
build(deps): bump the prod group across 1 directory with 11 updates #8664

Merged
merged 4 commits into from
Jul 10, 2024

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Jul 8, 2024

Bumps the prod group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| clap | 4.5.7 | 4.5.8 |
| serde | 1.0.203 | 1.0.204 |
| tinyvec | 1.6.1 | 1.7.0 |
| metrics | 0.22.3 | 0.23.0 |
| metrics-exporter-prometheus | 0.14.0 | 0.15.1 |
| log | 0.4.21 | 0.4.22 |
| proptest-derive | 0.4.0 | 0.5.0 |
| console-subscriber | 0.2.0 | 0.3.0 |
| serde_json | 1.0.118 | 1.0.120 |
| serde_with | 3.8.1 | 3.8.3 |
| syn | 2.0.68 | 2.0.69 |

Updates clap from 4.5.7 to 4.5.8

Release notes

Sourced from clap's releases.

v4.5.8

[4.5.8] - 2024-06-28

Fixes

  • Reduce extra flushes
Changelog

Sourced from clap's changelog.

[4.5.8] - 2024-06-28

Fixes

  • Reduce extra flushes
Commits

Updates serde from 1.0.203 to 1.0.204

Release notes

Sourced from serde's releases.

v1.0.204

  • Apply #[diagnostic::on_unimplemented] attribute on Rust 1.78+ to suggest adding serde derive or enabling a "serde" feature flag in dependencies (#2767, thanks @weiznich)
Commits
  • 18dcae0 Release 1.0.204
  • 58c307f Alphabetize list of rustc-check-cfg
  • 8cc4809 Merge pull request #2769 from dtolnay/onunimpl
  • 1179158 Update ui test with diagnostic::on_unimplemented from PR 2767
  • 91aa40e Add ui test of unsatisfied serde trait bound
  • 595019e Cut test_suite from workspace members in old toolchain CI jobs
  • b0d7917 Pull in trybuild 'following types implement trait' fix
  • 8e6637a Merge pull request #2767 from weiznich/feature/diagnostic_on_unimplemented
  • 694fe05 Use the #[diagnostic::on_unimplemented] attribute when possible
  • f3dfd2a Suppress dead code warning in test of unit struct remote derive
  • Additional commits viewable in compare view

Updates tinyvec from 1.6.1 to 1.7.0

Changelog

Sourced from tinyvec's changelog.

Changelog

1.7

  • Fuuzetsu added the rustc_1_61 cargo feature, which adds the retain_mut method. pr 198
Commits

Updates metrics from 0.22.3 to 0.23.0

Commits

Updates metrics-exporter-prometheus from 0.14.0 to 0.15.1

Commits
  • f84efc4 chore: Release
  • 20b6ec5 metrics-exporter-promethus: update CHANGELOG
  • 9f86b53 Try fixing the Discord invite link... again.
  • db56631 Update Discord invite link.
  • 654c3a1 metrics-exporter-prometheus: use hyper-rustls (#489)
  • 4c002c4 typo fix in CHANGELOG.md (#487)
  • 787b170 chore: Release
  • b48ed78 update changelog
  • 82513b3 Relax bounds on some metrics_util::registry::Registry methods (#484)
  • ce9084b permit trailing commans in describe macros (#483)
  • Additional commits viewable in compare view

Updates log from 0.4.21 to 0.4.22

Changelog

Sourced from log's changelog.

[0.4.22] - 2024-06-27

What's Changed

New Contributors

Full Changelog: rust-lang/log@0.4.21...0.4.22

Commits
  • d5ba2cf Merge pull request #634 from rust-lang/cargo/0.4.22
  • d1a8306 prepare for 0.4.22 release
  • 46894ef Merge pull request #633 from rust-lang/feat/panic-info
  • e0d389c Merge pull request #632 from rust-lang/feat/loosen-atomics
  • c9e5e13 use Location::caller() for file and line info
  • 507b672 loosen orderings for logger initialization
  • c879b01 Merge pull request #628 from Thomasdezeeuw/fix-warnings
  • 405fdb4 Merge pull request #627 from Thomasdezeeuw/check-features
  • 1307ade Remove unneeded import
  • 710560e Don't use --all-features in CI
  • Additional commits viewable in compare view

Updates proptest-derive from 0.4.0 to 0.5.0

Commits
  • ca308b0 Merge pull request #462 from mirandaconrado/master
  • 0a53eda Merge pull request #467 from matthew-russo/macro-0.1
  • 96a2dab Merge pull request #464 from matthew-russo/master
  • f818fa2 Release : prep for proptest-macro 0.1.0 release
  • e275f8a Release : prep for proptest-derive 0.5 release
  • f87ec63 Release : prep for proptest 1.5 release
  • 060cfbe [Doc] Arbitrary : add a note about the derive macro in Arbitrary's documentation
  • 1426f0f Update changelog
  • 7774b9c Detect empty ranges during tree creation
  • 24412f5 Update compiletest_rs requirement from 0.10 to 0.11 (#455)
  • Additional commits viewable in compare view

Updates console-subscriber from 0.2.0 to 0.3.0

Release notes

Sourced from console-subscriber's releases.

console-subscriber-v0.3.0 - (2024-06-10)

Breaking Changes

  • Bump tonic to 0.11 (#547) (ef6816c). This is a breaking change for users of console-api and console-subscriber, as it changes the public tonic dependency to a semver-incompatible version. This breaks compatibility with tonic 0.10.x.

Added

  • Replace target column with kind column in tasks view (#478) (903d9fa)
  • Reduce retention period to fit in max message size (#503) (bd3dd71)
  • Support grpc-web and add grpc-web feature (#498) (4150253)

Documented

Fixed

  • Don't save poll_ops if no-one is receiving them (#501) (1656c79)
  • Ignore metadata that is not a span or event (#554) (852a977)

Updated

Commits
  • b802bf1 chore: release tokio-console-v0.1.11, console-api-v0.7.0, console-subscriber-...
  • 87ba91c chore(console): update cargo dist (#556)
  • dcf8c2c chore: include tonic updates in release notes (#559)
  • 99437b0 chore: automate releases with Release-plz (#545)
  • 852a977 fix(subscriber): ignore metadata that is not a span or event (#554)
  • a0d20fd docs(console): add note about running on Windows (#510)
  • 60bcf87 chore: get rid of remove_dir_all (#542)
  • 1c1d599 chore: bump clap and clap_complete to the latest version (#552)
  • ef6816c chore: bump tonic to 0.11 (#547)
  • 6cbd6db chore(console): bump ratatui to 0.26.2 and crossterm to 0.27.0 (#515)
  • Additional commits viewable in compare view

Updates serde_json from 1.0.118 to 1.0.120

Release notes

Sourced from serde_json's releases.

v1.0.120

  • Correctly specify required version of indexmap dependency (#1152, thanks @cforycki)

v1.0.119

Commits
  • bcedc3d Release 1.0.120
  • 962c0fb Merge pull request #1152 from cforycki/fix/index-map-minimal-version
  • 3480fed fix: indexmap minimal version with Map::shift_insert()
  • b48b9a3 Release 1.0.119
  • 8878cd7 Make shift_insert available for inlining like other Map methods
  • 352b7ab Document the cfg required for Map::shift_insert to exist
  • c17e63f Merge pull request #1149 from joshka/master
  • 309ef6b Add Map::shift_insert()
  • a9e089a Merge pull request #1146 from haouvw/master
  • a83fe96 chore: remove repeat words
  • See full diff in compare view

Updates serde_with from 3.8.1 to 3.8.3

Release notes

Sourced from serde_with's releases.

serde_with v3.8.3

Fixed

  • Fix compile issues when dependency schemars_0_8 is used with the preserve_order features (#762)

serde_with v3.8.2

Changed

  • Bump MSRV to 1.67, since that is required for the time dependency. The time version needed to be updated for nightly compatibility.

Fixed

Commits
  • 1c4b022 Bump version to v3.8.3 (#765)
  • 7de9838 Bump version to v3.8.3
  • 19bfe18 Make code compile with schemars_0_8/preserve_order enabled (#764)
  • 4c8c2db Make code compile with schemars_0_8/preserve_order enabled
  • 2274dd1 Bump version to 3.8.2 (#761)
  • e9e7a7e Bump version to 3.8.2
  • c9d9672 Implement JsonSchemaAs for OneOrMany instead of JsonSchema (#760)
  • dee706a Implement JsonSchemaAs for OneOrMany instead of JsonSchema
  • f74b460 Fix two clippy issues (#755)
  • 3ae4424 Fix two clippy issues
  • Additional commits viewable in compare view

Updates syn from 2.0.68 to 2.0.69

Release notes

Sourced from syn's releases.

2.0.69

  • Correctly parenthesize labeled loops inside a break value (#1692)
  • Add Punctuated::get and get_mut (#1693)
Commits
  • d4a0ff5 Release 2.0.69
  • 0f72134 Improve precedence variant name of sum and product operators
  • 06f34fc Merge pull request #1693 from dtolnay/get
  • a443857 Add Punctuated::get and get_mut
  • f0dfdbd Update test suite to nightly-2024-07-05
  • 1560f9a Merge pull request #1692 from dtolnay/break
  • 4e71c1c Parenthesize labeled loops inside break value
  • 93931a4 Add fixup test for break with leading label
  • cc5e64e Update test suite to nightly-2024-06-29
  • 2bbf612 Merge pull request #1691 from dtolnay/postfix
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod group with 11 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [clap](https://github.com/clap-rs/clap) | `4.5.7` | `4.5.8` |
| [serde](https://github.com/serde-rs/serde) | `1.0.203` | `1.0.204` |
| [tinyvec](https://github.com/Lokathor/tinyvec) | `1.6.1` | `1.7.0` |
| [metrics](https://github.com/metrics-rs/metrics) | `0.22.3` | `0.23.0` |
| [metrics-exporter-prometheus](https://github.com/metrics-rs/metrics) | `0.14.0` | `0.15.1` |
| [log](https://github.com/rust-lang/log) | `0.4.21` | `0.4.22` |
| [proptest-derive](https://github.com/proptest-rs/proptest) | `0.4.0` | `0.5.0` |
| [console-subscriber](https://github.com/tokio-rs/console) | `0.2.0` | `0.3.0` |
| [serde_json](https://github.com/serde-rs/json) | `1.0.118` | `1.0.120` |
| [serde_with](https://github.com/jonasbb/serde_with) | `3.8.1` | `3.8.3` |
| [syn](https://github.com/dtolnay/syn) | `2.0.68` | `2.0.69` |



Updates `clap` from 4.5.7 to 4.5.8
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](clap-rs/clap@clap_complete-v4.5.7...v4.5.8)

Updates `serde` from 1.0.203 to 1.0.204
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](serde-rs/serde@v1.0.203...v1.0.204)

Updates `tinyvec` from 1.6.1 to 1.7.0
- [Changelog](https://github.com/Lokathor/tinyvec/blob/main/CHANGELOG.md)
- [Commits](Lokathor/tinyvec@v1.6.1...v1.7.0)

Updates `metrics` from 0.22.3 to 0.23.0
- [Changelog](https://github.com/metrics-rs/metrics/blob/main/release.toml)
- [Commits](metrics-rs/metrics@metrics-v0.22.3...metrics-v0.23.0)

Updates `metrics-exporter-prometheus` from 0.14.0 to 0.15.1
- [Changelog](https://github.com/metrics-rs/metrics/blob/main/release.toml)
- [Commits](metrics-rs/metrics@metrics-exporter-prometheus-v0.14.0...metrics-exporter-prometheus-v0.15.1)

Updates `log` from 0.4.21 to 0.4.22
- [Release notes](https://github.com/rust-lang/log/releases)
- [Changelog](https://github.com/rust-lang/log/blob/master/CHANGELOG.md)
- [Commits](rust-lang/log@0.4.21...0.4.22)

Updates `proptest-derive` from 0.4.0 to 0.5.0
- [Release notes](https://github.com/proptest-rs/proptest/releases)
- [Changelog](https://github.com/proptest-rs/proptest/blob/master/CHANGELOG.md)
- [Commits](proptest-rs/proptest@0.4.0...proptest-derive-0.5.0)

Updates `console-subscriber` from 0.2.0 to 0.3.0
- [Release notes](https://github.com/tokio-rs/console/releases)
- [Changelog](https://github.com/tokio-rs/console/blob/main/release-plz.toml)
- [Commits](tokio-rs/console@console-subscriber-v0.2.0...console-subscriber-v0.3.0)

Updates `serde_json` from 1.0.118 to 1.0.120
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](serde-rs/json@v1.0.118...v1.0.120)

Updates `serde_with` from 3.8.1 to 3.8.3
- [Release notes](https://github.com/jonasbb/serde_with/releases)
- [Commits](jonasbb/serde_with@v3.8.1...v3.8.3)

Updates `syn` from 2.0.68 to 2.0.69
- [Release notes](https://github.com/dtolnay/syn/releases)
- [Commits](dtolnay/syn@2.0.68...2.0.69)

---
updated-dependencies:
- dependency-name: clap
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod
- dependency-name: serde
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod
- dependency-name: tinyvec
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod
- dependency-name: metrics
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod
- dependency-name: metrics-exporter-prometheus
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod
- dependency-name: log
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod
- dependency-name: proptest-derive
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod
- dependency-name: console-subscriber
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod
- dependency-name: serde_with
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod
- dependency-name: syn
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested review from a team as code owners July 8, 2024 15:11
@dependabot dependabot bot added A-dependencies Area: Dependency file updates A-rust Area: Updates to Rust code C-trivial Category: A trivial change that is not worth mentioning in the CHANGELOG P-Low ❄️ labels Jul 8, 2024
@dependabot dependabot bot requested review from oxarbitrage and removed request for a team July 8, 2024 15:11
@oxarbitrage
Contributor

I am not really sure how to interpret cargo vet output. Here is what I get when running locally over this PR:

alfredo@spaceship:~/zebra/pr8664/zebra$ cargo vet
Vetting Failed!

93 unvetted dependencies:
  anstyle-query:1.1.0 missing ["safe-to-deploy"]
  anyhow:1.0.86 missing ["safe-to-deploy"]
  async-compression:0.4.11 missing ["safe-to-deploy"]
  atomic-waker:1.1.2 missing ["safe-to-deploy"]
  camino:1.1.7 missing ["safe-to-deploy"]
  cc:1.0.100 missing ["safe-to-deploy"]
  clang-sys:1.8.1 missing ["safe-to-deploy"]
  clap:4.5.8 missing ["safe-to-deploy"]
  clap_builder:4.5.8 missing ["safe-to-deploy"]
  clap_derive:4.5.8 missing ["safe-to-deploy"]
  clap_lex:0.7.1 missing ["safe-to-deploy"]
  console-api:0.7.0 missing ["safe-to-deploy"]
  console-subscriber:0.3.0 missing ["safe-to-deploy"]
  crc32fast:1.4.2 missing ["safe-to-deploy"]
  crossbeam-channel:0.5.13 missing ["safe-to-deploy"]
  darling:0.20.9 missing ["safe-to-deploy"]
  darling_core:0.20.9 missing ["safe-to-deploy"]
  darling_macro:0.20.9 missing ["safe-to-deploy"]
  either:1.12.0 missing ["safe-to-deploy"]
  fiat-crypto:0.2.9 missing ["safe-to-deploy"]
  getrandom:0.2.15 missing ["safe-to-deploy"]
  h2:0.4.5 missing ["safe-to-deploy"]
  http-body-util:0.1.2 missing ["safe-to-deploy"]
  httparse:1.9.4 missing ["safe-to-deploy"]
  hyper:0.14.29 missing ["safe-to-deploy"]
  hyper-util:0.1.5 missing ["safe-to-deploy"]
  instant:0.1.13 missing ["safe-to-deploy"]
  itertools:0.12.1 missing ["safe-to-deploy"]
  libc:0.2.155 missing ["safe-to-deploy"]
  libloading:0.8.4 missing ["safe-to-deploy"]
  libz-sys:1.1.18 missing ["safe-to-deploy"]
  linux-raw-sys:0.4.14 missing ["safe-to-deploy"]
  log:0.4.22 missing ["safe-to-deploy"]
  lz4-sys:1.9.5 missing ["safe-to-deploy"]
  memchr:2.7.4 missing ["safe-to-deploy"]
  metrics:0.23.0 missing ["safe-to-deploy"]
  metrics-exporter-prometheus:0.15.1 missing ["safe-to-deploy"]
  metrics-util:0.17.0 missing ["safe-to-deploy"]
  miniz_oxide:0.7.4 missing ["safe-to-deploy"]
  num-traits:0.2.19 missing ["safe-to-deploy"]
  parity-scale-codec:3.6.12 missing ["safe-to-deploy"]
  parity-scale-codec-derive:3.6.12 missing ["safe-to-deploy"]
  parking_lot:0.12.3 missing ["safe-to-deploy"]
  petgraph:0.6.5 missing ["safe-to-deploy"]
  plotters:0.3.6 missing ["safe-to-run"]
  plotters-backend:0.3.6 missing ["safe-to-run"]
  plotters-svg:0.3.6 missing ["safe-to-run"]
  prettyplease:0.2.20 missing ["safe-to-deploy"]
  proc-macro-crate:3.1.0 missing ["safe-to-deploy"]
  proptest:1.5.0 missing ["safe-to-deploy"]
  proptest-derive:0.5.0 missing ["safe-to-deploy"]
  prost-build:0.12.6 missing ["safe-to-deploy"]
  prost-types:0.12.6 missing ["safe-to-deploy"]
  redox_syscall:0.5.2 missing ["safe-to-deploy"]
  regex:1.10.5 missing ["safe-to-deploy"]
  regex-automata:0.4.7 missing ["safe-to-deploy"]
  regex-syntax:0.8.4 missing ["safe-to-deploy"]
  ryu:1.0.18 missing ["safe-to-deploy"]
  serde:1.0.204 missing ["safe-to-deploy"]
  serde_derive:1.0.204 missing ["safe-to-deploy"]
  serde_json:1.0.120 missing ["safe-to-deploy"]
  serde_with:3.8.3 missing ["safe-to-deploy"]
  serde_with_macros:3.8.3 missing ["safe-to-deploy"]
  syn:2.0.69 missing ["safe-to-deploy"]
  tinyvec:1.7.0 missing ["safe-to-deploy"]
  tokio:1.38.0 missing ["safe-to-deploy"]
  tokio-macros:2.3.0 missing ["safe-to-deploy"]
  toml:0.8.14 missing ["safe-to-deploy"]
  toml_edit:0.21.1 missing ["safe-to-deploy"]
  toml_edit:0.22.14 missing ["safe-to-deploy"]
  tower-batch-control:0.2.41-beta.14 missing ["safe-to-deploy"]
  tower-fallback:0.2.41-beta.14 missing ["safe-to-deploy"]
  tracing-test:0.2.5 missing ["safe-to-run"]
  tracing-test-macro:0.2.5 missing ["safe-to-run"]
  unicode-width:0.1.13 missing ["safe-to-deploy"]
  url:2.5.2 missing ["safe-to-deploy"]
  utf8parse:0.2.2 missing ["safe-to-deploy"]
  uuid:1.9.1 missing ["safe-to-deploy"]
  winnow:0.6.13 missing ["safe-to-deploy"]
  zcash_primitives:0.15.1 missing ["safe-to-deploy"]
  zebra-chain:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-consensus:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-grpc:0.1.0-alpha.5 missing ["safe-to-deploy"]
  zebra-network:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-node-services:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-rpc:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-scan:0.1.0-alpha.7 missing ["safe-to-deploy"]
  zebra-script:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-state:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-test:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebra-utils:1.0.0-beta.38 missing ["safe-to-deploy"]
  zebrad:1.8.0 missing ["safe-to-deploy"]
  zeroize:1.8.1 missing ["safe-to-deploy"]

recommended audits for safe-to-deploy:
    Command                                               Publisher        Used By                                     Audit Size
    cargo vet diff fiat-crypto 0.2.8 0.2.9                JasonGross       curve25519-dalek                            2 files changed, 2 insertions(+), 2 deletions(-)
      NOTE: cargo vet import isrg would eliminate this
    cargo vet diff parity-scale-codec-derive 3.6.9 3.6.12
                                                          tdimitrov        parity-scale-codec                          2 files changed, 4 insertions(+), 4 deletions(-)
    cargo vet diff tower-fallback 0.2.41-beta.13 0.2.41-beta.14
                                                          arya2            zebra-consensus and tower-batch-control     2 files changed, 4 insertions(+), 4 deletions(-)
    cargo vet diff serde_derive 1.0.203 1.0.204           dtolnay          serde, criterion, serde_with, and 1 other   4 files changed, 5 insertions(+), 5 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust serde_derive or cargo vet trust --all dtolnay
    cargo vet diff parity-scale-codec 3.6.9 3.6.12        tdimitrov        impl-codec                                  3 files changed, 7 insertions(+), 4 deletions(-)
    cargo vet diff zcash_primitives 0.15.0 0.15.1         str4d            zebra-rpc, zcash_keys, and 6 others         3 files changed, 9 insertions(+), 2 deletions(-)
      NOTE: zcash and zcashd trust str4d - consider cargo vet trust zcash_primitives str4d
    cargo vet diff darling_macro 0.20.8 0.20.9            TedDriggs        darling                                     2 files changed, 8 insertions(+), 6 deletions(-)
    cargo vet diff prettyplease 0.2.19 0.2.20             dtolnay          bindgen, prost-build, and tonic-build       4 files changed, 17 insertions(+), 3 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust prettyplease or cargo vet trust --all dtolnay
    cargo vet diff tower-batch-control 0.2.41-beta.13 0.2.41-beta.14
                                                          arya2            zebra-consensus                             2 files changed, 15 insertions(+), 8 deletions(-)
    cargo vet diff utf8parse 0.2.1 0.2.2                  chrisduerr       anstream and anstyle-parse                  3 files changed, 18 insertions(+), 9 deletions(-)
    cargo vet diff parking_lot 0.12.2 0.12.3              Amanieu          tokio and howudoin                          4 files changed, 26 insertions(+), 2 deletions(-)
      NOTE: mozilla trusts Amanieu d'Antras (Amanieu) - consider cargo vet trust parking_lot Amanieu
    cargo vet diff regex-automata 0.4.6 0.4.7             BurntSushi       regex and globset                           10 files changed, 18 insertions(+), 12 deletions(-)
      NOTE: mozilla trusts Andrew Gallant (BurntSushi) - consider cargo vet trust regex-automata or cargo vet trust --all BurntSushi
    cargo vet diff either 1.11.0 1.12.0                   cuviper          rayon, which, itertools, and 2 others       5 files changed, 19 insertions(+), 15 deletions(-)
      NOTE: mozilla trusts Josh Stone (cuviper) - consider cargo vet trust either cuviper
    cargo vet diff anstyle-query 1.0.3 1.1.0              epage            anstream                                    3 files changed, 28 insertions(+), 9 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust anstyle-query or cargo vet trust --all epage
    cargo vet diff crc32fast 1.4.0 1.3.2                  srijs            flate2                                      5 files changed, 8 insertions(+), 29 deletions(-)
    cargo vet diff serde 1.0.203 1.0.204                  dtolnay          hex, ron, url, axum, bstr, and 55 others    7 files changed, 29 insertions(+), 8 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust serde or cargo vet trust --all dtolnay
    cargo vet diff prost-types 0.12.4 0.12.6              LucioFranco      console-api, prost-build, and 2 others      6 files changed, 17 insertions(+), 22 deletions(-)
    cargo vet diff memchr 2.7.2 2.7.4                     BurntSushi       nom, axum, bstr, pest, regex, and 7 others  4 files changed, 34 insertions(+), 8 deletions(-)
      NOTE: mozilla trusts Andrew Gallant (BurntSushi) - consider cargo vet trust memchr or cargo vet trust --all BurntSushi
    cargo vet diff metrics-exporter-prometheus 0.14.0 0.15.1
                                                          tobz             zebrad                                      4 files changed, 31 insertions(+), 15 deletions(-)
    cargo vet diff serde_with_macros 3.8.1 3.8.3          jonasbb          serde_with                                  4 files changed, 32 insertions(+), 18 deletions(-)
    cargo vet diff instant 0.1.12 0.1.13                  sebcrozet        indicatif, parking_lot, and 1 other         5 files changed, 43 insertions(+), 10 deletions(-)
    cargo vet diff libloading 0.8.3 0.8.4                 nagisa           clang-sys                                   4 files changed, 42 insertions(+), 13 deletions(-)
    cargo vet diff ryu 1.0.17 1.0.18                      dtolnay          serde_json, serde_yaml, and 1 other         4 files changed, 54 insertions(+), 4 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust ryu or cargo vet trust --all dtolnay
    cargo vet diff lz4-sys 1.9.4 1.9.5                    pmarks           librocksdb-sys                              5 files changed, 60 insertions(+), 4 deletions(-)
    cargo vet diff proc-macro-crate 2.0.0 3.1.0           bkchr            parity-scale-codec-derive                   4 files changed, 39 insertions(+), 31 deletions(-)
    cargo vet diff regex-syntax 0.8.3 0.8.4               BurntSushi       regex, globset, proptest, and 1 other       5 files changed, 43 insertions(+), 34 deletions(-)
      NOTE: mozilla trusts Andrew Gallant (BurntSushi) - consider cargo vet trust regex-syntax or cargo vet trust --all BurntSushi
    cargo vet diff console-api 0.6.0 0.7.0                hawkw            console-subscriber                          5 files changed, 75 insertions(+), 11 deletions(-)
    cargo vet diff tokio-macros 2.2.0 2.3.0               carllerche       tokio                                       6 files changed, 49 insertions(+), 40 deletions(-)
      NOTE: mozilla trusts Carl Lerche (carllerche) - consider cargo vet trust tokio-macros carllerche
    cargo vet diff metrics 0.22.3 0.23.0                  tobz             zebrad, zebra-state, and 4 others           11 files changed, 76 insertions(+), 16 deletions(-)
    cargo vet diff zebra-test 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad, zebra-rpc, and 9 others             4 files changed, 22 insertions(+), 81 deletions(-)
    cargo vet diff zebra-node-services 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad, zebra-rpc, and 4 others             3 files changed, 23 insertions(+), 82 deletions(-)
    cargo vet diff http-body-util 0.1.1 0.1.2             seanmonstar      metrics-exporter-prometheus                 9 files changed, 93 insertions(+), 15 deletions(-)
      NOTE: mozilla trusts Sean McArthur (seanmonstar) - consider cargo vet trust http-body-util or cargo vet trust --all seanmonstar
    cargo vet diff async-compression 0.4.9 0.4.11         NobodyXu         reqwest                                     13 files changed, 107 insertions(+), 4 deletions(-)
    cargo vet diff serde_json 1.0.117 1.0.120             dtolnay          zebrad, jsonrpc, reqwest, and 14 others     12 files changed, 72 insertions(+), 44 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust serde_json or cargo vet trust --all dtolnay
    cargo vet diff miniz_oxide 0.7.2 0.7.4                oyvindln         flate2 and backtrace                        4 files changed, 78 insertions(+), 51 deletions(-)
    cargo vet diff tinyvec 1.6.1 1.7.0                    Lokathor         bs58, zebrad, zebra-test, and 6 others      5 files changed, 132 insertions(+), 2 deletions(-)
    cargo vet diff clap_lex 0.7.0 0.7.1                   epage            clap_builder                                5 files changed, 108 insertions(+), 27 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust clap_lex or cargo vet trust --all epage
    cargo vet diff zeroize 1.7.0 1.8.1                    tarcieri         der, cipher, reddsa, bip0039, and 6 others  7 files changed, 116 insertions(+), 30 deletions(-)
    cargo vet diff regex 1.10.4 1.10.5                    BurntSushi       vergen, zebrad, bindgen, and 10 others      7 files changed, 128 insertions(+), 19 deletions(-)
      NOTE: mozilla trusts Andrew Gallant (BurntSushi) - consider cargo vet trust regex or cargo vet trust --all BurntSushi
    cargo vet diff log 0.4.21 0.4.22                      KodrAus          git2, ureq, rustls, zebrad, and 17 others   9 files changed, 107 insertions(+), 53 deletions(-)
    cargo vet diff darling 0.20.8 0.20.9                  TedDriggs        serde_with_macros                           12 files changed, 120 insertions(+), 57 deletions(-)
    cargo vet diff hyper 0.14.28 0.14.29                  seanmonstar      axum, tonic, zebrad, reqwest, and 4 others  7 files changed, 61 insertions(+), 135 deletions(-)
      NOTE: mozilla trusts Sean McArthur (seanmonstar) - consider cargo vet trust hyper or cargo vet trust --all seanmonstar
    cargo vet diff zebra-grpc 0.1.0-alpha.4 0.1.0-alpha.5
                                                          arya2            zebrad and zebra-scan                       6 files changed, 69 insertions(+), 129 deletions(-)
    cargo vet diff redox_syscall 0.5.1 0.5.2              4lDO2            parking_lot_core                            7 files changed, 209 insertions(+), 5 deletions(-)
    cargo vet diff crossbeam-channel 0.5.12 0.5.13        taiki-e          bellman, tracing-appender, and 2 others     9 files changed, 195 insertions(+), 28 deletions(-)
    cargo vet diff darling_core 0.20.8 0.20.9             TedDriggs        darling and darling_macro                   26 files changed, 145 insertions(+), 88 deletions(-)
    cargo vet diff proptest 1.4.0 1.5.0                   matthew-russo    zebrad, zebra-rpc, and 6 others             21 files changed, 237 insertions(+), 27 deletions(-)
    cargo vet diff zebra-utils 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad                                      5 files changed, 144 insertions(+), 124 deletions(-)
    cargo vet diff libc 0.2.154 0.2.155                   the8472          cc, mio, atty, git2, net2, and 38 others    8 files changed, 146 insertions(+), 137 deletions(-)
      NOTE: mozilla trusts Yuki Okushi (JohnTitor), who published another version of this crate - consider cargo vet trust libc JohnTitor
    cargo vet diff clap 4.5.4 4.5.8                       epage            zebrad, criterion, and abscissa_core        16 files changed, 209 insertions(+), 79 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust clap epage
    cargo vet diff url 2.5.0 2.5.2                        valenting        git2, ureq, reqwest, and 3 others           10 files changed, 198 insertions(+), 101 deletions(-)
    cargo vet diff zebra-network 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad and zebra-rpc                        11 files changed, 131 insertions(+), 178 deletions(-)
    cargo vet diff serde_with 3.8.1 3.8.3                 jonasbb          zebra-chain                                 19 files changed, 198 insertions(+), 136 deletions(-)
    cargo vet diff proptest-derive 0.4.0 0.5.0            matthew-russo    zebrad, zebra-scan, and 4 others            30 files changed, 252 insertions(+), 83 deletions(-)
    cargo vet diff num-traits 0.2.18 0.2.19               cuviper          fpe, chrono, plotters, and 5 others         12 files changed, 86 insertions(+), 265 deletions(-)
      NOTE: cargo vet import bytecode-alliance would eliminate this
      NOTE: cargo vet import isrg would eliminate this
      NOTE: mozilla trusts Josh Stone (cuviper) - consider cargo vet trust num-traits or cargo vet trust --all cuviper
    cargo vet diff zebra-state 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad, zebra-rpc, and 3 others             16 files changed, 167 insertions(+), 184 deletions(-)
    cargo vet diff clang-sys 1.7.0 1.8.1                  KyleMayes        bindgen                                     16 files changed, 266 insertions(+), 93 deletions(-)
    cargo vet diff getrandom 0.2.14 0.2.15                newpavlov        ring, ahash, nanorand, and 2 others         17 files changed, 158 insertions(+), 201 deletions(-)
      NOTE: cargo vet import isrg would eliminate this
    cargo vet diff clap_derive 4.5.4 4.5.8                epage            clap                                        18 files changed, 231 insertions(+), 154 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust clap_derive epage
    cargo vet diff metrics-util 0.16.3 0.17.0             tobz             metrics-exporter-prometheus                 5 files changed, 211 insertions(+), 185 deletions(-)
    cargo vet diff zebra-script 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebra-rpc and zebra-consensus               4 files changed, 173 insertions(+), 226 deletions(-)
    cargo vet diff zebra-scan 0.1.0-alpha.6 0.1.0-alpha.7
                                                          arya2            zebrad and zebra-utils                      10 files changed, 174 insertions(+), 240 deletions(-)
    cargo vet diff toml 0.8.13 0.8.14                     epage            zebrad and zebra-network                    8 files changed, 282 insertions(+), 164 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust toml epage
    cargo vet diff anyhow 1.0.83 1.0.86                   dtolnay          vergen and prost-derive                     8 files changed, 373 insertions(+), 102 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust anyhow or cargo vet trust --all dtolnay
    cargo vet diff h2 0.4.4 0.4.5                         seanmonstar      hyper                                       14 files changed, 432 insertions(+), 47 deletions(-)
      NOTE: mozilla trusts Sean McArthur (seanmonstar) - consider cargo vet trust h2 or cargo vet trust --all seanmonstar
    cargo vet diff toml_edit 0.20.7 0.21.1                epage            proc-macro-crate                            64 files changed, 369 insertions(+), 134 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust toml_edit epage
    cargo vet diff syn 2.0.66 2.0.69                      dtolnay          bindgen, async-trait, and 24 others         23 files changed, 349 insertions(+), 256 deletions(-)
      NOTE: mozilla trusts David Tolnay (dtolnay) - consider cargo vet trust syn or cargo vet trust --all dtolnay
    cargo vet diff clap_builder 4.5.2 4.5.8               epage            clap                                        36 files changed, 306 insertions(+), 319 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust clap_builder or cargo vet trust --all epage
    cargo vet diff camino 1.1.6 1.1.7                     sunshowers       cargo_metadata                              8 files changed, 769 insertions(+), 56 deletions(-)
    cargo vet diff zebra-consensus 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad and zebra-rpc                        19 files changed, 668 insertions(+), 174 deletions(-)
    cargo vet diff zebrad 1.7.0 1.8.0                     arya2                                                        12 files changed, 495 insertions(+), 386 deletions(-)
    cargo vet diff zebra-rpc 1.0.0-beta.37 1.0.0-beta.38  arya2            zebrad and zebra-utils                      25 files changed, 507 insertions(+), 433 deletions(-)
    cargo vet inspect atomic-waker 1.1.2                  notgull          h2                                          990 lines
    cargo vet diff cc 1.0.96 1.0.100                      rust-lang-owner  ring, lz4-sys, libz-sys, and 7 others       14 files changed, 580 insertions(+), 459 deletions(-)
      NOTE: cargo vet import bytecode-alliance would reduce this to a 951-line diff
      NOTE: mozilla trusts Amanieu d'Antras (Amanieu), who published another version of this crate - consider cargo vet trust cc Amanieu
    cargo vet diff toml_edit 0.22.13 0.22.14              epage            toml                                        14 files changed, 699 insertions(+), 442 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust toml_edit epage
    cargo vet diff uuid 1.8.0 1.9.1                       KodrAus          debugid and sentry-types                    18 files changed, 882 insertions(+), 290 deletions(-)
    cargo vet diff hyper-util 0.1.3 0.1.5                 seanmonstar      metrics-exporter-prometheus                 18 files changed, 1320 insertions(+), 88 deletions(-)
      NOTE: mozilla trusts Sean McArthur (seanmonstar) - consider cargo vet trust hyper-util or cargo vet trust --all seanmonstar
    cargo vet diff zebra-chain 1.0.0-beta.37 1.0.0-beta.38
                                                          arya2            zebrad, zebra-rpc, and 8 others             31 files changed, 775 insertions(+), 887 deletions(-)
    cargo vet diff winnow 0.6.7 0.6.13                    epage            toml_edit                                   48 files changed, 1397 insertions(+), 582 deletions(-)
      NOTE: mozilla trusts Ed Page (epage) - consider cargo vet trust winnow or cargo vet trust --all epage
    cargo vet diff petgraph 0.6.4 0.6.5                   indietyp         prost-build                                 47 files changed, 1828 insertions(+), 357 deletions(-)
    cargo vet diff httparse 1.8.0 1.9.4                   seanmonstar      hyper                                       18 files changed, 1776 insertions(+), 568 deletions(-)
      NOTE: mozilla trusts Sean McArthur (seanmonstar) - consider cargo vet trust httparse or cargo vet trust --all seanmonstar
    cargo vet diff itertools 0.13.0 0.12.1                jswrenn          bindgen, prost-build, and prost-derive      51 files changed, 1203 insertions(+), 2077 deletions(-)
      NOTE: cargo vet import bytecode-alliance would eliminate this
    cargo vet diff prost-build 0.12.4 0.12.6              LucioFranco      tonic-build                                 11 files changed, 1886 insertions(+), 1710 deletions(-)
    cargo vet diff tokio 1.37.0 1.38.0                    carllerche       h2, hyper, tonic, tower, and 29 others      127 files changed, 3272 insertions(+), 2072 deletions(-)
      NOTE: mozilla trusts Carl Lerche (carllerche) - consider cargo vet trust tokio carllerche
    cargo vet diff console-subscriber 0.2.0 0.3.0         hawkw            zebrad                                      44 files changed, 7777 insertions(+), 118 deletions(-)
    cargo vet diff unicode-width 0.1.12 0.1.13            Manishearth      clap, console, textwrap, and indicatif      10 files changed, 20260 insertions(+), 808 deletions(-)
      NOTE: mozilla trusts Alex Crichton (alexcrichton), who published another version of this crate - consider cargo vet trust unicode-width alexcrichton
    cargo vet diff linux-raw-sys 0.4.13 0.4.14            sunfishcode      rustix                                      76 files changed, 53425 insertions(+), 193 deletions(-)
      NOTE: mozilla trusts Dan Gohman (sunfishcode) - consider cargo vet trust linux-raw-sys or cargo vet trust --all sunfishcode
    cargo vet diff libz-sys 1.1.16 1.1.18                 Byron            libgit2-sys and librocksdb-sys              418 files changed, 577 insertions(+), 119792 deletions(-)
      NOTE: mozilla trusts Josh Triplett (joshtriplett), who published another version of this crate - consider cargo vet trust libz-sys joshtriplett

recommended audits for safe-to-run:
    Command                                        Publisher     Used By                    Audit Size
    cargo vet diff plotters-svg 0.3.5 0.3.6        AaronErhardt  plotters                   3 files changed, 6 insertions(+), 6 deletions(-)
    cargo vet diff plotters-backend 0.3.5 0.3.6    AaronErhardt  plotters and plotters-svg  7 files changed, 71 insertions(+), 64 deletions(-)
    cargo vet diff tracing-test 0.2.4 0.2.5        dbrgn         zebrad                     5 files changed, 207 insertions(+), 17 deletions(-)
    cargo vet diff tracing-test-macro 0.2.4 0.2.5  dbrgn         tracing-test               5 files changed, 212 insertions(+), 21 deletions(-)
    cargo vet diff plotters 0.3.5 0.3.6            AaronErhardt  criterion                  66 files changed, 850 insertions(+), 277 deletions(-)

estimated audit backlog: 246631 lines

Use |cargo vet certify| to record the audits.
alfredo@spaceship:~/zebra/pr8664/zebra$ 

@arya2 can you help me when you get a chance?

@arya2
Contributor

arya2 commented Jul 8, 2024

We could start by adding some of these to our list of trusted dependencies like those in this commit.

We could also self-certify the Zebra crates or add them as exemptions by running cargo vet certify zebra-chain 1.0.0-beta.38 or cargo vet add-exemption zebra-chain 1.0.0-beta.38

There are already many exemptions in supply-chain/audits.toml for dependency versions that Zebra was using before cargo vet was added; these were added automatically when running cargo vet init. We probably want to add all of the dependency versions on main as exemptions again (many dependencies were updated just before the 1.8.0 release). We could do that by editing the audits.toml file manually, or by running either:

  • cargo vet init again on main, copying over the exemptions to this branch, and running cargo vet prune to remove any unnecessary exemptions, or
  • cargo vet add-exemption for every dependency version that's already on main

Then we should be left with a much shorter list of untrusted, uncertified dependency versions. cargo vet recommends using cargo vet inspect or cargo vet diff to review the changes between the versions on crates.io. If there's an issue with sourcegraph, it might work with cargo vet inspect --mode=local {pkg} {version} (we could also review the diffs on GitHub and verify that the old and new version checksums are the same in Cargo.lock when using the git references instead of getting the crates from crates.io).

Once we've reviewed the changes between the dependency versions, we can run cargo vet certify to add the dependency at that version to the list of audited dependencies in audits.toml, and once everything is either trusted, exempt, or audited, cargo vet check should pass.
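The procedure above (find every dependency version that changed, review each one with cargo vet diff or cargo vet inspect, then cargo vet certify) starts from the lockfile. Below is an added Python example, not cargo-vet's or Zebra's code, that diffs the Cargo.lock from before and after a bump and prints the review command for each changed version. It also flags two things cargo vet cannot do from crates.io on its own: git or path sources (including the workspace's own zebra-* crates), which have to be read from the checkout, and a registry entry whose checksum changed without a version change, which should never happen for the same crates.io release. The two lockfiles, their checksums, and the crate names example-git-dep and stable-crate are constructed for the example.

```python
"""Cargo.lock review helper (added example; not part of cargo-vet or Zebra).
Emits the `cargo vet diff` / `cargo vet inspect` command for every package
version that changed between two lockfiles, and flags entries cargo vet
cannot fetch from crates.io or whose registry checksum changed in place."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    source: Optional[str]    # None for workspace (path) members
    checksum: Optional[str]  # only registry crates carry a checksum


@dataclass(frozen=True)
class Change:
    name: str
    old_version: Optional[str]  # None when the crate is new to the tree
    new_version: str
    source: Optional[str]
    checksum_changed: bool = False  # same version, different checksum

    def vet_command(self) -> str:
        if self.checksum_changed:
            return (f"# {self.name} {self.new_version}: checksum differs for "
                    "the same version; investigate before certifying")
        if self.old_version is None:
            return f"cargo vet inspect {self.name} {self.new_version}"
        return f"cargo vet diff {self.name} {self.old_version} {self.new_version}"

    def needs_manual_source_review(self) -> bool:
        # cargo vet fetches registry crates; git/path sources are read by hand.
        return self.source != CRATES_IO


_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_lockfile(text: str) -> Dict[Tuple[str, str], Package]:
    """Minimal Cargo.lock reader: keeps the string-valued keys of each
    [[package]] block and skips the multi-line `dependencies` array."""
    packages: Dict[Tuple[str, str], Package] = {}
    block: Optional[dict] = None

    def flush() -> None:
        if block and "name" in block and "version" in block:
            pkg = Package(block["name"], block["version"],
                          block.get("source"), block.get("checksum"))
            packages[(pkg.name, pkg.version)] = pkg

    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            flush()
            block = {}
        elif block is not None:
            m = _KV.match(line)
            if m:
                block[m.group(1)] = m.group(2)
    flush()
    return packages


def lockfile_changes(old_text: str, new_text: str) -> List[Change]:
    old, new = parse_lockfile(old_text), parse_lockfile(new_text)
    removed: Dict[str, List[str]] = defaultdict(list)
    for name, version in old:
        if (name, version) not in new:
            removed[name].append(version)
    changes: List[Change] = []
    for (name, version), pkg in sorted(new.items()):
        if (name, version) in old:
            if old[(name, version)].checksum != pkg.checksum:
                changes.append(Change(name, version, version, pkg.source, True))
            continue
        prior = removed.get(name, [])
        # One vanished version is an unambiguous upgrade to diff against;
        # a brand-new crate (or several old copies) is inspected in full.
        changes.append(Change(name, prior[0] if len(prior) == 1 else None,
                              version, pkg.source))
    return changes


def review_plan(old_text: str, new_text: str) -> List[str]:
    """One shell line per change, to work through before `cargo vet certify`."""
    plan = []
    for c in lockfile_changes(old_text, new_text):
        note = ""
        if c.needs_manual_source_review():
            note = f"   # source={c.source or 'path'}: review the checkout by hand"
        plan.append(c.vet_command() + note)
    return plan


def _entry(name: str, version: str, source: Optional[str] = CRATES_IO,
           checksum: Optional[str] = None, deps: Tuple[str, ...] = ()) -> str:
    """Build one [[package]] block; checksums are constructed placeholders."""
    lines = ["[[package]]", f'name = "{name}"', f'version = "{version}"']
    if source:
        lines.append(f'source = "{source}"')
    if source == CRATES_IO:
        lines.append(f'checksum = "{checksum or f"constructed-{name}-{version}"}"')
    if deps:
        lines += ["dependencies = ["] + [f' "{d}",' for d in deps] + ["]"]
    return "\n".join(lines) + "\n\n"


GIT = "git+https://example.invalid/dep.git#constructed"  # constructed source
OLD_LOCK = "version = 3\n\n" + _entry("serde", "1.0.203", deps=("serde_derive",)) \
    + _entry("tokio", "1.37.0") + _entry("syn", "1.0.109") + _entry("syn", "2.0.66") \
    + _entry("zebra-chain", "1.0.0-beta.37", source=None) \
    + _entry("example-git-dep", "0.1.0", source=GIT) \
    + _entry("stable-crate", "2.0.0", checksum="constructed-a")
NEW_LOCK = "version = 3\n\n" + _entry("serde", "1.0.204", deps=("serde_derive",)) \
    + _entry("tokio", "1.38.0") + _entry("syn", "1.0.109") + _entry("syn", "2.0.69") \
    + _entry("zebra-chain", "1.0.0-beta.38", source=None) \
    + _entry("example-git-dep", "0.1.1", source=GIT) \
    + _entry("stable-crate", "2.0.0", checksum="constructed-b") \
    + _entry("atomic-waker", "1.1.2")

if __name__ == "__main__":
    print("\n".join(review_plan(OLD_LOCK, NEW_LOCK)))
```

Run it against the real before/after lockfiles (for example, git show main:Cargo.lock versus the branch's Cargo.lock) and the output is the ordered list of cargo vet commands to work through; the flagged checksum case is the one to stop on, since a crates.io release is immutable and its lockfile checksum should only ever change together with the version.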

@oxarbitrage
Contributor

Ok, thank you for the details. I did some of that, pushed the supply_chain and now we are green:

alfredo@spaceship:~/zebra/pr8664/zebra$ cargo vet
Vetting Succeeded (83 fully audited, 10 partially audited, 491 exempted)
alfredo@spaceship:~/zebra/pr8664/zebra$ 

Can you take a look at #8664 (comment) when you get a chance and let me know what you think. Thanks!

arya2
arya2 previously approved these changes Jul 10, 2024
mergify bot added a commit that referenced this pull request Jul 10, 2024
mergify bot added a commit that referenced this pull request Jul 10, 2024
@oxarbitrage oxarbitrage requested a review from arya2 July 10, 2024 17:08
@oxarbitrage
Contributor

@Mergifyio refresh

Contributor

mergify bot commented Jul 10, 2024

refresh

✅ Pull request refreshed

mergify bot added a commit that referenced this pull request Jul 10, 2024
@mergify mergify bot merged commit f3c2e19 into main Jul 10, 2024
190 checks passed
@mergify mergify bot deleted the dependabot/cargo/prod-7b09b6ee0f branch July 10, 2024 18:49
@arya2 arya2 mentioned this pull request Aug 1, 2024
43 tasks
Labels
A-dependencies Area: Dependency file updates A-rust Area: Updates to Rust code C-trivial Category: A trivial change that is not worth mentioning in the CHANGELOG P-Low ❄️