diff --git a/Cargo.lock b/Cargo.lock index e781012a0249..5c52cf7638cf 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -371,7 +371,7 @@ dependencies = [ "cap-primitives", "cap-std", "rustix 1.0.8", - "smallvec", + "smallvec 1.15.1", ] [[package]] @@ -776,7 +776,7 @@ dependencies = [ "serde_derive", "sha2", "similar", - "smallvec", + "smallvec 1.15.1", "souper-ir", "target-lexicon", "wasmtime-internal-math", @@ -837,7 +837,7 @@ dependencies = [ "serde", "serde_derive", "similar", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "thiserror 2.0.17", "toml", @@ -854,7 +854,7 @@ dependencies = [ "hashbrown 0.15.2", "log", "similar", - "smallvec", + "smallvec 1.15.1", "target-lexicon", ] @@ -880,7 +880,7 @@ dependencies = [ "cranelift-reader", "libm", "log", - "smallvec", + "smallvec 1.15.1", "thiserror 2.0.17", ] @@ -957,7 +957,7 @@ version = "0.128.0" dependencies = [ "anyhow", "cranelift-codegen", - "smallvec", + "smallvec 1.15.1", "target-lexicon", ] @@ -1107,6 +1107,16 @@ dependencies = [ "uuid", ] +[[package]] +name = "der" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" +dependencies = [ + "pem-rfc7468", + "zeroize", +] + [[package]] name = "deranged" version = "0.3.11" @@ -1199,7 +1209,7 @@ dependencies = [ "instant", "log", "once_cell", - "smallvec", + "smallvec 1.15.1", "symbolic_expressions", ] @@ -1801,7 +1811,7 @@ dependencies = [ "itoa", "pin-project-lite", "pin-utils", - "smallvec", + "smallvec 1.15.1", "tokio", "want", ] @@ -1885,7 +1895,7 @@ dependencies = [ "icu_normalizer_data", "icu_properties", "icu_provider", - "smallvec", + "smallvec 1.15.1", "utf16_iter", "utf8_iter", "write16", @@ -1960,7 +1970,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de" dependencies = [ "idna_adapter", - "smallvec", + "smallvec 1.15.1", "utf8_iter", ] @@ -2632,24 +2642,22 @@ dependencies = [ [[package]] name = "ort" -version = "2.0.0-rc.2" +version = "2.0.0-rc.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bc80894094c6a875bfac64415ed456fa661081a278a035e22be661305c87e14" +checksum = "1fa7e49bd669d32d7bc2a15ec540a527e7764aec722a45467814005725bcd721" dependencies = [ - "js-sys", "ort-sys", - "thiserror 1.0.65", - "tracing", - "web-sys", + "smallvec 2.0.0-alpha.10", ] [[package]] name = "ort-sys" -version = "2.0.0-rc.2" +version = "2.0.0-rc.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3d9c1373fc813d3f024d394f621f4c6dde0734c79b1c17113c3bb5bf0084bbe" +checksum = "e2aba9f5c7c479925205799216e7e5d07cc1d4fa76ea8058c60a9a30f6a4e890" dependencies = [ "flate2", + "pkg-config", "sha2", "tar", "ureq", @@ -2684,6 +2692,15 @@ dependencies = [ "sha2", ] +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct", +] + [[package]] name = "percent-encoding" version = "2.3.2" @@ -2714,9 +2731,9 @@ checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" [[package]] name = "pkg-config" -version = "0.3.29" +version = "0.3.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2900ede94e305130c13ddd391e0ab7cbaeb783945ae07a279c268cb05109c6cb" +checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c" [[package]] name = "postcard" @@ -2981,7 +2998,7 @@ dependencies = [ "log", "rustc-hash", "serde", - "smallvec", + "smallvec 1.15.1", ] [[package]] @@ -3139,26 +3156,14 @@ dependencies = [ ] [[package]] -name = "rustls" -version = "0.23.7" +name = "rustls-pki-types" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ebbbdb961df0ad3f2652da8f3fdc4b36122f568f968f45ad3316f26c025c677b" +checksum = "708c0f9d5f54ba0272468c1d306a52c495b31fa155e91bc25371e6df7996908c" dependencies = [ - "log", - "once_cell", - "ring", - "rustls-pki-types", - "rustls-webpki", - "subtle", "zeroize", ] -[[package]] -name = "rustls-pki-types" -version = "1.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5ede67b28608b4c60685c7d54122d4400d90f62b40caee7700e700380a390fa8" - [[package]] name = "rustls-webpki" version = "0.102.2" @@ -3414,6 +3419,12 @@ dependencies = [ "serde", ] +[[package]] +name = "smallvec" +version = "2.0.0-alpha.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "51d44cfb396c3caf6fbfd0ab422af02631b69ddd96d2eff0b0f0724f9024051b" + [[package]] name = "socket2" version = "0.6.1" @@ -3424,6 +3435,17 @@ dependencies = [ "windows-sys 0.60.2", ] +[[package]] +name = "socks" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0c3dbbd9ae980613c6dd8e28a9407b50509d3803b57624d5dfe8315218cd58b" +dependencies = [ + "byteorder", + "libc", + "winapi", +] + [[package]] name = "souper-ir" version = "2.1.0" @@ -3800,7 +3822,7 @@ version = "0.25.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" dependencies = [ - "rustls 0.22.4", + "rustls", "rustls-pki-types", "tokio", ] @@ -3995,17 +4017,32 @@ checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" [[package]] name = "ureq" -version = "2.10.0" +version = "3.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72139d247e5f97a3eff96229a7ae85ead5328a39efe76f8bf5a06313d505b6ea" +checksum = "d39cb1dbab692d82a977c0392ffac19e188bd9186a9f32806f0aaa859d75585a" dependencies = [ "base64", + "der", "log", - "once_cell", - "rustls 0.23.7", + "native-tls", + "percent-encoding", "rustls-pki-types", - "url", - "webpki-roots", + "socks", + "ureq-proto", + "utf-8", + "webpki-root-certs", +] + +[[package]] +name = "ureq-proto" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d81f9efa9df032be5934a46a068815a10a042b494b6a58cb0a1a97bb5467ed6f" +dependencies = [ + "base64", + "http", + "httparse", + "log", ] [[package]] @@ -4020,6 +4057,12 @@ dependencies = [ "serde", ] +[[package]] +name = "utf-8" +version = "0.7.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9" + [[package]] name = "utf16_iter" version = "1.0.5" @@ -4290,7 +4333,7 @@ dependencies = [ "serde", "serde_derive", "serde_yaml", - "smallvec", + "smallvec 1.15.1", "wasm-encoder", "wasmparser 0.243.0", "wat", @@ -4479,7 +4522,7 @@ dependencies = [ "serde", "serde_derive", "serde_json", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "tempfile", "tokio", @@ -4588,7 +4631,7 @@ dependencies = [ "serde_derive", "serde_json", "similar", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "tempfile", "termcolor", @@ -4661,7 +4704,7 @@ dependencies = [ "semver", "serde", "serde_derive", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "wasm-encoder", "wasmparser 0.243.0", @@ -4708,7 +4751,7 @@ dependencies = [ "quote", "rand 0.8.5", "rand 0.9.2", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "wasmparser 0.243.0", "wasmtime", @@ -4732,7 +4775,7 @@ dependencies = [ "rayon", "serde", "serde_json", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "tempfile", "test-programs-artifacts", @@ -4822,7 +4865,7 @@ dependencies = [ "log", "object 0.37.3", "pulley-interpreter", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "thiserror 2.0.17", "wasmparser 0.243.0", @@ -5056,7 +5099,7 @@ dependencies = [ "http-body", "http-body-util", "hyper", - "rustls 0.22.4", + "rustls", "sha2", "tempfile", "test-log", @@ -5135,7 +5178,7 @@ dependencies = [ "anyhow", "bytes", "futures", - "rustls 0.22.4", + "rustls", "test-programs-artifacts", "tokio", "tokio-rustls", @@ -5226,13 +5269,12 @@ dependencies = [ ] [[package]] -name = "web-sys" -version = "0.3.57" +name = "webpki-root-certs" +version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7b17e741662c70c8bd24ac5c5b18de314a2c26c32bf8346ee1e6f53de919c283" +checksum = "ee3e3b5f5e80bc89f30ce8d0343bf4e5f12341c51f3e26cbeecbc7c85443e85b" dependencies = [ - "js-sys", - "wasm-bindgen", + "rustls-pki-types", ] [[package]] @@ -5348,7 +5390,7 @@ dependencies = [ "cranelift-codegen", "gimli 0.32.3", "regalloc2", - "smallvec", + "smallvec 1.15.1", "target-lexicon", "thiserror 2.0.17", "wasmparser 0.243.0", diff --git a/crates/wasi-nn/Cargo.toml b/crates/wasi-nn/Cargo.toml index 93bc6c965fcf..36859a29dfa1 100644 --- a/crates/wasi-nn/Cargo.toml +++ b/crates/wasi-nn/Cargo.toml @@ -31,7 +31,7 @@ wasmtime = { workspace = true, features = [ tracing = { workspace = true } thiserror = { workspace = true } -ort = { version = "2.0.0-rc.2", default-features = false, features = [ +ort = { version = "2.0.0-rc.10", default-features = false, features = [ "copy-dylibs", ], optional = true } tch = { version = "0.17.0", default-features = false, optional = true} diff --git a/crates/wasi-nn/src/backend/onnx.rs b/crates/wasi-nn/src/backend/onnx.rs index aa033cfca16d..6ee5835c70f8 100644 --- a/crates/wasi-nn/src/backend/onnx.rs +++ b/crates/wasi-nn/src/backend/onnx.rs @@ -6,8 +6,13 @@ use super::{ use crate::backend::{Id, read}; use crate::wit::types::{ExecutionTarget, GraphEncoding, Tensor, TensorType}; use crate::{ExecutionContext, Graph}; -use anyhow::Context; -use ort::{GraphOptimizationLevel, Session, inputs}; +use ort::{ + inputs, + session::{Input, Output}, + session::{Session, SessionInputValue, builder::GraphOptimizationLevel}, + tensor::TensorElementType, + value::{Tensor as OrtTensor, ValueType}, +}; use std::path::Path; use std::sync::{Arc, Mutex}; @@ -23,7 +28,7 @@ impl BackendInner for OnnxBackend { fn load(&mut self, builders: &[&[u8]], target: ExecutionTarget) -> Result { if builders.len() != 1 { - return Err(BackendError::InvalidNumberOfBuilders(1, builders.len()).into()); + return Err(BackendError::InvalidNumberOfBuilders(1, builders.len())); } let session = Session::builder()? @@ -137,6 +142,13 @@ impl BackendExecutionContext for OnnxExecutionContext { &mut self, inputs: Option>, ) -> Result>, BackendError> { + fn dimensions_as_u32(shape: &ort::tensor::Shape) -> Result, BackendError> { + (*shape) + .iter() + .map(|d| if *d == -1 { Ok(1) } else { convert_i64(d) }) + .collect() + } + match inputs { // WIT Some(inputs) => { @@ -157,8 +169,7 @@ impl BackendExecutionContext for OnnxExecutionContext { idx } else { return Err(BackendError::BackendAccess(anyhow::anyhow!( - "Input index out of range: {}", - idx + "Input index out of range: {idx}" ))); } } else { @@ -177,21 +188,23 @@ impl BackendExecutionContext for OnnxExecutionContext { input_slot.tensor.replace(input.tensor.clone()); } - let mut session_inputs: Vec> = vec![]; + let mut session_inputs: Vec> = vec![]; for i in &self.inputs { session_inputs.extend(to_input_value(i)?); } - let session = self.session.lock().unwrap(); + let mut session = self.session.lock().unwrap(); let session_outputs = session.run(session_inputs.as_slice())?; let mut output_tensors = Vec::new(); for i in 0..self.outputs.len() { // TODO: fix preexisting gap--this only handles f32 tensors. - let raw: (Vec, &[f32]) = session_outputs[i].try_extract_raw_tensor()?; - let f32s = raw.1.to_vec(); + let (shape, data): (&ort::tensor::Shape, &[f32]) = + session_outputs[i].try_extract_tensor()?; + let f32s = data.to_vec(); let output = &mut self.outputs[i]; + let dimensions: Vec = dimensions_as_u32(shape)?; let tensor = Tensor { - dimensions: output.shape.dimensions_as_u32()?, + dimensions, ty: output.shape.ty, data: f32_vec_to_bytes(f32s), }; @@ -206,19 +219,21 @@ impl BackendExecutionContext for OnnxExecutionContext { // WITX None => { - let mut session_inputs: Vec> = vec![]; + let mut session_inputs: Vec> = vec![]; for i in &self.inputs { session_inputs.extend(to_input_value(i)?); } - let session = self.session.lock().unwrap(); + let mut session = self.session.lock().unwrap(); let session_outputs = session.run(session_inputs.as_slice())?; for i in 0..self.outputs.len() { // TODO: fix preexisting gap--this only handles f32 tensors. - let raw: (Vec, &[f32]) = session_outputs[i].try_extract_raw_tensor()?; - let f32s = raw.1.to_vec(); + let (shape, data): (&ort::tensor::Shape, &[f32]) = + session_outputs[i].try_extract_tensor()?; + let f32s = data.to_vec(); let output = &mut self.outputs[i]; + let dimensions: Vec = dimensions_as_u32(shape)?; output.tensor.replace(Tensor { - dimensions: output.shape.dimensions_as_u32()?, + dimensions, ty: output.shape.ty, data: f32_vec_to_bytes(f32s), }); @@ -244,7 +259,7 @@ impl BackendExecutionContext for OnnxExecutionContext { impl From for BackendError { fn from(e: ort::Error) -> Self { - BackendError::BackendAccess(e.into()) + BackendError::BackendAccess(anyhow::anyhow!("{e}")) } } @@ -265,7 +280,7 @@ struct Shape { } impl Shape { - fn from_onnx_input(input: &ort::Input) -> Result { + fn from_onnx_input(input: &Input) -> Result { let name = input.name.clone(); let (dimensions, ty) = convert_value_type(&input.input_type)?; Ok(Self { @@ -275,7 +290,7 @@ impl Shape { }) } - fn from_onnx_output(output: &ort::Output) -> Result { + fn from_onnx_output(output: &Output) -> Result { let name = output.name.clone(); let (dimensions, ty) = convert_value_type(&output.output_type)?; Ok(Self { @@ -285,13 +300,6 @@ impl Shape { }) } - fn dimensions_as_u32(&self) -> Result, BackendError> { - self.dimensions - .iter() - .map(|d| if *d == -1 { Ok(1) } else { convert_i64(d) }) - .collect() - } - fn matches(&self, tensor: &Tensor) -> anyhow::Result<()> { if self.dimensions.len() != tensor.dimensions.len() { return Err(anyhow::anyhow!( @@ -322,12 +330,12 @@ impl Shape { } } -fn convert_value_type(vt: &ort::ValueType) -> Result<(Vec, TensorType), BackendError> { +fn convert_value_type(vt: &ValueType) -> Result<(Vec, TensorType), BackendError> { match vt { - ort::ValueType::Tensor { ty, dimensions } => { - let dims = dimensions.clone(); + ValueType::Tensor { ty, shape, .. } => { + let dimensions = shape.to_vec(); let ty = (*ty).try_into()?; - Ok((dims, ty)) + Ok((dimensions, ty)) } _ => Err(BackendError::BackendAccess(anyhow::anyhow!( "unsupported input type: {vt:?}" @@ -341,15 +349,15 @@ fn convert_i64(i: &i64) -> Result { }) } -impl TryFrom for TensorType { +impl TryFrom for TensorType { type Error = BackendError; - fn try_from(ty: ort::TensorElementType) -> Result { + fn try_from(ty: TensorElementType) -> Result { match ty { - ort::TensorElementType::Float32 => Ok(TensorType::Fp32), - ort::TensorElementType::Float64 => Ok(TensorType::Fp64), - ort::TensorElementType::Uint8 => Ok(TensorType::U8), - ort::TensorElementType::Int32 => Ok(TensorType::I32), - ort::TensorElementType::Int64 => Ok(TensorType::I64), + TensorElementType::Float32 => Ok(TensorType::Fp32), + TensorElementType::Float64 => Ok(TensorType::Fp64), + TensorElementType::Uint8 => Ok(TensorType::U8), + TensorElementType::Int32 => Ok(TensorType::I32), + TensorElementType::Int64 => Ok(TensorType::I64), _ => Err(BackendError::BackendAccess(anyhow::anyhow!( "unsupported tensor type: {ty:?}" ))), @@ -357,18 +365,22 @@ impl TryFrom for TensorType { } } -fn to_input_value(slot: &TensorSlot) -> Result<[ort::SessionInputValue<'_>; 1], BackendError> { +fn to_input_value(slot: &TensorSlot) -> Result<[SessionInputValue<'_>; 1], BackendError> { match &slot.tensor { Some(tensor) => match tensor.ty { TensorType::Fp32 => { let data = bytes_to_f32_vec(tensor.data.to_vec()); - let dimensions = tensor + let dimensions: Vec = tensor .dimensions .iter() .map(|d| *d as i64) // TODO: fewer conversions - .collect::>(); - Ok(inputs![(dimensions, Arc::new(data.into_boxed_slice()))] - .context("failed to create ONNX session input")?) + .collect(); + let ort_tensor = OrtTensor::::from_array((dimensions, data)).map_err(|e| { + BackendError::BackendAccess(anyhow::anyhow!( + "failed to create ONNX session input: {e}" + )) + })?; + Ok(inputs![ort_tensor]) } _ => { unimplemented!("{:?} not supported by ONNX", tensor.ty); diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 4e339a4791e0..e3e0dfdfab38 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -2147,6 +2147,12 @@ who = "Benjamin Bouvier " criteria = "safe-to-deploy" version = "0.1.3" +[[audits.der]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +version = "0.7.10" +notes = "No unsafe code aside from transmutes for transparent newtypes." + [[audits.derive_arbitrary]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" @@ -3426,6 +3432,12 @@ criteria = "safe-to-deploy" delta = "2.0.0-rc.0 -> 2.0.0-rc.2" notes = "Same as previous audit: the crate inherently uses `unsafe` FFI calls for using ONNX through `ort-sys` (e.g., logging C error strings). The changes are relatively uninteresting: a lot of documentation, some `must_use`, and general refactoring due to changes in the underlying API." +[[audits.ort]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "2.0.0-rc.2 -> 2.0.0-rc.10" +notes = "A bunch of unsafe code inherent to FFI, but nothing that looks malicious." + [[audits.ort-sys]] who = "Andrew Brown " criteria = "safe-to-deploy" @@ -3438,6 +3450,12 @@ criteria = "safe-to-deploy" delta = "2.0.0-rc.0 -> 2.0.0-rc.2" notes = "This crate still downloads the ONNX libraries as a part of the `build.rs` script; now with more platform options for pre-built binaries stored in a `dist.txt` file. Otherwise largely unchanged since the previous audit." +[[audits.ort-sys]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "2.0.0-rc.2 -> 2.0.0-rc.10" +notes = "Large build.rs script that downloads a binary distribution, so inherently somewhat dangerous; but it appears that the URLs are from the distributor of this library (`ort` at `pyke.io`). The file contents are verified by hash, so could not be swapped out later without a version bump." + [[audits.overload]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -3450,6 +3468,12 @@ criteria = "safe-to-deploy" version = "1.0.0" notes = "I am the author of this crate." +[[audits.pem-rfc7468]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +version = "0.7.0" +notes = "Only `unsafe` around a `from_utf8_unchecked`, and no IO." + [[audits.percent-encoding]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -3486,6 +3510,11 @@ No `unsafe` additions or anything outside of the purview of the crate in this change. """ +[[audits.pkg-config]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "0.3.29 -> 0.3.32" + [[audits.postcard]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -3706,6 +3735,11 @@ criteria = "safe-to-deploy" delta = "0.22.4 -> 0.23.7" notes = "No new unsafe code." +[[audits.rustls-pki-types]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "1.3.1 -> 1.13.1" + [[audits.rustls-webpki]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -3820,6 +3854,12 @@ criteria = "safe-to-deploy" delta = "1.13.2 -> 1.14.0" notes = "Minor new feature, nothing out of the ordinary." +[[audits.smallvec]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "1.15.1 -> 2.0.0-alpha.10" +notes = "Nothing obviously malicious in the (large) diff. There is a lot of unsafe code, as expected for an optimized core data structure library; I didn't internalize all the invariants or review the code in detail for correctness line-by-line. The library is widely used in the ecosystem and well-tested/fuzzed so I trust that basic data structure invariant violations will be found." + [[audits.socket2]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -3843,6 +3883,12 @@ criteria = "safe-to-deploy" delta = "0.6.0 -> 0.6.1" notes = "Minor new changes and windows updates, all looks reasonable." +[[audits.socks]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "SOCKS protocol library with `unsafe` only inside a custom readv/writev wrapper, and no IO aside from network IO to the specified endpoint. Unit tests ping Google on the Internet to test functionality." + [[audits.spin]] who = "Alex Crichton " criteria = "safe-to-run" @@ -4206,6 +4252,18 @@ criteria = "safe-to-deploy" delta = "2.9.6 -> 2.10.0" notes = "No `unsafe` changes; this audit observed mainly license and documentation changes." +[[audits.ureq]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "2.10.0 -> 3.1.4" +notes = "Network protocol library with no unsafe code." + +[[audits.ureq-proto]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +version = "0.5.3" +notes = "Network protocol library with no unsafe code." + [[audits.url]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -4219,6 +4277,12 @@ is similar to what it once was back then. Skimming over the crate there is nothing suspicious and it's everything you'd expect a Rust URL parser to be. """ +[[audits.utf-8]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +version = "0.7.6" +notes = "Small library that uses `unsafe` only around `str::from_utf8_unchecked` after explicitly verifying UTF-8." + [[audits.vcpkg]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -5284,6 +5348,12 @@ criteria = "safe-to-deploy" delta = "1.242.2 -> 1.243.0" notes = "The Bytecode Alliance is the author of this crate" +[[audits.webpki-root-certs]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +version = "1.0.4" +notes = "Purely a data crate." + [[audits.webpki-roots]] who = "Pat Hickey " criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index f4ff144a5365..984c60e67bc7 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1698,13 +1698,6 @@ when = "2025-07-28" user-id = 73222 user-login = "wasmtime-publish" -[[publisher.web-sys]] -version = "0.3.57" -when = "2022-04-07" -user-id = 1 -user-login = "alexcrichton" -user-name = "Alex Crichton" - [[publisher.wiggle]] version = "39.0.1" when = "2025-11-24"