diff --git a/CHANGELOG.md b/CHANGELOG.md index becd4c28f2..3a809c0ac2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,7 @@ The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/ - `create_order`, `conclude_order`, `fill_order`, `freeze_order` were renamed to `order_create`, `order_conclude`, `order_fill`, `order_freeze`. - - The format of `PartiallySignedTransaction was changed again. + - The format of `PartiallySignedTransaction` was changed again. - Node RPC: - The result of `chainstate_order_info` now also indicates whether the order is frozen. @@ -58,6 +58,10 @@ The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/ - Parameters and/or returned values having the "plain" `Destination` type were incorrectly designated as "bech32 string", while in reality they are "hexified destination". + - General + - Fixed a bug that could lead to indefinite stalling of the node during initial sync when there + are many peers and the host machine is slow. + ## [1.2.0] - 2025-10-27 ### Changed diff --git a/Cargo.lock b/Cargo.lock index 0b550060af..64551f15ec 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1114,9 +1114,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.10.1" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a" +checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" [[package]] name = "calloop" 
@@ -5466,9 +5466,9 @@ checksum = "a4895175b425cb1f87721b59f0f286c2092bd4af812243672510e1ac53e2e0ad" [[package]] name = "oneshot" -version = "0.1.11" +version = "0.1.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4ce411919553d3f9fa53a0880544cda985a112117a0444d5ff1e870a893d6ea" +checksum = "269bca4c2591a28585d6bf10d9ed0332b7d76900a1b02bec41bdc3a2cdcda107" [[package]] name = "oorandom" @@ -8372,9 +8372,8 @@ dependencies = [ [[package]] name = "tokio" -version = "1.48.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ff360e02eab121e0bc37a2d3b4d4dc622e6eda3a8e5253d5435ecf5bd4c68408" +version = "1.49.0" +source = "git+https://github.com/tokio-rs/tokio?rev=0d6c7af3e43457350bdc03a6dbcafa276fab7352#0d6c7af3e43457350bdc03a6dbcafa276fab7352" dependencies = [ "bytes", "libc", @@ -8391,8 +8390,7 @@ dependencies = [ [[package]] name = "tokio-macros" version = "2.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "af407857209536a95c8e56f8231ef2c2e2aff839b22e07a1ffcbc617e9db9fa5" +source = "git+https://github.com/tokio-rs/tokio?rev=0d6c7af3e43457350bdc03a6dbcafa276fab7352#0d6c7af3e43457350bdc03a6dbcafa276fab7352" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index 36ace3a586..ce49fac580 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -257,7 +257,9 @@ testing_logger = "0.1" thiserror = "1.0" tracing = "0.1" tracing-subscriber = { version = "0.3", features = ["registry", "env-filter", "json"] } -tokio = { version = "1.27", default-features = false } +# Note: we use an unreleased version of Tokio, because we need a certain bugfix, see the `[patch.crates-io]` +# section for additional details. +tokio = { git = "https://github.com/tokio-rs/tokio", rev = "0d6c7af3e43457350bdc03a6dbcafa276fab7352", default-features = false } tokio-socks = "0.5" tokio-stream = "0.1" tokio-util = { version = "0.7", default-features = false } 
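Review bot: The tokio revision `0d6c7af3e43457350bdc03a6dbcafa276fab7352` is now hard-coded twice, here in the workspace dependency and again in the `[patch.crates-io]` hunk (`@@ -324,3 +326,8 @@`). If the two ever drift apart, Cargo would likely resolve two distinct tokio sources, and runtime types from one would not be interchangeable with the other. Since the patch entry already redirects every crates.io `tokio` requirement to the git revision, the direct git dependency appears redundant. Keeping a version requirement such as `tokio = { version = "1.49", default-features = false }` and relying on the patch alone would leave a single place to revert once the fix is released. If both entries stay, extend the comment to `# Keep this rev identical to the one in [patch.crates-io]; remove both once tokio 1.50 is released.`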
@@ -324,3 +326,8 @@ default = ["trezor"] # is fontconfig-parser <- fontdb <- cosmic-text <- various "iced" crates. # TODO: investigate this further. fontconfig-parser = { git = "https://github.com/Riey/fontconfig-parser", rev = "f7d13a779e6ee282ce75acbc00a1270c0350e0c2" } + +# We need this PR - https://github.com/tokio-rs/tokio/pull/7879 - to fix potential indefinite stalling of the chainstate +# subsystem (reproducible on a slow machine during initial sync with 30+ connected peers). +# The PR was merged after 1.49, so it should probably be part of 1.50 when it comes out. +tokio = { git = "https://github.com/tokio-rs/tokio", rev = "0d6c7af3e43457350bdc03a6dbcafa276fab7352" } diff --git a/deny.toml b/deny.toml index a2869ed63f..5c3e415b40 100644 --- a/deny.toml +++ b/deny.toml @@ -1,6 +1,7 @@ [sources.allow-org] github = [ "mintlayer", # allow any code from mintlayer's github + "tokio-rs", # we have to use an unreleased version of tokio at this moment ] [licenses] diff --git a/do_checks.sh b/do_checks.sh index ec886ff4fb..6abe98993d 100755 --- a/do_checks.sh +++ b/do_checks.sh @@ -8,12 +8,14 @@ PYTHON=$(which python || which python3) cd "$SCRIPT_DIR" +echo "Running cargo fmt" cargo fmt --check -- --config newline_style=Unix -# Install cargo deny first with: cargo install cargo-deny. # Note: "--allow duplicate" silences the warning "found x duplicate entries for crate y". +echo "Running cargo deny" cargo deny check --allow duplicate --hide-inclusion-graph +echo "Running cargo vet" cargo vet check --locked CLIPPY_VERSION_RESPONSE=$(cargo clippy --version) @@ -46,6 +48,7 @@ fi # replaced with `x.is_multiple_of(2)`, which is a questionable improvement. # * "let_and_return" is disabled because having `let` before returning can be useful at least # as a potential place for a breakpoint. +echo "Running clippy" EXTRA_ARGS=() if [[ $CLIPPY_VERSION -ge 1089 ]]; then EXTRA_ARGS+=(-A clippy::infallible_try_from) 
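Review bot: Adding `"tokio-rs"` to `[sources.allow-org] github` in deny.toml admits any repository in that organisation as a git source, which is wider than the one pinned repository this change needs. cargo-deny's `allow-git` key under `[sources]` takes individual repository URLs, so `allow-git = ["https://github.com/tokio-rs/tokio"]` would scope the exception to that repository. The inline comment should also say when the entry can go, for example `# temporary: unreleased tokio for tokio-rs/tokio#7879, remove once 1.50 is out`, so that the allowance does not outlive the pin.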
@@ -79,7 +82,9 @@ cargo clippy --all-features --workspace --lib --bins --examples -- \ -D clippy::fallible_impl_from \ -D clippy::string_slice +echo "Running codecheck.py" "$PYTHON" "build-tools/codecheck/codecheck.py" # Ensure that wasm documentation is up-to-date +echo "Checking WASM documentation" cargo run -p wasm-doc-gen -- -o wasm-wrappers/WASM-API.md --check diff --git a/subsystem/src/calls/blocking.rs b/subsystem/src/calls/blocking.rs index 543685c35f..22b532ba9a 100644 --- a/subsystem/src/calls/blocking.rs +++ b/subsystem/src/calls/blocking.rs @@ -21,9 +21,9 @@ use utils::shallow_clone::ShallowClone; /// Blocking version of [Handle]. /// -/// This should be used sparingly as blocking calls induce non-trivial overhead. The call takes up -/// a thread in the runtime thread pool. If there is not enough threads for all simultaneous -/// blocking calls, a new one is spawned. +/// The implementation is based on `tokio::task::block_in_place`, which hands off existing tasks +/// from the current thread to another one (via `spawn_blocking`) and then runs the provided +/// blocking closure on the current thread. pub struct BlockingHandle(Handle); impl Clone for BlockingHandle { diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 36eea365fd..b87143333e 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -37,6 +37,12 @@ audit-as-crates-io = true [policy.lmdb-rkv-sys] audit-as-crates-io = false +[policy.tokio] +audit-as-crates-io = true + +[policy.tokio-macros] +audit-as-crates-io = true + [policy.trezor-client] audit-as-crates-io = false @@ -132,10 +138,6 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.block2]] -version = "0.6.2" -criteria = "safe-to-deploy" - [[exemptions.borsh-derive]] version = "1.5.7" criteria = "safe-to-deploy" 
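Review bot: The rewritten doc comment on `BlockingHandle` explains the mechanism but no longer tells callers when the handle is unsuitable. The earlier "use sparingly" guidance is gone, and `tokio::task::block_in_place` panics when called from a `current_thread` runtime, which is the constraint a caller most needs to see here. Consider appending `/// Must be used from a multi-threaded runtime: block_in_place panics on a current_thread runtime.` and a sentence on the cost of handing the worker's tasks off to another thread. The struct's impls lie outside this hunk, so whether the implementation already guards against that case is not visible.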
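Review bot: The new `[policy.tokio]` and `[policy.tokio-macros]` entries work together with the `[[exemptions.tokio]]` and `[[exemptions.tokio-macros]]` entries added in the later hunk (`@@ -1284,16 +1238,16 @@`). The result is that unreleased code at a git revision is accepted as `safe-to-deploy` with no recorded review, while the imports.lock hunk drops the publisher entries that previously covered tokio 1.48.0 and tokio-macros 2.6.0. A delta audit to `1.49.0@git:0d6c7af3e43457350bdc03a6dbcafa276fab7352` from a version that is already trusted would document what was actually reviewed. Failing that, give each exemption a `notes` field such as `notes = "temporary: unreleased rev carrying tokio-rs/tokio#7879; drop when 1.50 is released"` so the exemption is revisited rather than silently carried forward.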
@@ -558,7 +560,7 @@ criteria = "safe-to-deploy" [[exemptions.iri-string]] version = "0.7.9" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.jni-sys]] version = "0.3.0" @@ -700,10 +702,6 @@ criteria = "safe-to-deploy" version = "0.29.0" criteria = "safe-to-deploy" -[[exemptions.nu-ansi-term]] -version = "0.50.3" -criteria = "safe-to-deploy" - [[exemptions.num-format]] version = "0.4.4" criteria = "safe-to-deploy" @@ -728,10 +726,6 @@ criteria = "safe-to-deploy" version = "0.5.2" criteria = "safe-to-deploy" -[[exemptions.objc2]] -version = "0.6.3" -criteria = "safe-to-deploy" - [[exemptions.objc2-app-kit]] version = "0.2.2" criteria = "safe-to-deploy" @@ -752,10 +746,6 @@ criteria = "safe-to-deploy" version = "0.2.2" criteria = "safe-to-deploy" -[[exemptions.objc2-core-foundation]] -version = "0.3.2" -criteria = "safe-to-deploy" - [[exemptions.objc2-core-image]] version = "0.2.2" criteria = "safe-to-deploy" @@ -764,18 +754,10 @@ criteria = "safe-to-deploy" version = "0.2.2" criteria = "safe-to-deploy" -[[exemptions.objc2-encode]] -version = "4.1.0" -criteria = "safe-to-deploy" - [[exemptions.objc2-foundation]] version = "0.2.2" criteria = "safe-to-deploy" -[[exemptions.objc2-foundation]] -version = "0.3.2" -criteria = "safe-to-deploy" - [[exemptions.objc2-link-presentation]] version = "0.2.2" criteria = "safe-to-deploy" @@ -809,13 +791,9 @@ version = "0.1.2" criteria = "safe-to-deploy" [[exemptions.oneshot]] -version = "0.1.11" +version = "0.1.13" criteria = "safe-to-deploy" -[[exemptions.oorandom]] -version = "11.1.5" -criteria = "safe-to-run" - [[exemptions.orbclient]] version = "0.3.48" criteria = "safe-to-deploy" @@ -864,10 +842,6 @@ criteria = "safe-to-deploy" version = "0.2.4" criteria = "safe-to-deploy" -[[exemptions.pkg-config]] -version = "0.3.32" -criteria = "safe-to-deploy" - [[exemptions.plotters]] version = "0.3.7" criteria = "safe-to-run" 
@@ -1068,14 +1042,6 @@ criteria = "safe-to-deploy" version = "2.1.0" criteria = "safe-to-deploy" -[[exemptions.rustls-pemfile]] -version = "1.0.4" -criteria = "safe-to-deploy" - -[[exemptions.rustls-pemfile]] -version = "2.2.0" -criteria = "safe-to-deploy" - [[exemptions.rusty-fork]] version = "0.3.1" criteria = "safe-to-deploy" @@ -1092,10 +1058,6 @@ criteria = "safe-to-run" version = "0.1.28" criteria = "safe-to-deploy" -[[exemptions.schemars]] -version = "0.9.0" -criteria = "safe-to-deploy" - [[exemptions.schemars]] version = "1.0.4" criteria = "safe-to-deploy" @@ -1104,10 +1066,6 @@ criteria = "safe-to-deploy" version = "0.11.5" criteria = "safe-to-deploy" -[[exemptions.sct]] -version = "0.7.1" -criteria = "safe-to-deploy" - [[exemptions.sctk-adwaita]] version = "0.10.1" criteria = "safe-to-deploy" @@ -1122,7 +1080,7 @@ criteria = "safe-to-deploy" [[exemptions.security-framework]] version = "2.11.1" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.security-framework]] version = "3.5.1" @@ -1240,10 +1198,6 @@ criteria = "safe-to-deploy" version = "0.1.19" criteria = "safe-to-deploy" -[[exemptions.sync_wrapper]] -version = "0.1.2" -criteria = "safe-to-run" - [[exemptions.sync_wrapper]] version = "1.0.2" criteria = "safe-to-deploy" @@ -1284,16 +1238,16 @@ criteria = "safe-to-deploy" version = "1.10.0" criteria = "safe-to-deploy" -[[exemptions.tokio-socks]] -version = "0.5.2" +[[exemptions.tokio]] +version = "1.49.0@git:0d6c7af3e43457350bdc03a6dbcafa276fab7352" criteria = "safe-to-deploy" -[[exemptions.tower]] -version = "0.4.13" +[[exemptions.tokio-macros]] +version = "2.6.0@git:0d6c7af3e43457350bdc03a6dbcafa276fab7352" criteria = "safe-to-deploy" -[[exemptions.tower-http]] -version = "0.4.4" +[[exemptions.tokio-socks]] +version = "0.5.2" criteria = "safe-to-deploy" [[exemptions.tower-http]] 
@@ -1488,10 +1442,6 @@ criteria = "safe-to-deploy" version = "0.10.1" criteria = "safe-to-deploy" -[[exemptions.winreg]] -version = "0.50.0" -criteria = "safe-to-run" - [[exemptions.winres]] version = "0.1.12" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 2d5314cb88..1584c5b2ab 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -275,8 +275,8 @@ user-login = "mbrubeck" user-name = "Matt Brubeck" [[publisher.bytes]] -version = "1.10.1" -when = "2025-03-05" +version = "1.11.1" +when = "2026-02-03" user-id = 6741 user-login = "Darksonn" user-name = "Alice Ryhl" @@ -511,13 +511,6 @@ user-id = 3797 user-login = "JelteF" user-name = "Jelte Fennema-Nio" -[[publisher.digest]] -version = "0.9.0" -when = "2020-06-10" -user-id = 267 -user-login = "tarcieri" -user-name = "Tony Arcieri" - [[publisher.digest]] version = "0.10.7" when = "2023-05-19" @@ -706,13 +699,6 @@ user-id = 1300 user-login = "bluejekyll" user-name = "Benjamin Fry" -[[publisher.http]] -version = "0.2.12" -when = "2024-03-04" -user-id = 359 -user-login = "seanmonstar" -user-name = "Sean McArthur" - [[publisher.http]] version = "1.3.1" when = "2025-03-11" @@ -720,13 +706,6 @@ user-id = 359 user-login = "seanmonstar" user-name = "Sean McArthur" -[[publisher.http-body]] -version = "0.4.6" -when = "2023-12-08" -user-id = 359 -user-login = "seanmonstar" -user-name = "Sean McArthur" - [[publisher.http-body-util]] version = "0.1.3" when = "2025-03-11" @@ -748,13 +727,6 @@ user-id = 4556 user-login = "djc" user-name = "Dirkjan Ochtman" -[[publisher.hyper]] -version = "0.14.32" -when = "2024-12-16" -user-id = 359 -user-login = "seanmonstar" -user-name = "Sean McArthur" - [[publisher.hyper]] version = "1.7.0" when = "2025-08-18" 
@@ -1493,13 +1465,6 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" -[[publisher.sha-1]] -version = "0.9.8" -when = "2021-08-27" -user-id = 267 -user-login = "tarcieri" -user-name = "Tony Arcieri" - [[publisher.sha-1]] version = "0.10.1" when = "2022-11-28" @@ -1598,20 +1563,6 @@ user-id = 15682 user-login = "jhpratt" user-name = "Jacob Pratt" -[[publisher.tokio]] -version = "1.48.0" -when = "2025-10-14" -user-id = 6741 -user-login = "Darksonn" -user-name = "Alice Ryhl" - -[[publisher.tokio-macros]] -version = "2.6.0" -when = "2025-10-14" -user-id = 6741 -user-login = "Darksonn" -user-name = "Alice Ryhl" - [[publisher.tokio-postgres]] version = "0.7.15" when = "2025-10-08" @@ -2426,12 +2377,6 @@ criteria = "safe-to-deploy" version = "0.21.0" notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." -[[audits.bytecode-alliance.audits.beef]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "0.5.2" -notes = "This is a more compact implementation of std's Cow. It uses lots of unsafe, but appears sound in my audit." - [[audits.bytecode-alliance.audits.bitflags]] who = "Jamey Sharp " criteria = "safe-to-deploy" 
@@ -2715,6 +2660,24 @@ criteria = "safe-to-deploy" delta = "0.2.11 -> 0.2.14" notes = "Minor changes, mostly around updating some dependencies, directives, etc." +[[audits.bytecode-alliance.audits.nu-ansi-term]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.46.0" +notes = "one use of unsafe to call windows specific api to get console handle." + +[[audits.bytecode-alliance.audits.nu-ansi-term]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.46.0 -> 0.50.1" +notes = "Lots of stylistic/rust-related chanegs, plus new features, but nothing out of the ordrinary." + +[[audits.bytecode-alliance.audits.nu-ansi-term]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.50.1 -> 0.50.3" +notes = "CI changes, Rust changes, nothing out of the ordinary." + [[audits.bytecode-alliance.audits.num-traits]] who = "Andrew Brown " criteria = "safe-to-deploy" @@ -2747,6 +2710,26 @@ who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.25" +notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.3.26 -> 0.3.29" +notes = """ +No `unsafe` additions or anything outside of the purview of the crate in this +change. +""" + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "0.3.29 -> 0.3.32" + [[audits.bytecode-alliance.audits.sha1]] who = "Andrew Brown " criteria = "safe-to-deploy" 
@@ -2952,6 +2935,12 @@ criteria = "safe-to-deploy" version = "0.1.1" notes = "Tiny crate that initializes Android with FFI, looks sane. No other ambient capabilities" +[[audits.embark-studios.audits.schemars]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.8.12" +notes = "No unsafe usage (forbidden) or ambient capabilities" + [[audits.embark-studios.audits.tap]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -3018,13 +3007,6 @@ version = "1.4.0" notes = "Contains no unsafe" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.base64]] -who = "Adam Langley " -criteria = "safe-to-deploy" -version = "0.13.1" -notes = "Skimmed the uses of `std` to ensure that nothing untoward is happening. Code uses `forbid(unsafe_code)` and, indeed, there are no uses of `unsafe`" -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.base64]] who = "amarjotgill " criteria = "safe-to-deploy" @@ -3322,12 +3304,6 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" -[[audits.google.audits.http-range-header]] -who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "0.3.1" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - [[audits.google.audits.httpdate]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -4226,7 +4202,7 @@ who = "Nicolas Silva " criteria = "safe-to-deploy" user-id = 1281 # Nicolas Silva (nical) start = "2019-03-14" -end = "2025-04-25" +end = "2027-01-15" notes = "I wrote most of the commits in the euclid reprository and review every change that is not produced by me." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" @@ -4400,6 +4376,13 @@ criteria = "safe-to-deploy" delta = "0.10.2 -> 0.10.3" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.block2]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "0.6.2" +notes = "Contains unsafe code to interoperate with the ObjC runtime." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.borsh]] who = "Nika Layzell " criteria = "safe-to-deploy" @@ -4573,12 +4556,6 @@ criteria = "safe-to-deploy" delta = "0.15.2 -> 0.15.5" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.hashbrown]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "0.15.5 -> 0.16.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.hex]] who = "Simon Friedberger " criteria = "safe-to-deploy" 
@@ -4813,6 +4790,65 @@ criteria = "safe-to-deploy" delta = "0.4.0 -> 0.4.2" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.objc2]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = """ +Contains substantial unsafe code, as is typical for FFI. + +The (non-published) `header-translator` crate that produces generated bindings +appearing in other `objc2-*` crates was also reviewed, in lieu of a full review +of the generated bindings. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.objc2-core-foundation]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "0.3.2" +notes = """ +Contains substantial unsafe code, as is typical for FFI. + +The (non-published) `header-translator` crate that produces generated bindings +in this crate was also reviewed, in lieu of a full review of the generated +bindings. + +Users of this crate should be aware of the information in +https://github.com/madsmtm/objc2/blob/main/crates/objc2/src/topics/frameworks_soundness.md. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.objc2-encode]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "4.1.0" +notes = "Support library for objc2 with no unsafe code" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.objc2-foundation]] +who = "Andy Leiserson " +criteria = "safe-to-deploy" +version = "0.3.2" +notes = """ +Contains substantial unsafe code, as is typical for FFI. + +The (non-published) `header-translator` crate that produces generated bindings +in this crate was also reviewed, in lieu of a full review of the generated +bindings. 
+ +Users of this crate should be aware of the information in +https://github.com/madsmtm/objc2/blob/main/crates/objc2/src/topics/frameworks_soundness.md. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.oorandom]] +who = "Jan-Erik Rediger " +criteria = "safe-to-run" +version = "11.1.5" +notes = "Small random number generator, explicitly not cryptographically secure, no use of unsafe code, no dependencies" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.option-ext]] who = "Nika Layzell " criteria = "safe-to-deploy" @@ -4847,6 +4883,12 @@ Only functional change is to work around a bug in the negative_impls feature """ aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" +[[audits.mozilla.audits.pkg-config]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.25 -> 0.3.26" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.powerfmt]] who = "Alex Franchuk " criteria = "safe-to-deploy" 
@@ -5448,6 +5490,17 @@ delta = "0.4.0 -> 0.4.1" notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.schemars]] +who = "Schell Carl Scivally " +criteria = "safe-to-deploy" +delta = "0.8.12 -> 0.9.0" +notes = """ +The changes are primarily API refactoring and simplification, dependency updates, new type implementations, and feature flag reorganization. +The crate changed from #![forbid(unsafe_code)] (line 9347) to #![deny(unsafe_code)] (line 9348), to accommodate the ref-cast crate integration which requires #[allow(unsafe_code)] on specific functions. +The only notable change is the ref-cast usage which is a sound pattern for creating transparent newtype wrappers. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.sharded-slab]] who = "Jack Grigg " criteria = "safe-to-deploy"