::Verifier::verify` has an error in the batch verification equation, +filed as https://github.com/ZcashFoundation/redjubjub/issues/163 . It does not affect the +implementation which just delegates to `reddsa`. `reddsa` has the same comment bug filed as +https://github.com/ZcashFoundation/reddsa/issues/52 , but its batch verification implementation +is correct. (I checked the latter against https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate +which has had previous cryptographic review by NCC group; see finding NCC-Zcash2018-009 in +https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf ). +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.redjubjub]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.7.0 -> 0.8.0" +notes = "This release adds `no-std` compatibility." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.tracing-core]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.30 -> 0.1.31" +notes = """ +The only new `unsafe` block is to intentionally leak a scoped subscriber onto +the heap when setting it as the global default dispatcher. I checked that the +global default can only be set once and is never dropped. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.tracing-core]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.31 -> 0.1.32" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.universal-hash]] +who = "Daira Hopwood " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.5.0" +notes = "I checked correctness of to_blocks which uses unsafe code in a safe function." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wasm-bindgen-shared]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.83 -> 0.2.84" +notes = "Bumps the schema version to add `linked_modules`." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wasm-bindgen-shared]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.84 -> 0.2.87" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wasm-bindgen-shared]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.87 -> 0.2.89" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" From 22237cac8e79af724f8f8afa8baf85b17bb159ed Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 21 Apr 2026 11:06:24 -0600 Subject: [PATCH 12/13] Update to `typenum 0.20` This update removes the `no_std` feature from `typenum`; --no-default-features behavior is now correct and does not require additional flagging for `no_std` support. --- .github/workflows/ci.yml | 3 --- Cargo.lock | 4 ++-- README.md | 1 - supply-chain/config.toml | 2 +- 4 files changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c664b551..99a1cd40 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -65,9 +65,6 @@ jobs: - name: Add lazy_static with the spin_no_std feature working-directory: ./ci-build run: cargo add lazy_static --no-default-features --features "spin_no_std" - - name: Add typenum with the no_std feature - working-directory: ./ci-build - run: cargo add typenum --no-default-features --features "no_std" - name: Copy pinned dependencies into synthetic crate run: cp crate_root/Cargo.lock ci-build/ - name: Show Cargo.toml for the synthetic crate diff --git a/Cargo.lock b/Cargo.lock index 90885c8c..620a999c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1559,9 +1559,9 @@ checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54" [[package]] name = "typenum" -version = "1.17.0" +version = "1.20.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" +checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de" [[package]] name = "unarray" diff --git a/README.md b/README.md index 70d57df9..79b3526e 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,6 @@ In order to take advantage of `no_std` builds, downstream users of this crate must enable: * the `spin_no_std` feature of the `lazy_static` crate; and -* the `no_std` feature of the `typenum` crate. This is needed because the `--no-default-features` builds of these crates still rely on `std`. diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 01e15512..931a83f9 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -417,7 +417,7 @@ version = "0.1.40" criteria = "safe-to-deploy" [[exemptions.typenum]] -version = "1.17.0" +version = "1.20.0" criteria = "safe-to-deploy" [[exemptions.uuid]] From 8186b407b47b595a2ea4f04c73d59fdd83bd401f Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 21 Apr 2026 10:56:57 -0600 Subject: [PATCH 13/13] Release sapling-crypto version 0.7.0 --- CHANGELOG.md | 3 +++ Cargo.lock | 2 +- Cargo.toml | 2 +- supply-chain/imports.lock | 4 ++++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f9a1ea4..04167fc4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,8 +7,11 @@ and this library adheres to Rust's notion of ## [Unreleased] +## [0.7.0] - 2026-04-21 + ### Changed - MSRV is now 1.85.1 +- Migrated from the yanked `core2` crate to `corez` for no_std IO support. - `sapling_crypto::pczt::Bundle::extract` now takes its `self` argument by reference instead of by value. diff --git a/Cargo.lock b/Cargo.lock index 620a999c..d22a0182 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1322,7 +1322,7 @@ dependencies = [ [[package]] name = "sapling-crypto" -version = "0.6.2" +version = "0.7.0" dependencies = [ "aes", "bellman", diff --git a/Cargo.toml b/Cargo.toml index 35508a0e..864bc057 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "sapling-crypto" -version = "0.6.2" +version = "0.7.0" authors = [ "Sean Bowe ", "Jack Grigg ", diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 7269ae35..0d98d6f6 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,6 +1,10 @@ # cargo-vet imports lock +[[unpublished.sapling-crypto]] +version = "0.7.0" +audited_as = "0.6.2" + [[publisher.bumpalo]] version = "3.14.0" when = "2023-09-14"