
Add some more audits for my own crates #4837

Merged (1 commit) Aug 31, 2022

Conversation

fitzgen (Member) commented Aug 31, 2022

Mostly stuff that Firefox is using and asked me to publish audits for, but a couple are in our dep tree as well.

@fitzgen fitzgen requested a review from alexcrichton August 31, 2022 21:11
fitzgen (Member, Author) commented Aug 31, 2022

cc @bholley

jameysharp (Contributor) left a comment

Looks like "arbitrary" is consistently typo'd, which I assume is why there aren't corresponding exemptions being removed. Perhaps a problem for peeking_take_while as well?

fitzgen (Member, Author) commented Aug 31, 2022

Good catch, thanks.

We don't use peeking_take_while in Wasmtime so we don't have an exemption for it to remove.

I think maybe the reason that the arbitrary exemptions aren't being removed is that I audited the latest version but we use an older version in Cargo.lock?

fitzgen (Member, Author) commented Aug 31, 2022

> I think maybe the reason that the arbitrary exemptions aren't being removed is that I audited the latest version but we use an older version in Cargo.lock?

Yeah, I added audits for the earlier versions and the exemptions go away now.

jameysharp (Contributor) left a comment

Yeah, I think that would explain it. It might be nice to add audits for the versions we're currently using as well, but seems okay without too.

fitzgen (Member, Author) commented Aug 31, 2022

Yep, done.

bholley (Contributor) commented Aug 31, 2022

Thanks!

> I think maybe the reason that the arbitrary exemptions aren't being removed is that I audited the latest version but we use an older version in Cargo.lock?

My general recommendation for this situation (which we've run into as well) is to add an audit both for the latest version as well as the older version in tree.

And yes this PR should cover the ones Firefox is using, though while you're at it you might consider some of the other crates you own that have download stats in the millions.
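The point raised in the last three comments (an audit of the latest version does nothing for the exemption on the older version pinned in Cargo.lock, so both versions need an audit, or the old version plus a delta up to the new one) is easy to see in a small model of how cargo-vet decides whether an exemption is still needed. The code below is an added example written for this page; it is not cargo-vet's or Wasmtime's code, and the crate name reuse, the version numbers, the audit records and the lockfile contents are all constructed for illustration.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// One audit record for a single crate under a single criteria
/// (think `safe-to-deploy`). A full audit certifies one version outright;
/// a delta audit certifies `to` only if `from` is already certified.
/// Simplified model, not cargo-vet's own data structures.
#[derive(Debug, Clone)]
pub enum Audit {
    Full { version: &'static str },
    Delta { from: &'static str, to: &'static str },
}

/// True if `wanted` is reachable from some full audit through a chain of
/// delta audits. Versions are compared as opaque strings: the point is the
/// chain, not semver ordering.
pub fn is_certified(audits: &[Audit], wanted: &str) -> bool {
    let mut certified: HashSet<&str> = HashSet::new();
    let mut queue: VecDeque<&str> = VecDeque::new();
    for audit in audits {
        if let Audit::Full { version } = audit {
            if certified.insert(*version) {
                queue.push_back(*version);
            }
        }
    }
    // Breadth-first walk over delta edges starting from the full audits.
    while let Some(current) = queue.pop_front() {
        for audit in audits {
            if let Audit::Delta { from, to } = audit {
                if *from == current && certified.insert(*to) {
                    queue.push_back(*to);
                }
            }
        }
    }
    certified.contains(wanted)
}

/// Exemptions that are still needed: every (crate, version) that is pinned
/// in the lockfile, listed as exempt, and not covered by an audit chain.
/// Everything else in `exemptions` could be dropped from config.toml.
pub fn needed_exemptions(
    audits: &HashMap<&'static str, Vec<Audit>>,
    lockfile: &[(&'static str, &'static str)],
    exemptions: &[(&'static str, &'static str)],
) -> Vec<(&'static str, &'static str)> {
    let mut needed = Vec::new();
    for &(krate, version) in exemptions {
        let in_lockfile = lockfile.iter().any(|&(c, v)| c == krate && v == version);
        let covered = audits
            .get(krate)
            .map(|list| is_certified(list, version))
            .unwrap_or(false);
        if in_lockfile && !covered {
            needed.push((krate, version));
        }
    }
    needed
}

/// Constructed scenario mirroring the thread: Cargo.lock pins an older
/// `arbitrary` than the one just audited. Version numbers are made up.
pub fn scenario_latest_only() -> Vec<(&'static str, &'static str)> {
    let lockfile = [("arbitrary", "1.0.0")];
    let exemptions = [("arbitrary", "1.0.0")];
    let mut audits = HashMap::new();
    audits.insert("arbitrary", vec![Audit::Full { version: "1.1.0" }]);
    needed_exemptions(&audits, &lockfile, &exemptions)
}

/// Same lockfile, but the in-tree version is now audited as well, with a
/// delta audit carrying the certification up to the latest version.
pub fn scenario_both_versions() -> Vec<(&'static str, &'static str)> {
    let lockfile = [("arbitrary", "1.0.0")];
    let exemptions = [("arbitrary", "1.0.0")];
    let mut audits = HashMap::new();
    audits.insert(
        "arbitrary",
        vec![
            Audit::Full { version: "1.0.0" },
            Audit::Delta { from: "1.0.0", to: "1.1.0" },
        ],
    );
    needed_exemptions(&audits, &lockfile, &exemptions)
}

fn main() {
    println!("latest only, still exempt: {:?}", scenario_latest_only());
    println!("both versions, still exempt: {:?}", scenario_both_versions());
}
```

The first scenario keeps the exemption because no audit chain reaches the pinned version; the second drops it, and the delta edge means the latest version is covered too without a second full audit. Real cargo-vet also tracks criteria per audit and the dependency-criteria policy, which this model leaves out.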

Mostly stuff that Firefox is using and asked me to publish audits for, but a
couple are in our dep tree as well.
@fitzgen fitzgen enabled auto-merge (squash) August 31, 2022 22:26
@fitzgen fitzgen merged commit c54d838 into bytecodealliance:main Aug 31, 2022