path: root/supply-chain/imports.lock

# cargo-vet imports lock

[[publisher.aho-corasick]]
version = "1.1.4"
when = "2025-10-28"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.libc]]
version = "0.2.177"
when = "2025-10-09"
user-id = 55123
user-login = "rust-lang-owner"

[[publisher.loom]]
version = "0.7.2"
when = "2024-04-23"
user-id = 6741
user-login = "Darksonn"
user-name = "Alice Ryhl"

[[publisher.memchr]]
version = "2.7.6"
when = "2025-09-25"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.paste]]
version = "1.0.15"
when = "2024-05-07"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.regex-automata]]
version = "0.4.13"
when = "2025-10-13"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.regex-syntax]]
version = "0.8.8"
when = "2025-10-13"
user-id = 189
user-login = "BurntSushi"
user-name = "Andrew Gallant"

[[publisher.rustversion]]
version = "1.0.22"
when = "2025-08-08"
user-id = 3618
user-login = "dtolnay"
user-name = "David Tolnay"

[[publisher.scoped-tls]]
version = "1.0.1"
when = "2022-10-31"
user-id = 1
user-login = "alexcrichton"
user-name = "Alex Crichton"

[[publisher.thread_local]]
version = "1.1.9"
when = "2025-06-12"
user-id = 2915
user-login = "Amanieu"
user-name = "Amanieu d'Antras"

[[publisher.tracing-subscriber]]
version = "0.3.20"
when = "2025-08-29"
user-id = 10
user-login = "carllerche"
user-name = "Carl Lerche"

[[publisher.windows]]
version = "0.61.3"
when = "2025-06-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-collections]]
version = "0.2.0"
when = "2025-03-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-core]]
version = "0.61.2"
when = "2025-05-19"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-future]]
version = "0.2.1"
when = "2025-05-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-implement]]
version = "0.60.2"
when = "2025-10-06"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-interface]]
version = "0.59.3"
when = "2025-10-06"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-link]]
version = "0.1.3"
when = "2025-06-12"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-link]]
version = "0.2.1"
when = "2025-10-06"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-numerics]]
version = "0.2.0"
when = "2025-03-18"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-result]]
version = "0.3.4"
when = "2025-05-19"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-strings]]
version = "0.4.2"
when = "2025-05-19"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-sys]]
version = "0.61.2"
when = "2025-10-06"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[[publisher.windows-threading]]
version = "0.1.0"
when = "2025-05-15"
user-id = 64539
user-login = "kennykerr"
user-name = "Kenny Kerr"

[audits.OpenDevicePartnership.audits]

[[audits.bytecode-alliance.audits.embedded-io]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
version = "0.4.0"
notes = "No `unsafe` code and only uses `std` in ways one would expect the crate to do so."

[[audits.bytecode-alliance.audits.embedded-io]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.6.1"
notes = "Major updates, but almost all safe code. Lots of pruning/deletions, nothing out of the ordrinary."

[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."

[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.31"

[[audits.bytecode-alliance.audits.futures-sink]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
version = "0.3.27"

[[audits.bytecode-alliance.audits.futures-sink]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.31"

[[audits.bytecode-alliance.audits.log]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.4.22 -> 0.4.27"
notes = "Lots of minor updates to macros and such, nothing touching `unsafe`"

[[audits.bytecode-alliance.audits.log]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.4.27 -> 0.4.28"
notes = "Minor doc updates and lots new tests, nothing out of the ordinary."

[[audits.bytecode-alliance.audits.matchers]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
version = "0.1.0"

[[audits.bytecode-alliance.audits.matchers]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.2.0"
notes = "Some unsafe code, but not more than before. Nothing awry."

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
version = "0.46.0"
notes = "one use of unsafe to call windows specific api to get console handle."

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.46.0 -> 0.50.1"
notes = "Lots of stylistic/rust-related chanegs, plus new features, but nothing out of the ordrinary."

[[audits.bytecode-alliance.audits.nu-ansi-term]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.50.1 -> 0.50.3"
notes = "CI changes, Rust changes, nothing out of the ordinary."

[[audits.bytecode-alliance.audits.sharded-slab]]
who = "Pat Hickey <[email protected]>"
criteria = "safe-to-deploy"
version = "0.1.4"
notes = "I always really enjoy reading eliza's code, she left perfect comments at every use of unsafe."

[[audits.bytecode-alliance.audits.shlex]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin."

[[audits.bytecode-alliance.audits.tracing-attributes]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.28 -> 0.1.30"
notes = "Few code changes, a pretty minor update."

[[audits.bytecode-alliance.audits.tracing-core]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.33 -> 0.1.34"
notes = "Mostly just an update with Rust stylistic conventions changing. Nothing awry."

[[audits.bytecode-alliance.audits.tracing-log]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
version = "0.1.3"
notes = """
This is a standard adapter between the `log` ecosystem and the `tracing`
ecosystem. There's one `unsafe` block in this crate and it's well-scoped.
"""

[[audits.bytecode-alliance.audits.tracing-log]]
who = "Alex Crichton <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.2.0"
notes = "Nothing out of the ordinary, a typical major version update and nothing awry."

[[audits.google.audits.bitflags]]
who = "Lukasz Anforowicz <[email protected]>"
criteria = "safe-to-deploy"
version = "1.3.2"
notes = """
Security review of earlier versions of the crate can be found at
(Google-internal, sorry): go/image-crate-chromium-security-review

The crate exposes a function marked as `unsafe`, but doesn't use any
`unsafe` blocks (except for tests of the single `unsafe` function).  I
think this justifies marking this crate as `ub-risk-1`.

Additional review comments can be found at https://crrev.com/c/4723145/31
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.byteorder]]
who = "danakj <[email protected]>"
criteria = "safe-to-deploy"
version = "1.5.0"
notes = "Unsafe review in https://crrev.com/c/5838022"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz <[email protected]>"
criteria = "safe-to-deploy"
version = "1.4.0"
notes = '''
I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.

There are two places where `unsafe` is used.  Unsafe review notes can be found
in https://crrev.com/c/5347418.

This crate has been added to Chromium in https://crrev.com/c/3321895.
'''
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.lazy_static]]
who = "Lukasz Anforowicz <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.4.0 -> 1.5.0"
notes = "Unsafe review notes: https://crrev.com/c/5650836"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.log]]
who = "danakj <[email protected]>"
criteria = "safe-to-deploy"
version = "0.4.22"
notes = """
Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing

Unsafety is generally very well-documented, with one exception, which we
describe in the review doc.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.nb]]
who = "George Burgess IV <[email protected]>"
criteria = "safe-to-deploy"
version = "1.0.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.nb]]
who = "George Burgess IV <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.0.0 -> 0.1.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.nb]]
who = "George Burgess IV <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.1.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.google.audits.num-traits]]
who = "Manish Goregaokar <[email protected]>"
criteria = "safe-to-deploy"
version = "0.2.19"
notes = "Contains a single line of float-to-int unsafe with decent safety comments"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski <[email protected]>"
criteria = "safe-to-deploy"
version = "0.2.9"
notes = "Reviewed on https://fxrev.dev/824504"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.pin-project-lite]]
who = "David Koloski <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
notes = "Audited at https://fxrev.dev/946396"
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.smallvec]]
who = "Manish Goregaokar <[email protected]>"
criteria = "safe-to-deploy"
version = "1.13.2"
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.smallvec]]
who = "Jonathan Hao <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.13.2 -> 1.14.0"
notes = """
WARNING: This certification is a result of a **partial** audit. The
`malloc_size_of` feature has **not** been audited. This feature does
not explicitly document its safety requirements.
See also https://chromium-review.googlesource.com/c/chromium/src/+/6275133/comment/ea0d7a93_98051a2e/
and https://github.com/servo/malloc_size_of/issues/8.
This feature is banned in gnrt_config.toml.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

[[audits.google.audits.void]]
who = "George Burgess IV <[email protected]>"
criteria = "safe-to-deploy"
version = "1.0.2"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

[[audits.mozilla.audits.futures-core]]
who = "Mike Hommey <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.futures-sink]]
who = "Mike Hommey <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.once_cell]]
who = "Erich Gubler <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.20.1 -> 1.20.2"
notes = "This update works around a Cargo bug that forces the addition of `portable-atomic` into a lockfile, which we have never needed to use."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.once_cell]]
who = "Erich Gubler <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.20.2 -> 1.20.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.once_cell]]
who = "Erich Gubler <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.20.3 -> 1.21.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.once_cell]]
who = "Erich Gubler <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.21.1 -> 1.21.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.pin-project-lite]]
who = "Mike Hommey <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.2.13 -> 0.2.14"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.pin-project-lite]]
who = "Nika Layzell <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.2.14 -> 0.2.16"
notes = """
Only functional change is to work around a bug in the negative_impls feature
(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009)
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"

[[audits.mozilla.audits.sharded-slab]]
who = "Mark Hammond <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.4 -> 0.1.7"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.shlex]]
who = "Max Inden <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.1.0 -> 1.3.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.smallvec]]
who = "Erich Gubler <[email protected]>"
criteria = "safe-to-deploy"
delta = "1.14.0 -> 1.15.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.tracing]]
who = "Alex Franchuk <[email protected]>"
criteria = "safe-to-deploy"
version = "0.1.37"
notes = """
There's only one unsafe impl, and its purpose is to ensure correct behavior by
creating a non-Send marker type (it has nothing to do with soundness). All
dependencies make sense, and no side-effectful std functions are used.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.tracing]]
who = "Mark Hammond <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.37 -> 0.1.41"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.tracing-attributes]]
who = "Alex Franchuk <[email protected]>"
criteria = "safe-to-deploy"
version = "0.1.24"
notes = "No unsafe code, macros extensively tested and produce reasonable code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.tracing-attributes]]
who = "Mark Hammond <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.24 -> 0.1.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.tracing-core]]
who = "Alex Franchuk <[email protected]>"
criteria = "safe-to-deploy"
version = "0.1.30"
notes = """
Most unsafe code is in implementing non-std sync primitives. Unsafe impls are
logically correct and justified in comments, and unsafe code is sound and
justified in comments.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

[[audits.mozilla.audits.tracing-core]]
who = "Mark Hammond <[email protected]>"
criteria = "safe-to-deploy"
delta = "0.1.30 -> 0.1.33"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"