I’m attempting to upgrade target-lexicon dependency to 0.12.12
in the Cargo.toml, but that leads to cargo vet
complaining about this not having been audited, despite the [[trusted.target-lexicon]]
in audits.toml
. I tried running cargo vet
locally as well, but can’t really figure out what are the steps to get the information about the crate updated correctly. I’ve reviewed the changes between the current version and 0.12.12, but running cargo vet certify target-lexicon 0.12.12
ends up adding
+[[audits.target-lexicon]]
+who = "Simonas Kazlauskas <git@kazlauskas.me>"
+criteria = "safe-to-deploy"
+version = "0.12.12"
+
rather than a diff
based audit I would have expected. And yet I can’t find any indication that target-lexicon
has been audited before. There's a [[trusted.target-lexicon]]
section, but as seen in the PR that’s not good enough for whatever reason?
So the question then is, what’s the right way to mark 0.12.12 as good?
The target-lexicon crate is maintained by Dan, who is also a core maintainer of Wasmtime, so we have cargo vet configured to automatically trust all target-lexicon crates published by dan, see audits.toml:3262
when I update the crate locally and then just run cargo vet
, it fills in the import of the 0.12.12 version automatically
[phickey@pch-tower:src/wasmtime]% cargo update -p target-lexicon
Updating crates.io index
Updating target-lexicon v0.12.3 -> v0.12.12
[phickey@pch-tower:src/wasmtime]% cargo vet
Vetting Succeeded (260 fully audited, 32 partially audited, 84 exempted)
WARN Your supply-chain has unnecessary exemptions which could be relaxed or pruned.
WARN Consider running `cargo vet prune` to prune unnecessary exemptions and imports.
[phickey@pch-tower:src/wasmtime]% git diff
diff --git a/Cargo.lock b/Cargo.lock
index 43c3d1089..eb98babe7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2605,9 +2605,9 @@ dependencies = [
[[package]]
name = "target-lexicon"
-version = "0.12.3"
+version = "0.12.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7fa7e55043acb85fca6b3c01485a2eeb6b69c5d21002e273c79e465f43b7ac1"
+checksum = "14c39fd04924ca3a864207c66fc2cd7d22d7c016007f9ce846cbb9326331930a"
[[package]]
name = "tempfile"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 9a5b1830e..f8eb0fea5 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -715,6 +715,13 @@ user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"
+[[publisher.target-lexicon]]
+version = "0.12.12"
+when = "2023-10-19"
+user-id = 6825
+user-login = "sunfishcode"
+user-name = "Dan Gohman"
+
[[publisher.termcolor]]
version = "1.1.3"
when = "2022-03-02"
at any rate, commits to the cargo vet files are only accepted from core wasmtime contributors, in part to maintain our own supply chain security and in part because our vets are imported by other projects who transitively trust just our core contributors. so, whenever you make a PR to update something like this, just leave the cargo vet failures in CI and wait for a core contributor to make a PR like https://github.com/bytecodealliance/wasmtime/pull/7380/, then merge with main once the vet PR lands.
Last updated: Dec 23 2024 at 12:05 UTC