Bug 1982003 - Upgrade allocator-api2 to 0.2.21. a=RyanVM

The issue that made us fork the crate locally was actually fixed upstream in 0.2.21. Original Revision: https://phabricator.services.mozilla.com/D264361 Differential Revision: https://phabricator.services.mozilla.com/D264536
2025-09-25 19:54:59 +00:00
parent 713f5caf2d
commit 40dc24686f
17 changed files with 342 additions and 132 deletions
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -652,6 +652,11 @@ who = "Nicolas Silva <nical@fastmail.com>"
 criteria = "safe-to-deploy"
 version = "0.2.18"

+[[audits.allocator-api2]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.2.20 -> 0.2.21"
+
 [[audits.alsa]]
 who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -19,10 +19,6 @@ url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/au
 [imports.mozilla]
 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

-[policy.allocator-api2]
-audit-as-crates-io = true
-notes = "This is the upstream code without the Box implementation which may have a soundness issue."
-
 [policy.any_all_workaround]
 audit-as-crates-io = true
 notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209."
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -1,10 +1,6 @@

 # cargo-vet imports lock

-[[unpublished.allocator-api2]]
-version = "0.2.999"
-audited_as = "0.2.20"
-
 [[publisher.aho-corasick]]
 version = "1.1.0"
 when = "2023-09-18"