From bc6cb2edec6a3b905d8697b929e2feef9421d0b4 Mon Sep 17 00:00:00 2001 From: David Cook Date: Tue, 3 Feb 2026 16:17:15 -0600 Subject: [PATCH 1/4] Add Dependabot group for rand --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 738a3d17a..f5b115056 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -5,6 +5,11 @@ updates: schedule: interval: "weekly" open-pull-requests-limit: 20 + groups: + rand: + patterns: + - rand + - rand_* - package-ecosystem: "github-actions" directory: "/" From d9f9afa77f5794260f28db0400fb6c545b98052b Mon Sep 17 00:00:00 2001 From: David Cook Date: Mon, 9 Feb 2026 15:22:52 -0600 Subject: [PATCH 2/4] Update to rand 0.10.0 --- Cargo.lock | 315 ++++++++++++++++++++++++++++----- Cargo.toml | 8 +- benches/speed_tests.rs | 2 +- binaries/Cargo.toml | 2 +- src/dp/rand_bigint.rs | 2 +- src/field.rs | 9 +- src/flp/types/dp.rs | 10 +- src/flp/types/fixedpoint_l2.rs | 5 +- src/fp.rs | 2 +- src/idpf.rs | 10 +- src/prng.rs | 6 +- src/vdaf.rs | 2 +- src/vdaf/dummy.rs | 2 +- src/vdaf/mastic.rs | 4 +- src/vdaf/mastic/szk.rs | 2 +- src/vdaf/poplar1.rs | 6 +- src/vdaf/prio2.rs | 4 +- src/vdaf/prio2/client.rs | 2 +- src/vdaf/prio3.rs | 4 +- src/vdaf/xof.rs | 60 ++++--- src/vidpf.rs | 4 +- 21 files changed, 341 insertions(+), 120 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d56ff051d..b83b40bf5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -10,7 +10,7 @@ checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" dependencies = [ "cfg-if", "cipher", - "cpufeatures", + "cpufeatures 0.2.5", ] [[package]] 
@@ -34,6 +34,12 @@ version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" +[[package]] +name = "anyhow" +version = "1.0.100" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" + [[package]] name = "approx" version = "0.5.1" @@ -134,6 +140,17 @@ version = "1.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" +[[package]] +name = "chacha20" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601" +dependencies = [ + "cfg-if", + "cpufeatures 0.3.0", + "rand_core 0.10.0", +] + [[package]] name = "ciborium" version = "0.2.0" @@ -205,6 +222,15 @@ dependencies = [ "libc", ] +[[package]] +name = "cpufeatures" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b2a41393f66f16b0823bb79094d54ac5fbd34ab292ddafb9a0456ac9f87d201" +dependencies = [ + "libc", +] + [[package]] name = "criterion" version = "0.8.1" @@ -307,6 +333,12 @@ version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "90e5c1c8368803113bf0c9584fc495a58b86dc8a29edbf8fe877d21d9507e797" +[[package]] +name = "equivalent" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" + [[package]] name = "fiat-crypto" version = "0.3.0" @@ -331,6 +363,12 @@ dependencies = [ "typenum", ] +[[package]] +name = "foldhash" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" + [[package]] name = "funty" version = "2.0.0" 
@@ -355,19 +393,21 @@ checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" dependencies = [ "cfg-if", "libc", - "wasi 0.11.0+wasi-snapshot-preview1", + "wasi", ] [[package]] name = "getrandom" -version = "0.3.2" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "73fea8450eea4bac3940448fb7ae50d91f034f941199fcd9d909a5a07aa455f0" +checksum = "139ef39800118c7683f2fd3c98c1b23c09ae076556b435f8e9064ae108aaeeec" dependencies = [ "cfg-if", "libc", "r-efi", - "wasi 0.14.2+wasi-0.2.4", + "rand_core 0.10.0", + "wasip2", + "wasip3", ] [[package]] @@ -385,6 +425,27 @@ dependencies = [ "crunchy", ] +[[package]] +name = "hashbrown" +version = "0.15.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1" +dependencies = [ + "foldhash", +] + +[[package]] +name = "hashbrown" +version = "0.16.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" + +[[package]] +name = "heck" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" + [[package]] name = "hex" version = "0.4.3" 
@@ -409,6 +470,24 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71a816c97c42258aa5834d07590b718b4c9a598944cd39a52dc25b351185d678" +[[package]] +name = "id-arena" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d3067d79b975e8844ca9eb072e16b31c3c1c36928edf9c6789548c524d0d954" + +[[package]] +name = "indexmap" +version = "2.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7714e70437a7dc3ac8eb7e6f8df75fd8eb422675fc7678aff7364301092b1017" +dependencies = [ + "equivalent", + "hashbrown 0.16.1", + "serde", + "serde_core", +] + [[package]] name = "inout" version = "0.1.3" @@ -448,14 +527,20 @@ version = "0.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f6d5ed8676d904364de097082f4e7d240b571b67989ced0240f08b7f966f940" dependencies = [ - "cpufeatures", + "cpufeatures 0.2.5", ] +[[package]] +name = "leb128fmt" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" + [[package]] name = "libc" -version = "0.2.154" +version = "0.2.180" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ae743338b92ff9146ce83992f766a31066a91a8c84a45e0e9f21e7cf6de6d346" +checksum = "bcc35a38544a891a5f7c865aca548a982ccb3b8650a5b06d0fd33a10283c56fc" [[package]] name = "libm" @@ -638,6 +723,16 @@ version = "0.2.16" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872" +[[package]] +name = "prettyplease" +version = "0.2.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b" +dependencies = [ + "proc-macro2", + "syn 2.0.114", +] + [[package]] name = "prio" version = "0.18.1-alpha.2" 
@@ -663,9 +758,9 @@ dependencies = [ "num-traits", "once_cell", "prio", - "rand 0.9.2", - "rand_core 0.9.5", - "rand_distr 0.5.1", + "rand 0.10.0", + "rand_core 0.10.0", + "rand_distr 0.6.0", "rayon", "serde", "serde_json", @@ -683,14 +778,14 @@ dependencies = [ "base64", "fixed", "prio", - "rand 0.9.2", + "rand 0.10.0", ] [[package]] name = "proc-macro2" -version = "1.0.89" +version = "1.0.106" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" dependencies = [ "unicode-ident", ] @@ -723,18 +818,19 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404" dependencies = [ "libc", - "rand_chacha 0.3.1", + "rand_chacha", "rand_core 0.6.4", ] [[package]] name = "rand" -version = "0.9.2" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1" +checksum = "bc266eb313df6c5c09c1c7b1fbe2510961e5bcd3add930c1e31f7ed9da0feff8" dependencies = [ - "rand_chacha 0.9.0", - "rand_core 0.9.5", + "chacha20", + "getrandom 0.4.1", + "rand_core 0.10.0", ] [[package]] @@ -747,16 +843,6 @@ dependencies = [ "rand_core 0.6.4", ] -[[package]] -name = "rand_chacha" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" -dependencies = [ - "ppv-lite86", - "rand_core 0.9.5", -] - [[package]] name = "rand_core" version = "0.6.4" 
@@ -768,12 +854,9 @@ dependencies = [ [[package]] name = "rand_core" -version = "0.9.5" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c" -dependencies = [ - "getrandom 0.3.2", -] +checksum = "0c8d0fd677905edcbeedbf2edb6494d676f0e98d54d5cf9bda0b061cb8fb8aba" [[package]] name = "rand_distr" @@ -787,12 +870,12 @@ dependencies = [ [[package]] name = "rand_distr" -version = "0.5.1" +version = "0.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a8615d50dcf34fa31f7ab52692afec947c4dd0ab803cc87cb3b0b4570ff7463" +checksum = "4d431c2703ccf129de4d45253c03f49ebb22b97d6ad79ee3ecfc7e3f4862c1d8" dependencies = [ "num-traits", - "rand 0.9.2", + "rand 0.10.0", ] [[package]] @@ -854,6 +937,12 @@ dependencies = [ "winapi-util", ] +[[package]] +name = "semver" +version = "1.0.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2" + [[package]] name = "serde" version = "1.0.228" @@ -881,7 +970,7 @@ checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.114", ] [[package]] @@ -904,7 +993,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" dependencies = [ "cfg-if", - "cpufeatures", + "cpufeatures 0.2.5", "digest", ] @@ -968,9 +1057,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.87" +version = "2.0.114" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" +checksum = "d4d107df263a3013ef9b1879b0df87d706ff80f65a86ea879bd9c31f9b307c2a" dependencies = [ "proc-macro2", "quote", 
@@ -1000,7 +1089,7 @@ checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" dependencies = [ "proc-macro2", "quote", - "syn 2.0.87", + "syn 2.0.114", ] [[package]] @@ -1025,6 +1114,12 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4f5b37a154999a8f3f98cc23a628d850e154479cd94decf3414696e12e31aaf" +[[package]] +name = "unicode-xid" +version = "0.2.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc1c04c71510c7f702b52b7c350734c9ff1295c464a03335b00bb84fc54f853" + [[package]] name = "version_check" version = "0.9.4" @@ -1049,12 +1144,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] -name = "wasi" -version = "0.14.2+wasi-0.2.4" +name = "wasip2" +version = "1.0.2+wasi-0.2.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9683f9a5a998d873c0d21fcbe3c083009670149a8fab228644b8bd36b2c48cb3" +checksum = "9517f9239f02c069db75e65f174b3da828fe5f5b945c4dd26bd25d89c03ebcf5" dependencies = [ - "wit-bindgen-rt", + "wit-bindgen", +] + +[[package]] +name = "wasip3" +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5428f8bf88ea5ddc08faddef2ac4a67e390b88186c703ce6dbd955e1c145aca5" +dependencies = [ + "wit-bindgen", ] [[package]] 
@@ -1111,6 +1215,40 @@ version = "0.2.83" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1c38c045535d93ec4f0b4defec448e4291638ee608530863b1e2ba115d4fff7f" +[[package]] +name = "wasm-encoder" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "990065f2fe63003fe337b932cfb5e3b80e0b4d0f5ff650e6985b1048f62c8319" +dependencies = [ + "leb128fmt", + "wasmparser", +] + +[[package]] +name = "wasm-metadata" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bb0e353e6a2fbdc176932bbaab493762eb1255a7900fe0fea1a2f96c296cc909" +dependencies = [ + "anyhow", + "indexmap", + "wasm-encoder", + "wasmparser", +] + +[[package]] +name = "wasmparser" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47b807c72e1bac69382b3a6fb3dbe8ea4c0ed87ff5629b8685ae6b9a611028fe" +dependencies = [ + "bitflags", + "hashbrown 0.15.5", + "indexmap", + "semver", +] + [[package]] name = "web-sys" version = "0.3.60" 
@@ -1163,12 +1301,91 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" [[package]] -name = "wit-bindgen-rt" -version = "0.39.0" +name = "wit-bindgen" +version = "0.51.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6f42320e61fe2cfd34354ecb597f86f413484a798ba44a8ca1165c58d42da6c1" +checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" dependencies = [ + "wit-bindgen-rust-macro", +] + +[[package]] +name = "wit-bindgen-core" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ea61de684c3ea68cb082b7a88508a8b27fcc8b797d738bfc99a82facf1d752dc" +dependencies = [ + "anyhow", + "heck", + "wit-parser", +] + +[[package]] +name = "wit-bindgen-rust" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b7c566e0f4b284dd6561c786d9cb0142da491f46a9fbed79ea69cdad5db17f21" +dependencies = [ + "anyhow", + "heck", + "indexmap", + "prettyplease", + "syn 2.0.114", + "wasm-metadata", + "wit-bindgen-core", + "wit-component", +] + +[[package]] +name = "wit-bindgen-rust-macro" +version = "0.51.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c0f9bfd77e6a48eccf51359e3ae77140a7f50b1e2ebfe62422d8afdaffab17a" +dependencies = [ + "anyhow", + "prettyplease", + "proc-macro2", + "quote", + "syn 2.0.114", + "wit-bindgen-core", + "wit-bindgen-rust", +] + +[[package]] +name = "wit-component" +version = "0.244.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d66ea20e9553b30172b5e831994e35fbde2d165325bec84fc43dbf6f4eb9cb2" +dependencies = [ + "anyhow", "bitflags", + "indexmap", + "log", + "serde", + "serde_derive", + "serde_json", + "wasm-encoder", + "wasm-metadata", + "wasmparser", + "wit-parser", +] + +[[package]] +name = "wit-parser" +version = "0.244.0" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "ecc8ac4bc1dc3381b7f59c34f00b67e18f910c2c0f50015669dde7def656a736" +dependencies = [ + "anyhow", + "id-arena", + "indexmap", + "log", + "semver", + "serde", + "serde_derive", + "serde_json", + "unicode-xid", + "wasmparser", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 73752dfeb..58f20e998 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -24,9 +24,9 @@ num-integer = { version = "0.1.46", optional = true } num-iter = { version = "0.1.45", optional = true } num-rational = { version = "0.4.2", optional = true, features = ["serde"] } num-traits = "0.2.19" -rand = "0.9" -rand_core = { version = "0.9", features = ["os_rng"] } -rand_distr = { version = "0.5", optional = true } +rand = "0.10" +rand_core = "0.10" +rand_distr = { version = "0.6.0", optional = true } rayon = { version = "1.11.0", optional = true } serde = { version = "1.0", features = ["derive"] } serde_json = { version = "1.0", optional = true } @@ -45,7 +45,7 @@ modinverse = "0.1.0" num-bigint = "0.4.6" once_cell = "1.21.3" prio = { path = ".", features = ["crypto-dependencies", "test-util"] } -rand = { version = "0.9", features = ["std_rng"] } +rand = { version = "0.10", features = ["std_rng"] } statrs = "0.18.0" [features] diff --git a/benches/speed_tests.rs b/benches/speed_tests.rs index 3e33f6b78..11e7c9798 100644 --- a/benches/speed_tests.rs +++ b/benches/speed_tests.rs @@ -33,7 +33,7 @@ use prio::{ vdaf::poplar1::{Poplar1, Poplar1AggregationParam, Poplar1IdpfValue}, }; #[cfg(feature = "experimental")] -use rand::{distr::Distribution, random, rngs::StdRng, Rng, SeedableRng}; +use rand::{distr::Distribution, random, rngs::StdRng, RngExt, SeedableRng}; #[cfg(feature = "experimental")] use std::iter; use std::{hint::black_box, time::Duration}; diff --git a/binaries/Cargo.toml b/binaries/Cargo.toml index 101ef18d6..149aebbbd 100644 --- a/binaries/Cargo.toml +++ b/binaries/Cargo.toml 
@@ -9,5 +9,5 @@ repository = "https://github.com/divviup/libprio-rs" [dependencies] base64 = "0.22.1" fixed = "1.30" -rand = "0.9" +rand = "0.10" prio = { path = "..", features = ["experimental", "test-util"] } diff --git a/src/dp/rand_bigint.rs b/src/dp/rand_bigint.rs index 69f6418ee..e07f2a4a1 100644 --- a/src/dp/rand_bigint.rs +++ b/src/dp/rand_bigint.rs @@ -31,7 +31,7 @@ use num_bigint::BigUint; use num_integer::Integer; use num_traits::{ToPrimitive, Zero}; use rand::distr::uniform::Error; -use rand::Rng; +use rand::{Rng, RngExt}; /// Use [`Rng::fill`] to generate random bits. /// diff --git a/src/field.rs b/src/field.rs index b845db724..3b99ced28 100644 --- a/src/field.rs +++ b/src/field.rs @@ -12,11 +12,8 @@ use crate::{ fp::{FieldOps, FieldParameters, FP128, FP32, FP64}, prng::Prng, }; -use rand::{ - distr::{Distribution, StandardUniform}, - Rng, -}; -use rand_core::RngCore; +use rand::distr::{Distribution, StandardUniform}; +use rand_core::Rng; use serde::{ de::{DeserializeOwned, Visitor}, Deserialize, Deserializer, Serialize, Serializer, @@ -358,7 +355,7 @@ pub(crate) trait FieldElementExt: FieldElement { /// Generate a uniformly random field element from the provided source of random bytes using /// rejection sampling. - fn generate_random(seed_stream: &mut S) -> Self { + fn generate_random(seed_stream: &mut S) -> Self { // This is analogous to `Prng::get()`, but does not make use of a persistent buffer of // output. let mut buffer = [0u8; 64]; diff --git a/src/flp/types/dp.rs b/src/flp/types/dp.rs index 9452fcf96..70e7e627a 100644 --- a/src/flp/types/dp.rs +++ b/src/flp/types/dp.rs 
@@ -9,7 +9,7 @@ use crate::flp::{FlpError, TypeWithNoise}; use crate::vdaf::xof::SeedStreamTurboShake128; use num_bigint::{BigInt, BigUint, TryFromBigIntError}; use num_integer::Integer; -use rand::{distr::Distribution, Rng, SeedableRng}; +use rand::{distr::Distribution, make_rng, Rng}; // TODO(#1071): This is implemented for the concrete fields `Field64` and `Field128` in order to // avoid imposing the `BigInt: From` bound on all callers. In the future, we may want to @@ -28,7 +28,7 @@ where self.add_noise( dp_strategy, agg_result, - &mut SeedStreamTurboShake128::from_os_rng(), + &mut make_rng::(), ) } } @@ -46,7 +46,7 @@ where self.add_noise( dp_strategy, agg_result, - &mut SeedStreamTurboShake128::from_os_rng(), + &mut make_rng::(), ) } } @@ -102,7 +102,7 @@ where self.add_noise( dp_strategy, agg_result, - &mut SeedStreamTurboShake128::from_os_rng(), + &mut make_rng::(), ) } } @@ -120,7 +120,7 @@ where self.add_noise( dp_strategy, agg_result, - &mut SeedStreamTurboShake128::from_os_rng(), + &mut make_rng::(), ) } } diff --git a/src/flp/types/fixedpoint_l2.rs b/src/flp/types/fixedpoint_l2.rs index 72998f3ce..8f9b0125d 100644 --- a/src/flp/types/fixedpoint_l2.rs +++ b/src/flp/types/fixedpoint_l2.rs @@ -193,8 +193,7 @@ use crate::vdaf::xof::SeedStreamTurboShake128; use fixed::traits::Fixed; use num_bigint::BigUint; use num_rational::Ratio; -use rand::Rng; -use rand_core::SeedableRng; +use rand::{make_rng, Rng}; use std::{convert::TryFrom, convert::TryInto, fmt::Debug, marker::PhantomData}; /// The fixed point vector sum data type. Each measurement is a vector of fixed point numbers of @@ -635,7 +634,7 @@ where self.add_noise( dp_strategy, agg_result, - &mut SeedStreamTurboShake128::from_os_rng(), + &mut make_rng::(), ) } } diff --git a/src/fp.rs b/src/fp.rs index 6fd955ee5..8c7c0e582 100644 --- a/src/fp.rs +++ b/src/fp.rs 
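Review bot: The seed for the differential-privacy noise stream now comes from `make_rng` instead of `SeedStreamTurboShake128::from_os_rng()`, and nothing at the call site in the dp.rs hunk at -28 records which entropy source that resolves to. As far as I know, `rand::make_rng` seeds from the thread-local generator when that feature is enabled and from the system generator otherwise, so the source now depends on rand's feature set; please confirm this against the rand 0.10 documentation. A comment above the argument, such as `// Noise seed must come from a CSPRNG backed by OS entropy; make_rng's source depends on rand's features.`, would keep that requirement visible to the next person who changes the dependency features. The same replacement appears in the later dp.rs hunks (-46, -102, -120) and in fixedpoint_l2.rs (-635); the enclosing functions start outside these hunks.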
@@ -135,7 +135,7 @@ pub(crate) mod tests { use modinverse::modinverse; use num_bigint::{BigInt, ToBigInt}; use num_traits::AsPrimitive; - use rand::{distr::Distribution, rng, Rng}; + use rand::{distr::Distribution, rng, RngExt}; use super::ops::Word; use crate::fp::{log2, FieldOps, FP128, FP32, FP64, MAX_ROOTS}; diff --git a/src/idpf.rs b/src/idpf.rs index 542649605..668cf58a9 100644 --- a/src/idpf.rs +++ b/src/idpf.rs @@ -19,7 +19,7 @@ use bitvec::{ vec::BitVec, view::BitView, }; -use rand::{rng, Rng, RngCore}; +use rand::{rng, Rng, RngExt}; use std::{ collections::{HashMap, VecDeque}, fmt::Debug, @@ -175,7 +175,7 @@ pub trait IdpfValue: /// Generate a pseudorandom value from a seed stream. fn generate(seed_stream: &mut S, parameter: &Self::ValueParameter) -> Self where - S: RngCore; + S: Rng; /// Returns the additive identity. fn zero(parameter: &Self::ValueParameter) -> Self; @@ -195,7 +195,7 @@ where fn generate(seed_stream: &mut S, _: &()) -> Self where - S: RngCore, + S: Rng, { F::generate_random(seed_stream) } @@ -2148,7 +2148,7 @@ mod tests { fn generate(_: &mut S, _: &Self::ValueParameter) -> Self where - S: rand_core::RngCore, + S: rand_core::Rng, { MyUnit } @@ -2215,7 +2215,7 @@ mod tests { fn generate(seed_stream: &mut S, length: &Self::ValueParameter) -> Self where - S: rand_core::RngCore, + S: rand_core::Rng, { let mut output = vec![::zero(); *length]; for element in output.iter_mut() { diff --git a/src/prng.rs b/src/prng.rs index 965c592c6..616eae721 100644 --- a/src/prng.rs +++ b/src/prng.rs @@ -9,7 +9,7 @@ use crate::field::{FieldElement, FieldElementExt}; #[cfg(all(feature = "crypto-dependencies", feature = "experimental"))] use crate::vdaf::xof::SeedStreamAes128; use crate::vdaf::xof::{Seed, SeedStreamTurboShake128, Xof, XofTurboShake128}; -use rand::{rng, Rng, RngCore}; +use rand::{rng, Rng, RngExt}; use std::marker::PhantomData; use std::ops::ControlFlow; 
@@ -48,7 +48,7 @@ impl Prng { impl Prng where F: FieldElement, - S: RngCore, + S: Rng, { pub(crate) fn from_seed_stream(mut seed_stream: S) -> Self { let mut buffer = vec![0; BUFFER_SIZE_IN_ELEMENTS * F::ENCODED_SIZE]; @@ -105,7 +105,7 @@ where impl Iterator for Prng where F: FieldElement, - S: RngCore, + S: Rng, { type Item = F; diff --git a/src/vdaf.rs b/src/vdaf.rs index 400dfcf4e..39426c45c 100644 --- a/src/vdaf.rs +++ b/src/vdaf.rs @@ -487,7 +487,7 @@ pub mod test_utils { flp::Type, vdaf::{prio3::Prio3, xof::Xof, Vdaf}, }; - use rand::{random, rng, Rng}; + use rand::{random, rng, RngExt}; use serde::Deserialize; use serde_json::Value; diff --git a/src/vdaf/dummy.rs b/src/vdaf/dummy.rs index 94b09b59b..2c6813ee7 100644 --- a/src/vdaf/dummy.rs +++ b/src/vdaf/dummy.rs @@ -346,7 +346,7 @@ where mod tests { use super::*; use crate::vdaf::{test_utils::run_vdaf_sharded, Client}; - use rand::{rng, Rng}; + use rand::{rng, RngExt}; fn run_test(rounds: u32, aggregation_parameter: u8) { let vdaf = Vdaf::new(rounds); diff --git a/src/vdaf/mastic.rs b/src/vdaf/mastic.rs index 24fbb8de9..2b92c45c8 100644 --- a/src/vdaf/mastic.rs +++ b/src/vdaf/mastic.rs @@ -23,7 +23,7 @@ use crate::{ use szk::{Szk, SzkJointShare, SzkProofShare, SzkQueryShare, SzkQueryState}; -use rand::{rng, Rng}; +use rand::{rng, RngExt}; use std::io::{Cursor, Read}; use std::ops::BitAnd; use std::slice::from_ref; @@ -797,7 +797,7 @@ mod tests { use crate::flp::gadgets::{Mul, ParallelSum}; use crate::flp::types::{Count, Histogram, Sum, SumVec}; use crate::vdaf::test_utils::run_vdaf; - use rand::{rng, Rng}; + use rand::rng; const CTX_STR: &[u8] = b"mastic ctx"; diff --git a/src/vdaf/mastic/szk.rs b/src/vdaf/mastic/szk.rs index 5b3fb7889..33ce0fd46 100644 --- a/src/vdaf/mastic/szk.rs +++ b/src/vdaf/mastic/szk.rs @@ -664,7 +664,7 @@ mod tests { Flp, Type, }, }; - use rand::{rng, Rng}; + use rand::{rng, RngExt}; fn generic_szk_test(typ: T, encoded_measurement: &[T::Field], valid: bool) { let mut rng = rng(); 
diff --git a/src/vdaf/poplar1.rs b/src/vdaf/poplar1.rs index 2a50e4050..80cbf0897 100644 --- a/src/vdaf/poplar1.rs +++ b/src/vdaf/poplar1.rs @@ -14,7 +14,7 @@ use crate::{ Aggregatable, Aggregator, Client, Collector, PrepareTransition, Vdaf, VdafError, VERSION, }, }; -use rand::{rng, Rng, RngCore}; +use rand::{rng, Rng, RngExt}; use std::{ collections::BTreeSet, convert::TryFrom, @@ -1360,7 +1360,7 @@ impl From, Poplar1IdpfValue> // seed, rather than iteratively, as we do in Doplar. This would be more efficient for the // Aggregators. As long as the Client isn't significantly slower, this should be a win. #[allow(non_snake_case)] -fn compute_next_corr_shares, S: RngCore>( +fn compute_next_corr_shares, S: Rng>( prng: &mut Prng, corr_prng_0: &mut Prng, corr_prng_1: &mut Prng, @@ -1451,7 +1451,7 @@ where Self([F::zero(); 2]) } - fn generate(seed_stream: &mut S, _: &()) -> Self { + fn generate(seed_stream: &mut S, _: &()) -> Self { Self([F::generate(seed_stream, &()), F::generate(seed_stream, &())]) } diff --git a/src/vdaf/prio2.rs b/src/vdaf/prio2.rs index 19cecca5e..456fe3361 100644 --- a/src/vdaf/prio2.rs +++ b/src/vdaf/prio2.rs @@ -19,7 +19,7 @@ use crate::{ }, }; use hmac::{Hmac, Mac}; -use rand::{rng, Rng, RngCore}; +use rand::{rng, Rng, RngExt}; use sha2::Sha256; use std::{convert::TryFrom, io::Cursor}; use subtle::{Choice, ConstantTimeEq}; @@ -104,7 +104,7 @@ impl Prio2 { /// The point returned is not one of the roots used for polynomial interpolation. pub(crate) fn choose_eval_at(&self, prng: &mut Prng) -> FieldPrio2 where - S: RngCore, + S: Rng, { // Make sure the query randomness isn't a root of unity. Evaluating the proof at any of // these points would be a privacy violation, since these points were used by the prover to diff --git a/src/vdaf/prio2/client.rs b/src/vdaf/prio2/client.rs index a6c4c108c..343c86656 100644 --- a/src/vdaf/prio2/client.rs +++ b/src/vdaf/prio2/client.rs 
@@ -11,7 +11,7 @@ use crate::{ vdaf::{xof::SeedStreamAes128, VdafError}, }; -use rand::{rng, Rng}; +use rand::{rng, RngExt}; use std::convert::TryFrom; /// Serialization errors diff --git a/src/vdaf/prio3.rs b/src/vdaf/prio3.rs index 78236b12e..33a2d9cc0 100644 --- a/src/vdaf/prio3.rs +++ b/src/vdaf/prio3.rs @@ -61,7 +61,7 @@ use crate::vdaf::{ }; #[cfg(feature = "experimental")] use fixed::traits::Fixed; -use rand::{rng, Rng}; +use rand::{rng, RngExt}; use std::borrow::Cow; use std::convert::TryFrom; use std::fmt::Debug; @@ -382,7 +382,7 @@ impl Prio3Average { /// Aggregator, Client, Collector, PrepareTransition, /// prio3::Prio3, /// }; -/// use rand::{rng, Rng, RngCore}; +/// use rand::{rng, Rng, RngExt}; /// /// let num_shares = 2; /// let ctx = b"my context str"; diff --git a/src/vdaf/xof.rs b/src/vdaf/xof.rs index 7cc482b26..67b47372d 100644 --- a/src/vdaf/xof.rs +++ b/src/vdaf/xof.rs @@ -29,10 +29,8 @@ use aes::{ use ctr::Ctr64BE; #[cfg(feature = "crypto-dependencies")] use hmac::{Hmac, Mac}; -use rand_core::{ - impls::{next_u32_via_fill, next_u64_via_fill}, - RngCore, SeedableRng, -}; +use rand::RngExt; +use rand_core::{utils::next_word_via_fill, Rng, SeedableRng, TryRng}; use rand::distr::{Distribution, StandardUniform}; #[cfg(feature = "crypto-dependencies")] @@ -44,6 +42,7 @@ use sha3::{ #[cfg(feature = "crypto-dependencies")] use std::fmt::Formatter; use std::{ + convert::Infallible, fmt::Debug, io::{Cursor, Read}, }; @@ -108,12 +107,12 @@ impl Decode for Seed { } /// Trait for deriving a vector of field elements. -pub trait IntoFieldVec: RngCore + Sized { +pub trait IntoFieldVec: Rng + Sized { /// Generate a finite field vector from the seed stream. fn into_field_vec(self, length: usize) -> Vec; } -impl IntoFieldVec for S { +impl IntoFieldVec for S { fn into_field_vec(self, length: usize) -> Vec { Prng::from_seed_stream(self).take(length).collect() } 
@@ -124,7 +123,7 @@ impl IntoFieldVec for S { /// [draft-irtf-cfrg-vdaf-08]: https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/08/ pub trait Xof: Clone + Debug { /// The type of stream produced by this XOF. - type SeedStream: RngCore + Sized; + type SeedStream: Rng + Sized; /// Construct an instance of [`Xof`] with the given seed. fn init(seed_bytes: &[u8; SEED_SIZE], dst_parts: &[&[u8]]) -> Self; @@ -178,17 +177,20 @@ impl SeedStreamAes128 { } #[cfg(feature = "crypto-dependencies")] -impl RngCore for SeedStreamAes128 { - fn fill_bytes(&mut self, dest: &mut [u8]) { +impl TryRng for SeedStreamAes128 { + type Error = Infallible; + + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Infallible> { self.fill(dest); + Ok(()) } - fn next_u32(&mut self) -> u32 { - next_u32_via_fill(self) + fn try_next_u32(&mut self) -> Result { + next_word_via_fill(self) } - fn next_u64(&mut self) -> u64 { - next_u64_via_fill(self) + fn try_next_u64(&mut self) -> Result { + next_word_via_fill(self) } } @@ -263,17 +265,20 @@ impl SeedStreamTurboShake128 { } } -impl RngCore for SeedStreamTurboShake128 { - fn fill_bytes(&mut self, dest: &mut [u8]) { +impl TryRng for SeedStreamTurboShake128 { + type Error = Infallible; + + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Infallible> { XofReader::read(&mut self.0, dest); + Ok(()) } - fn next_u32(&mut self) -> u32 { - next_u32_via_fill(self) + fn try_next_u32(&mut self) -> Result { + next_word_via_fill(self) } - fn next_u64(&mut self) -> u64 { - next_u64_via_fill(self) + fn try_next_u64(&mut self) -> Result { + next_word_via_fill(self) } } 
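Review bot: In the new `TryRng` impl for `SeedStreamAes128` (hunk -178), `self.fill(dest)` shares its name with `RngExt::fill`, which this patch brings into scope at the top of the file with `use rand::RngExt;`. The call presumably resolves to the type's inherent `fill` (its definition is outside the hunk), because inherent methods take precedence; if that method were ever renamed or removed, the trait method could be picked up instead and recurse back through `try_fill_bytes`. A short comment such as `// Inherent SeedStreamAes128::fill, not RngExt::fill.` would make the intent explicit. The same pattern is in the `SeedStreamFixedKeyAes128` impl (hunk -481); the `try_fill_bytes` signatures could also return `Result<(), Self::Error>` to stay in step with the associated type.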
@@ -481,17 +486,20 @@ impl SeedStreamFixedKeyAes128 { } #[cfg(all(feature = "crypto-dependencies", feature = "experimental"))] -impl RngCore for SeedStreamFixedKeyAes128 { - fn fill_bytes(&mut self, dest: &mut [u8]) { +impl TryRng for SeedStreamFixedKeyAes128 { + type Error = Infallible; + + fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Infallible> { self.fill(dest); + Ok(()) } - fn next_u32(&mut self) -> u32 { - next_u32_via_fill(self) + fn try_next_u32(&mut self) -> Result { + next_word_via_fill(self) } - fn next_u64(&mut self) -> u64 { - next_u64_via_fill(self) + fn try_next_u64(&mut self) -> Result { + next_word_via_fill(self) } } @@ -536,7 +544,7 @@ impl Xof<32> for XofHmacSha256Aes128 { mod tests { use super::*; use crate::{field::Field128, vdaf::equality_comparison_test}; - use rand::{rng, Rng, RngCore}; + use rand::{rng, Rng, RngExt}; use serde::{Deserialize, Serialize}; use std::{convert::TryInto, io::Cursor}; diff --git a/src/vidpf.rs b/src/vidpf.rs index 96c0cc0ad..24bf90e42 100644 --- a/src/vidpf.rs +++ b/src/vidpf.rs @@ -15,7 +15,7 @@ use core::{ }; use bitvec::prelude::{BitVec, Lsb0}; -use rand::{rng, Rng, RngCore}; +use rand::{rng, Rng, RngExt}; use std::fmt::Debug; use std::io::{Cursor, Read}; use subtle::{Choice, ConditionallyNegatable, ConditionallySelectable, ConstantTimeEq}; @@ -668,7 +668,7 @@ impl IdpfValue for VidpfWeight { /// The parameter determines the number of field elements in the vector. type ValueParameter = usize; - fn generate(seed_stream: &mut S, length: &Self::ValueParameter) -> Self { + fn generate(seed_stream: &mut S, length: &Self::ValueParameter) -> Self { Self( (0..*length) .map(|_| ::generate(seed_stream, &())) From c0318930bb6977cdac8bfa38f20f91081ae32735 Mon Sep 17 00:00:00 2001 
From: David Cook Date: Tue, 10 Feb 2026 11:59:23 -0600 Subject: [PATCH 3/4] Trust rust-lang-owner --- supply-chain/audits.toml | 14 +- supply-chain/imports.lock | 375 +++++++++++++++++++++++++++++++++++++- 2 files changed, 378 insertions(+), 11 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 058670644..9473eae72 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1238,6 +1238,12 @@ user-id = 539 # Josh Stone (cuviper) start = "2025-08-29" end = "2026-12-03" +[[trusted.hashbrown]] +criteria = "safe-to-deploy" +user-id = 55123 # rust-lang-owner +start = "2025-04-30" +end = "2027-02-10" + [[trusted.itoa]] criteria = "safe-to-deploy" user-id = 3618 # David Tolnay (dtolnay) @@ -1258,10 +1264,16 @@ end = "2024-06-08" [[trusted.libc]] criteria = "safe-to-deploy" -user-id = 51017 # Yuki Okushi (JohnTitor) +user-id = 51017 start = "2020-03-17" end = "2025-05-06" +[[trusted.libc]] +criteria = "safe-to-deploy" +user-id = 55123 # rust-lang-owner +start = "2024-08-15" +end = "2027-02-10" + [[trusted.libm]] criteria = "safe-to-deploy" user-id = 2915 # Amanieu d'Antras (Amanieu) diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index bf80a12b1..d22ccc36c 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -35,6 +35,18 @@ user-id = 539 user-login = "cuviper" user-name = "Josh Stone" +[[publisher.hashbrown]] +version = "0.15.5" +when = "2025-08-07" +user-id = 55123 +user-login = "rust-lang-owner" + +[[publisher.hashbrown]] +version = "0.16.1" +when = "2025-11-20" +user-id = 55123 +user-login = "rust-lang-owner" + [[publisher.itoa]] version = "1.0.3" when = "2022-08-03" 
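Review bot: The two new `[[trusted.*]]` entries for user-id 55123 (hashbrown in hunk -1238, libc in hunk -1258) extend `safe-to-deploy` trust to a shared organisation account rather than a named maintainer, and nothing in the file records why. With a trust entry, every hashbrown and libc release published by that account up to 2027-02-10 passes vetting without a per-version audit, so the reasoning is worth keeping next to it, e.g. `# rust-lang-owner: shared rust-lang publishing account, trusted because <reason>`. The second hunk also drops the `# Yuki Okushi (JohnTitor)` annotation from the existing libc entry for user-id 51017; if that was not intentional, keeping the name makes the older entry easier to audit.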
@@ -50,11 +62,10 @@ user-login = "alexcrichton" user-name = "Alex Crichton" [[publisher.libc]] -version = "0.2.154" -when = "2024-04-29" -user-id = 51017 -user-login = "JohnTitor" -user-name = "Yuki Okushi" +version = "0.2.180" +when = "2026-01-08" +user-id = 55123 +user-login = "rust-lang-owner" [[publisher.libm]] version = "0.2.7" @@ -175,6 +186,13 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[publisher.unicode-xid]] +version = "0.2.6" +when = "2024-09-19" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + [[publisher.wasi]] version = "0.11.0+wasi-snapshot-preview1" when = "2022-01-19" @@ -182,6 +200,20 @@ user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" +[[publisher.wasip2]] +version = "1.0.2+wasi-0.2.9" +when = "2026-01-15" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.wasip3]] +version = "0.4.0+wasi-0.3.0-rc-2026-01-06" +when = "2026-01-15" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + [[publisher.wasm-bindgen]] version = "0.2.83" when = "2022-09-12" @@ -210,6 +242,22 @@ user-id = 1 user-login = "alexcrichton" user-name = "Alex Crichton" +[[publisher.wasm-encoder]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wasm-metadata]] +version = "0.236.0" +when = "2025-07-28" +user-id = 73222 +user-login = "wasmtime-publish" + +[[publisher.wasmparser]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + [[publisher.web-sys]] version = "0.3.60" when = "2022-09-12" 
@@ -224,11 +272,35 @@ user-id = 189 user-login = "BurntSushi" user-name = "Andrew Gallant" -[[publisher.wit-bindgen-rt]] -version = "0.39.0" -when = "2025-02-05" -user-id = 73222 -user-login = "wasmtime-publish" +[[publisher.wit-bindgen]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-core]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-rust]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-bindgen-rust-macro]] +version = "0.51.0" +when = "2026-01-12" +trusted-publisher = "github:bytecodealliance/wit-bindgen" + +[[publisher.wit-component]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" + +[[publisher.wit-parser]] +version = "0.244.0" +when = "2026-01-06" +trusted-publisher = "github:bytecodealliance/wasm-tools" [[publisher.zmij]] version = "1.0.19" 
@@ -237,6 +309,70 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[audits.bytecode-alliance.wildcard-audits.wasip2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-08-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasip3]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2025-09-10" +end = "2026-08-21" +notes = """ +This is a Bytecode Alliance authored crate. +""" + +[[audits.bytecode-alliance.wildcard-audits.wasm-encoder]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +user-id = 73222 # wasmtime-publish +start = "2023-01-01" +end = "2026-06-03" +notes = """ +The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate +publication of this crate from CI. This repository requires all PRs are reviewed +by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. 
+""" + +[[audits.bytecode-alliance.wildcard-audits.wasmparser]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-core]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + [[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rt]] who = "Alex Crichton " criteria = "safe-to-deploy" 
@@ -249,12 +385,49 @@ publication of this crate from CI. This repository requires all PRs are reviewed by a Bytecode Alliance maintainer and it owned by the Bytecode Alliance itself. """ +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-12" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rust-macro]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wit-bindgen" +start = "2025-08-13" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-component]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.wildcard-audits.wit-parser]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +trusted-publisher = "github:bytecodealliance/wasm-tools" +start = "2025-08-14" +end = "2027-01-08" +notes = "The Bytecode Alliance is the author of this crate" + [[audits.bytecode-alliance.audits.anes]] who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.6" notes = "Contains no unsafe code, no IO, no build.rs." +[[audits.bytecode-alliance.audits.anyhow]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "1.0.69 -> 1.0.71" + [[audits.bytecode-alliance.audits.base64]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -339,6 +512,21 @@ criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.4" notes = "Nothing out of the ordinary for a crate finding MSVC tooling." +[[audits.bytecode-alliance.audits.foldhash]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +Only a minor amount of `unsafe` code in this crate related to global per-process +initialization which looks correct to me. +""" + +[[audits.bytecode-alliance.audits.heck]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.5.0" +notes = "Minor changes for a `no_std` upgrade but otherwise everything looks as expected." + [[audits.bytecode-alliance.audits.itertools]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" 
@@ -357,12 +545,71 @@ Lots of new iterators and shuffling some things around. Some new unsafe code but it's well-documented and well-tested. Nothing suspicious. """ +[[audits.bytecode-alliance.audits.leb128fmt]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.0" +notes = "Well-scoped crate do doing LEB encoding with no `unsafe` code and does what it says on the tin." + [[audits.bytecode-alliance.audits.shlex]] who = "Alex Crichton " criteria = "safe-to-deploy" version = "1.1.0" notes = "Only minor `unsafe` code blocks which look valid and otherwise does what it says on the tin." +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.236.0 -> 0.237.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.237.0 -> 0.238.1" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.238.1 -> 0.239.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.239.0 -> 0.240.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.240.0 -> 0.241.2" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.241.2 -> 0.242.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.242.0 -> 0.243.0" +notes = "The Bytecode Alliance is the author of this crate" + 
+[[audits.bytecode-alliance.audits.wasm-metadata]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.243.0 -> 0.244.0" +notes = "The Bytecode Alliance is the author of this crate" + +[[audits.embark-studios.audits.anyhow]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.58" + [[audits.embark-studios.audits.tap]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -473,6 +720,33 @@ delta = "0.7.1 -> 0.7.2" notes = "No `.rs` changes in the delta." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.equivalent]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "Jonathan Hao " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 1.0.2" +notes = "No changes to any .rs files or Rust code." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" +notes = "No changes to safety-relevant code" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.foldhash]] +who = "Chris Palmer " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.5" +notes = "No new `unsafe`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.getrandom]] who = "danakj@chromium.org" criteria = "safe-to-run" 
@@ -484,6 +758,19 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.heck]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.4.1" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits. + +`heck` (version `0.3.3`) has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.itertools]] who = "ChromeOS" criteria = "safe-to-run" 
@@ -565,6 +852,52 @@ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_p [audits.isrg.audits] +[[audits.mozilla.wildcard-audits.unicode-xid]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-07-25" +end = "2026-02-01" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.57 -> 1.0.61" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +delta = "1.0.58 -> 1.0.57" +notes = "No functional differences, just CI config and docs." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.61 -> 1.0.62" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.62 -> 1.0.68" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.68 -> 1.0.69" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.71 -> 1.0.95" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.autocfg]] who = "Josh Stone " criteria = "safe-to-deploy" 
@@ -799,6 +1132,28 @@ version = "2.5.0" notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.zcash.audits.anyhow]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.95 -> 1.0.97" +aggregated-from = "https://raw.githubusercontent.com/zcash/wallet/main/supply-chain/audits.toml" + +[[audits.zcash.audits.anyhow]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.97 -> 1.0.100" +notes = """ +Changes to the build script are to enable reusing the probe file within the crate, enable +more features on newer Rust versions, and catch more errors. + +Most of the changes to `unsafe` code are refactors to surrounding safe code, and not +actually altering the `unsafe` blocks. The new instances of `unsafe` are to allow errors +to be converted to `Box` in a way that supports downcasting (at the +cost of backtraces), via a new vtable method. The `unsafe` blocks in the new code appear +to match how boxing and downcasting logic is done in other existing vtable methods. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.clap_lex]] who = "Jack Grigg " criteria = "safe-to-deploy" From 87ea165644888182374815a475cb48d799348602 Mon Sep 17 00:00:00 2001 From: David Cook Date: Tue, 10 Feb 2026 12:16:29 -0600 Subject: [PATCH 4/4] Add more exemptions for WASI-only dependencies --- supply-chain/config.toml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 6f198ce81..2f86c6f6c 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml 
@@ -117,6 +117,16 @@ criteria = "safe-to-deploy" version = "0.1.1" criteria = "safe-to-run" +[[exemptions.id-arena]] +version = "2.3.0" +criteria = "safe-to-deploy" +notes = "This is only used on WASI targets" + +[[exemptions.indexmap]] +version = "2.13.0" +criteria = "safe-to-deploy" +notes = "This is only used on WASI targets" + [[exemptions.matrixmultiply]] version = "0.3.7" criteria = "safe-to-run" @@ -137,6 +147,11 @@ criteria = "safe-to-run" version = "0.2.16" criteria = "safe-to-deploy" +[[exemptions.prettyplease]] +version = "0.2.37" +criteria = "safe-to-deploy" +notes = "This is only used on WASI targets" + [[exemptions.r-efi]] version = "5.2.0" criteria = "safe-to-deploy" @@ -150,6 +165,11 @@ criteria = "safe-to-deploy" version = "0.7.0" criteria = "safe-to-run" +[[exemptions.semver]] +version = "1.0.27" +criteria = "safe-to-deploy" +notes = "This is only used on WASI targets" + [[exemptions.simba]] version = "0.6.0" criteria = "safe-to-run"
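Review bot: The four new exemptions (id-arena and indexmap in this hunk, prettyplease and semver in the next two) are granted `safe-to-deploy` on the strength of `notes = "This is only used on WASI targets"`, but nothing in the entries enforces that condition. As far as I know, a cargo-vet exemption applies to the crate version wherever it appears in the dependency graph. If another dependency later pulls `indexmap 2.13.0` or `semver 1.0.27` into a non-WASI build, it would then pass as unaudited code under deploy-level criteria. Wording the note so the condition is checkable at the next review would help, e.g. `notes = "Only reachable through WASI-only dependencies as of this change; audit before it enters other targets"`.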