Merge pull request #1554 from zcash/dep-updates

Migrate to `sapling-crypto 0.3`, `orchard 0.10`

Cargo.toml

@@ -57,11 +57,11 @@ bitvec = "1"
 blake2s_simd = "1"
 bls12_381 = "0.8"
 jubjub = "0.10"
-sapling = { package = "sapling-crypto", version = "0.2", default-features = false }
+sapling = { package = "sapling-crypto", version = "0.3", default-features = false }
 
 # - Orchard
 nonempty = "0.7"
-orchard = { version = "0.9", default-features = false }
+orchard = { version = "0.10", default-features = false }
 pasta_curves = "0.5"
 
 # - Transparent
@@ -163,8 +163,5 @@ codegen-units = 1
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(zcash_unstable, values("zfuture"))'] }
 
 [patch.crates-io]
-sapling-crypto = { git = "https://github.com/zcash/sapling-crypto", rev = "b1ad3694ee13a2fc5d291ad04721a6252da0993c" }
-orchard = { git = "https://github.com/zcash/orchard", rev = "55fb089a335bbbc1cda186c706bc037073df8eb7" }
-incrementalmerkletree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "ffe4234788fd22662b937ba7c6ea01535fcc1293" }
-incrementalmerkletree-testing = { git = "https://github.com/zcash/incrementalmerkletree", rev = "ffe4234788fd22662b937ba7c6ea01535fcc1293" }
-shardtree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "ffe4234788fd22662b937ba7c6ea01535fcc1293" }
+incrementalmerkletree-testing = { git = "https://github.com/zcash/incrementalmerkletree", rev = "336452152536dde5831c9a4029fd26b4ec310608" }
+shardtree = { git = "https://github.com/zcash/incrementalmerkletree", rev = "336452152536dde5831c9a4029fd26b4ec310608" }

supply-chain/config.toml

@@ -87,10 +87,6 @@ criteria = "safe-to-deploy"
 version = "1.1.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.allocator-api2]]
-version = "0.2.16"
-criteria = "safe-to-deploy"
-
 [[exemptions.amplify]]
 version = "4.6.0"
 criteria = "safe-to-deploy"
@@ -223,10 +219,6 @@ criteria = "safe-to-deploy"
 version = "1.2.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.byteorder]]
-version = "1.5.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.bytes]]
 version = "1.5.0"
 criteria = "safe-to-deploy"
@@ -1171,10 +1163,6 @@ criteria = "safe-to-deploy"
 version = "0.1.0"
 criteria = "safe-to-run"
 
-[[exemptions.strsim]]
-version = "0.11.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.symbolic-common]]
 version = "12.9.2"
 criteria = "safe-to-run"
@@ -1363,10 +1351,6 @@ criteria = "safe-to-deploy"
 version = "0.1.27"
 criteria = "safe-to-deploy"
 
-[[exemptions.tracing-core]]
-version = "0.1.32"
-criteria = "safe-to-deploy"
-
 [[exemptions.tracing-log]]
 version = "0.2.0"
 criteria = "safe-to-deploy"

supply-chain/imports.lock

@@ -49,22 +49,22 @@ user-id = 1244
 user-login = "ebfull"
 
 [[publisher.incrementalmerkletree]]
-version = "0.6.0"
-when = "2024-08-12"
+version = "0.7.0"
+when = "2024-09-25"
 user-id = 169181
 user-login = "nuttycom"
 user-name = "Kris Nuttycombe"
 
 [[publisher.orchard]]
-version = "0.9.0"
-when = "2024-08-12"
+version = "0.10.0"
+when = "2024-10-02"
 user-id = 169181
 user-login = "nuttycom"
 user-name = "Kris Nuttycombe"
 
 [[publisher.sapling-crypto]]
-version = "0.2.0"
-when = "2024-08-12"
+version = "0.3.0"
+when = "2024-10-02"
 user-id = 169181
 user-login = "nuttycom"
 user-name = "Kris Nuttycombe"
@@ -918,6 +918,13 @@ instead (see also https://crrev.com/c/5771867).
 """
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
 
+[[audits.google.audits.byteorder]]
+who = "danakj <[email protected]>"
+criteria = "safe-to-deploy"
+version = "1.5.0"
+notes = "Unsafe review in https://crrev.com/c/5838022"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.cast]]
 who = "George Burgess IV <[email protected]>"
 criteria = "safe-to-run"
@@ -1091,12 +1098,6 @@ criteria = "safe-to-run"
 delta = "0.4.2 -> 0.4.9"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
-[[audits.google.audits.itertools]]
-who = "ChromeOS"
-criteria = "safe-to-run"
-version = "0.10.5"
-aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
-
 [[audits.google.audits.itoa]]
 who = "Lukasz Anforowicz <[email protected]>"
 criteria = "safe-to-deploy"
@@ -1872,6 +1873,12 @@ criteria = "safe-to-deploy"
 delta = "0.8.7 -> 0.8.11"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.allocator-api2]]
+who = "Nicolas Silva <[email protected]>"
+criteria = "safe-to-deploy"
+version = "0.2.18"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.android_system_properties]]
 who = "Nicolas Silva <[email protected]>"
 criteria = "safe-to-deploy"
@@ -2324,6 +2331,12 @@ criteria = "safe-to-deploy"
 delta = "0.6.27 -> 0.6.28"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.strsim]]
+who = "Ben Dean-Kawamura <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.10.0 -> 0.11.1"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.subtle]]
 who = "Simon Friedberger <[email protected]>"
 criteria = "safe-to-deploy"
@@ -2433,6 +2446,17 @@ criteria = "safe-to-deploy"
 delta = "0.5.10 -> 0.5.11"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.tracing-core]]
+who = "Alex Franchuk <[email protected]>"
+criteria = "safe-to-deploy"
+version = "0.1.30"
+notes = """
+Most unsafe code is in implementing non-std sync primitives. Unsafe impls are
+logically correct and justified in comments, and unsafe code is sound and
+justified in comments.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.zerocopy]]
 who = "Alex Franchuk <[email protected]>"
 criteria = "safe-to-deploy"
@@ -2466,12 +2490,6 @@ criteria = "safe-to-deploy"
 delta = "1.1.2 -> 1.1.3"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
-[[audits.zcash.audits.allocator-api2]]
-who = "Daira-Emma Hopwood <[email protected]>"
-criteria = "safe-to-deploy"
-delta = "0.2.16 -> 0.2.18"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.anyhow]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -2525,24 +2543,6 @@ delta = "0.3.69 -> 0.3.71"
 notes = "This crate inherently requires a lot of `unsafe` code, but the changes look plausible."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
-[[audits.zcash.audits.base64]]
-who = "Jack Grigg <[email protected]>"
-criteria = "safe-to-deploy"
-delta = "0.21.3 -> 0.21.4"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
-[[audits.zcash.audits.base64]]
-who = "Jack Grigg <[email protected]>"
-criteria = "safe-to-deploy"
-delta = "0.21.4 -> 0.21.5"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
-[[audits.zcash.audits.base64]]
-who = "Daira-Emma Hopwood <[email protected]>"
-criteria = "safe-to-deploy"
-delta = "0.21.5 -> 0.21.7"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.blake2b_simd]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"
@@ -3350,6 +3350,23 @@ criteria = "safe-to-deploy"
 delta = "0.6.2 -> 0.6.3"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.zcash.audits.tracing-core]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.1.30 -> 0.1.31"
+notes = """
+The only new `unsafe` block is to intentionally leak a scoped subscriber onto
+the heap when setting it as the global default dispatcher. I checked that the
+global default can only be set once and is never dropped.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.tracing-core]]
+who = "Jack Grigg <[email protected]>"
+criteria = "safe-to-deploy"
+delta = "0.1.31 -> 0.1.32"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.zcash.audits.tracing-subscriber]]
 who = "Jack Grigg <[email protected]>"
 criteria = "safe-to-deploy"

zcash_client_backend/CHANGELOG.md

@@ -13,6 +13,7 @@ and this library adheres to Rust's notion of
   - `WalletSummary::recovery_progress`
 
 ### Changed
+- Migrated to `orchard 0.10`, `sapling-crypto 0.3`.
 - The `Account` trait now uses an associated type for its `AccountId`
   type instead of a type parameter. This change allows for the simplification
   of some type signatures.

zcash_client_sqlite/CHANGELOG.md

@@ -7,6 +7,8 @@ and this library adheres to Rust's notion of
 
 ## [Unreleased]
 
+### Changed
+- Migrated to `orchard 0.10`, `sapling-crypto 0.3`.
 - `zcash_client_sqlite::error::SqliteClientError::RequestedRewindInvalid`
   is now a structured variant.
 

zcash_keys/CHANGELOG.md

@@ -12,6 +12,9 @@ and this library adheres to Rust's notion of
 - `impl std::error::Error for DecodingError`
 - `impl std::error::Error for DerivationError`
 
+### Changed
+- Migrated to `orchard 0.10`, `sapling-crypto 0.3`.
+
 ## [0.3.0] - 2024-08-19
 ### Notable changes
 - `zcash_keys`:

zcash_primitives/CHANGELOG.md

@@ -10,7 +10,8 @@ and this library adheres to Rust's notion of
 ## [0.17.0] - 2024-08-26
 
 ### Changed
-- Update dependencies to `zcash_protocol 0.3.0`, `zcash_address 0.5.0`
+- Update dependencies to `incrementalmerkletree 0.7`, `orchard 0.10`,
+  `sapling-crypto 0.3`, `zcash_protocol 0.3.0`, `zcash_address 0.5.0`.
 
 ## [0.16.0] - 2024-08-19
 

zcash_proofs/CHANGELOG.md

@@ -7,6 +7,9 @@ and this library adheres to Rust's notion of
 
 ## [Unreleased]
 
+### Changed
+- Migrated to `sapling-crypto 0.3`.
+
 ## [0.17.0] - 2024-08-26
 
 ### Changed