Patrick Elsen
hyper@1.10.1 · 1 finding
hyper 1.10.1 is a low-level HTTP/1 and HTTP/2 protocol implementation. No build.rs, no proc macros, no I/O of its own — sockets are delegated to user-supplied rt::Read/Write impls. HTTP/1 headers go through httparse; the chunked decoder uses checked arithmetic with bounded header/extension/trailer limits. unsafe is used in 16 files for MaybeUninit, pin projection, the C ABI, and tokio compat. One low-severity finding: some crate-internal unsafe fn helpers omit # Safety sections.
mio@1.2.1 · 3 findings
Audit of mio 1.2.1, the low-level non-blocking I/O library underlying tokio. Matches upstream Git byte-for-byte. No build script, no crypto, no subprocess spawn, no env reads. Capability surface is the kernel sockets/pipes/readiness APIs the crate exists to wrap, with ~114 tightly-scoped unsafe blocks each wrapping a single OS call. Three low-severity findings: a documented-but-not-present epoll race, scope statement on the soundness boundary, and the panicking shell backend when os-poll is off.
socket2@0.6.4
socket2 0.6.4 is the rust-lang FFI wrapper over the platform socket API: Socket, SockAddr, SockRef, TcpKeepalive, plus MsgHdr/MaybeUninitSlice. Source matches upstream byte-for-byte. ~240 unsafe sites, all behind a single syscall! macro per back-end (libc on Unix/WASI, windows-sys on Windows); fd/SOCKET lifetimes delegated to libstd's OwnedFd/OwnedSocket. No filesystem, env, exec, crypto, or concurrency primitives implemented. No findings.
zerocopy@0.8.50 · 4 findings
Audit of zerocopy 0.8.50, Google's Rust library for safe byte/typed-value transmutation. Matches upstream Git byte-for-byte. Capability surface outside unsafe is small: a build.rs reads Cargo.toml and runs rustc --version; no network, no runtime FS/exec/env, no crypto. ~1249 unsafe occurrences governed by a documented soundness policy, lint-enforced safety comments, and Kani proofs. Four low-severity findings: test-only unsoundness, documentation gap, scope statement, build-script note.
toml_edit@0.25.12+spec-1.1.0 · 1 finding
toml_edit 0.25.12+spec-1.1.0 is a format-preserving TOML parser/editor. No unsafe, no I/O, no concurrency; the byte-level lexer is delegated to toml_parser. Parsing bounds recursion at depth 80 by default; numeric overflow surfaces as TomlError. Tested via the language-neutral toml-test suite, proptests, and an upstream libfuzzer target. One low-severity finding: the unbounded Cargo feature, which disables the recursion guard, is undocumented.
zerocopy-derive@0.8.50
zerocopy-derive 0.8.50 is the proc-macro companion to zerocopy: 10 derives (KnownLayout, Immutable, TryFromBytes, FromZeros/FromBytes, IntoBytes, Unaligned, ByteHash, ByteEq, SplitAt) emitting unsafe-trait impls based on type shape and #[repr(...)]. Source matches upstream byte-for-byte. The proc-macro runs pure safe Rust — no I/O, no unsafe in its executable path. Coverage is broad: 35 integration tests, 26 trybuild UI tests, 21 golden-output tests. No findings.
uuid@1.23.2 · 1 finding
uuid 1.23.2 generates, parses, and formats RFC 9562 UUIDs (v1-v8) with optional serde/borsh/bytemuck/zerocopy/slog/arbitrary integrations; #![no_std] by default. Source matches upstream byte-for-byte. Nine unsafe blocks — ASCII-only from_utf8_unchecked and the NonNilUuid niche — each documented and sound. MD5/SHA-1 via md-5/sha1_smol for v3/v5; entropy via getrandom/rand/WebCrypto. One low-severity finding: a redundant unsafe block in the error path.
memchr@2.8.1
memchr 2.8.1 is a #![no_std] library providing SIMD-accelerated byte and substring search (Two-Way, Rabin-Karp, Shift-Or, plus per-arch SSE2/AVX2/NEON/simd128). No build.rs, no proc macros, no I/O, two optional deps. The crate uses extensive unsafe for SIMD intrinsics and raw-pointer loops, but every boundary carries a # Safety block, quickcheck property tests check each implementation against a naive reference, and the upstream tree has miri configuration and 8 cargo-fuzz targets. No findings.
shlex@2.0.1 · 2 findings
Audit of shlex 2.0.1, a small POSIX-shell-word splitter/quoter (split, try_quote, try_join, Shlex iterator). Matches upstream Git byte-for-byte; no dependencies, no I/O, no concurrency, no build script. The byte-level parser is panic-free and the string-typed unsafe UTF-8 wrappers in lib.rs are sound. Two informational findings: a documented threat-model caveat (output not safe for interactive shells) and the soundness analysis for the unsafe blocks. Includes the RUSTSEC-2024-0006 fix.
typenum@1.20.1 · 1 finding
typenum 1.20.1 is a #![no_std] library that encodes integers in the Rust type system for compile-time arithmetic, comparison, and bitwise operations. No build.rs, no proc macros, no unsafe (enforced via forbid(unsafe_code)), no runtime I/O, one optional dependency (scale-info). Code matches upstream VCS byte-for-byte; generated constants and ~1700 integration tests are checked in. One low-severity finding: CHANGELOG header advertises stale MSRV (1.37.0 vs. actual 1.41.0).
inquire@0.9.4 · 5 findings
Audit of inquire 0.9.4, a Rust library for interactive terminal prompts (Text, Editor, DateSelect, Select/MultiSelect, Confirm, CustomType, Password). Matches upstream Git byte-for-byte; ships no binaries, no build.rs, no unsafe. Five low-severity findings: a dead enum_support module, an unreachable NaiveDate-overflow panic in date navigation, a minor password-handling note (no constant-time compare or zeroize), an unreachable panic! in date_utils, and an editor-subprocess note.
serde_test@1.0.177 · 1 finding
serde_test 1.0.177 is a test helper for the serde crate: assert_tokens/assert_ser_tokens/assert_de_tokens over a Token enum mirroring serde's data model. Pure safe Rust, no unsafe, no FFI, no I/O, no concurrency, one runtime dependency (serde). Source matches upstream byte-for-byte modulo cargo's normal Cargo.toml normalisation. One low-severity finding: no in-tree #[test] items — coverage is via doctests and the separate serde test suite.
displaydoc@0.2.6 · 3 findings
displaydoc 0.2.6 is a small proc-macro crate that derives core::fmt::Display from /// doc comments. No build.rs, no binaries, no unsafe, no I/O; the only execution surface is the derive itself, a pure token-stream transformation over syn/quote/proc-macro2. Three findings: one medium correctness bug (#[doc(hidden)] panics the macro with "not implemented") and two low quality issues (panic!/expect in place of spanned syn errors; trybuild .stderr files excluded from the published crate).
libredox@0.1.17 · 3 findings
libredox 0.1.17 is a thin Rust wrapper around the Redox kernel's stable C ABI: ~37 extern "C" syscalls (FDs, processes, signals, namespaces, mmap, time) plus a protocol module of call-number enums and C-layout structs. The crate matches its upstream commit, ships no binaries, build script, or proc-macro, and contains no network, exec, env, crypto, or concurrency code. Three low-severity findings: two unsafe helpers lack safety comments, and no test suite ships.
compact_str@0.9.1 · 1 finding
Audit of compact_str 0.9.1, a Rust small-string-optimization library exposing CompactString, a 24-byte (12 on 32-bit) String replacement with three internal variants discriminated by the last byte. Heavy unsafe use, but every site is justified and exercised by property tests, quickcheck, libFuzzer, AFL++, and miri in CI. One low-severity correctness finding (FINDING-1): f32/f64 to_compact_string formatting diverges from std::fmt on powerpc64.
cc@1.2.63 · 2 findings
Audit of cc 1.2.63, a Cargo build-time helper that orchestrates native C/C++/CUDA/assembly compilation. All process spawning is argv-form with no shell, writes are confined to OUT_DIR, environment access goes through a clippy-enforced cache-aware helper, and the small unsafe surface is documented and minimal. No crypto, network, or install/build-time code execution. Two low-severity quality findings on unwrap/expect panics over environment inputs and a non-CSPRNG tempfile name.
rustls@0.23.40
rustls 0.23.40 is a #![no_std], #![forbid(unsafe_code)] TLS 1.2/1.3 library; published source is byte-identical to VCS. No unsafe, no FFI, no I/O beyond opt-in SSLKEYLOGFILE. Record-layer sequence limits, oversized-record rejection, and the RFC 8446 downgrade sentinel are present. Crypto primitives and cert validation are delegated to the provider and rustls-webpki (scoped out). No findings.
aws-lc-rs@1.17.0
aws-lc-rs 1.17.0 is Amazon's safe-Rust, ring-compatible crypto API: a typed FFI wrapper over the vendored AWS-LC C library, used as a rustls provider. Source is byte-equivalent to upstream. Crypto is implemented in C, not Rust; the Rust attack surface is 354 FFI unsafe blocks, with no network, filesystem, process, or runtime-environment access and a small benign build script. The AEAD, RNG, pointer, and key-zeroization paths reviewed are sound. C-library correctness was out of scope. No findings.
curve25519-dalek@4.1.3
curve25519-dalek 4.1.3 implements Curve25519 / ristretto255 group arithmetic for X25519 and Ed25519. 37 unsafe sites, almost all AVX2/AVX512-IFMA intrinsics in the SIMD backend gated by cpufeatures CPUID dispatch, were reviewed and hold; no I/O at run time. No findings. Field-arithmetic correctness and constant-time resistance were scoped out and left unasserted.
ring@0.17.14 · 1 finding
ring 0.17.14 is the BoringSSL-backed crypto library used by rustls (AEAD, digests, HMAC/HKDF, ECDH, ECDSA, Ed25519, RSA). Scoped audit: supply-chain integrity confirmed against the tagged commit and the build script touches no network and writes only to OUT_DIR. One low-severity finding: 17 pre-assembled Windows object files ship in pregenerated/. Cryptographic correctness and constant-timeness of the vendored C/asm were out of scope.
encoding_rs@0.8.35 · 1 finding
encoding_rs 0.8.35 implements the WHATWG Encoding Standard (UTF-8/16, legacy CJK and single-byte decoders) with SIMD-accelerated conversion loops. Byte-equivalent to VCS, no I/O and no build-time execution. One low-severity quality finding: per-block unsafe SAFETY documentation is uneven. Exhaustive review of all 271 unsafe blocks and full WHATWG conformance were scoped out.
tokio@1.52.3
tokio 1.52.3, Rust's async runtime (work-stealing scheduler, mio reactor, timers, sync primitives). Scoped audit: contents are byte-equivalent to upstream git, no build/install-time execution, all I/O feature-gated and off by default. The work-stealing queue, task vtable, and refcount state machine were read and found sound and documented. No findings; exhaustive unsafe and full loom review across ~1,036 unsafe sites left unasserted.
libc@0.2.186
libc 0.2.186 provides raw FFI bindings to platform C standard library interfaces for 80+ target triples. The published crate is byte-for-byte identical to VCS (excluding Cargo normalization). The build script detects ABI variants via rustc/host-tool version probing and emits only cfg directives. No runtime I/O, no crypto, no concurrency, no dependencies beyond an optional rustc-std shim. Unit tests cover the macro helpers. No findings.
fiat-crypto@0.2.9
fiat-crypto 0.2.9 is the machine-generated, formally-verified Rust extraction of the Fiat Cryptography project: field-arithmetic primitives for P-224, P-256, P-384, P-521, Curve25519, secp256k1, p434, and Poly1305. VCS byte-equivalence holds. No unsafe code, no I/O, no build-time execution, no dependencies, and no binary artefacts. No findings. Correctness and constant-time claims are left unasserted; the upstream Coq proofs are the documented correctness evidence.
aws-lc-sys@0.41.0 · 1 finding
aws-lc-sys 0.41.0 is the FFI binding crate for AWS-LC, vendoring the full C crypto library and a substantial build system. The build makes no network requests, compiles only from vendored sources, and writes only to OUT_DIR under normal invocation. 26 prebuilt NASM objects for Windows x86_64 match VCS copies byte-for-byte. One low-severity finding: a developer-only mode writes generated bindings to the source tree. The vendored C crypto and 12,500 auto-generated unsafe blocks are out of scope.
linux-raw-sys@0.12.1
linux-raw-sys 0.12.1 ships pre-generated rust-bindgen UAPI bindings for ~20 Linux architectures; the published crate is byte-equivalent to the tagged VCS source. No build-time execution, no binaries, no I/O. Unsafe evaluation claims are scoped out due to ~480K LOC of machine-generated code; five manually-written unsafe fns in lib.rs are the only hand-authored unsafe code. No findings.
web-sys@0.3.99
web-sys 0.3.99 is a machine-generated crate of wasm-bindgen FFI declarations covering the full browser Web API surface (1,706 files, ~212K LOC). No build script, no binaries, no I/O. The 17 unsafe fn declarations are all documented and follow a uniform u8-slice-lifetime pattern with safe alternatives generated alongside. No findings.
windows-sys@0.48.0
windows-sys 0.48.0 is Microsoft's machine-generated raw FFI binding crate for the Windows API (~16,800 extern declarations, ~497K LOC). The published source is byte-identical to the VCS at the pinned commit. No unsafe blocks in crate-owned code, no build-time execution, no I/O, no tests in the published artifact, and a single dependency on windows-targets. No findings were raised.
windows-sys@0.52.0
windows-sys 0.52.0 is Microsoft's machine-generated raw FFI bindings to the Windows API (~385K LOC, 3,411 extern declarations). VCS byte-equivalence holds. No binary artifacts, no build-time execution, no runtime capability surface in the crate body. No findings.
windows-sys@0.60.2
windows-sys 0.60.2 is Microsoft's machine-generated crate of raw FFI bindings to the Windows API and WDK (~334K LOC). No build script, no install hooks, no binaries, no tests, and no I/O in the Rust body; unsafe appears only in FFI type signatures. The unsafe-safe, unsafe-documented, and unsafe-minimal claims were not evaluated due to the volume (~8,925 occurrences). A VCS diff could not be made against the pinned commit. No findings.
winapi@0.3.9
winapi 0.3.9 is a large collection of raw FFI bindings for the Windows API (~180K LOC, ~400 generated header files). The build script reads CARGO_FEATURE_* and two optional env vars to emit link-library directives; it makes no network requests and spawns no processes. The published source matches the tagged VCS commit byte-for-byte. No findings were raised. The unsafe sub-claims were left unasserted due to the scale of machine-generated binding code.
windows-sys@0.61.2
windows-sys 0.61.2 is Microsoft's raw FFI binding crate for the Windows API, consisting almost entirely of machine-generated extern "system" declarations and constants. No findings were raised; unsafe sub-claims were left unasserted due to 8,925 generated unsafe items (scoped audit).
rustix@1.1.4 · 1 finding
rustix 1.1.4 provides memory-safe and I/O-safe wrappers over POSIX/Linux/Winsock syscalls, with a libc-free linux_raw inline-asm backend. The audit read the syscall-argument safety system (typed register marshalling, error-range decoding, unsafe trait ABI contracts) and found one low-severity quality issue: per-block unsafe safety comments are inconsistent across the syscall modules.
nix@0.29.0
nix 0.29.0 wraps the Unix/POSIX syscall API over libc with about 825 focused unsafe FFI sites. Reviewed high-risk paths (cmsg decode, sockaddr length handling, mmap, fork/exec, signal transmutes) uphold their libc preconditions; source is byte-identical to VCS and build.rs is inert. No findings.
regex-syntax@0.8.10
regex-syntax 0.8.10 parses regular expressions into an AST and translates them to an HIR, with #![forbid(unsafe_code)], no I/O, and one optional off-by-default dependency. Parsing, traversal, the nest-limit check, and the destructors are all iterative, so deeply nested patterns bound stack usage to a constant; repetition counts are validated as u32. No findings.
futures-util@0.3.32 · 1 finding
futures-util 0.3.32: combinators for Future/Stream/Sink, FuturesUnordered, BiLock, async Mutex, IO adapters, and futures-0.1 compat. The 135 unsafe blocks concentrate in Pin projection (MaybeDone, JoinAll, Shared), FuturesUnordered's lock-free task list and MPSC ready queue, and BiLock's AtomicPtr state machine. All reviewed invariants hold. No loom or sanitizer testing exists for concurrent primitives (concurrency-impl-tested, unsafe-tested). No binaries, build scripts, or network/filesystem/exec access.
time@0.3.47
time 0.3.47 is a date/time library (~25 KLOC) implementing calendar arithmetic, formatting, and parsing. All 105 unsafe blocks carry safety comments and their invariants hold; the RUSTSEC-2020-0071 localtime thread-safety issue is addressed via thread-count gating. No findings.
regex-automata@0.4.14
regex-automata 0.4.14 is the linear-time finite-automata engine behind the regex crate, with a constant-time DFA serialization format. Read 64.5K LOC; the 57 unsafe sites cluster in the from_bytes deserialization casts (guarded by a documented validation chain over untrusted bytes), the bounds-elided DFA search loops, and a sharded object pool. No findings.
moka@0.12.15 · 1 finding
moka 0.12.15 is a W-TinyLFU concurrent cache with sync and async variants; 141 unsafe sites span an intrusive LRU deque, a custom MiniArc, and a lock-free epoch-reclaimed hash table. One low-severity correctness finding: the is_dirty dirty-entry check reads two atomics with Relaxed ordering before an Acquire fence, imprecisely ordering the loads. No I/O, no FFI, no build-time execution.
syn@2.0.117 · 1 finding
syn 2.0.117 is a #![no_std] recursive-descent parser for Rust source, used by most proc-macros. Its unsafe is concentrated in one heavily documented module, the Cursor over a flat TokenBuffer, whose offset encoding keeps pointer arithmetic in-bounds. One low-severity finding: unbounded parser recursion can stack-overflow at compile time on adversarially nested input.
wasmparser@0.244.0
wasmparser 0.244.0 is the bytecodealliance WebAssembly binary parser and validator. The audit read the binary reader, validator core, and resource-limit code; LEB128 decoding rejects overlong and out-of-range encodings, section and count fields are bounds-checked with lazy per-item iteration, and validator limits use checked arithmetic. One documented unsafe transmute over a #[repr(transparent)] type. No findings.
quinn-proto@0.11.14 · 1 finding
quinn-proto 0.11.14 is the sans-I/O QUIC protocol state machine (RFC 9000). The codebase contains exactly five unsafe blocks, all calling VarInt::from_u64_unchecked with structurally bounded values; the invariants hold but lack SAFETY comments (one low-severity finding). The anti-amplification limit, retry/validation token handling, frame parser, and stream-count enforcement were reviewed and are correct. Crypto is delegated to rustls. Four fuzz targets cover the untrusted-input surface.
quick-xml@0.39.4
quick-xml 0.39.4 is a pull-based XML reader/writer with optional serde and tokio support. The crate uses #![forbid(unsafe_code)], has no network access, and does not resolve external entities or expand DTD-declared entities, eliminating XXE and billion-laughs risks at the library level. No findings were recorded.
chrono@0.4.44
chrono 0.4.44 is a date and time library implementing timezone-aware and timezone-naive types, strftime-style formatting and parsing, and local timezone resolution. No findings were identified. The 11 unsafe sites are narrow and correctly bounded; the historical localtime_r thread-safety issue (RUSTSEC-2020-0159) is resolved since 4.20 via pure-Rust TZif parsing. Arithmetic overflow is handled via checked arithmetic throughout.
winnow@1.0.3
winnow 1.0.3 is a zero-copy parser-combinator library (successor to nom). All 44 unsafe sites are in src/stream/, covering a repr(transparent) transmute and get_unchecked slice operations whose invariants are documented and enforced by callers. Miri runs in upstream CI. No findings.
clap_builder@4.6.0 · 1 finding
clap_builder 4.6.0 is the runtime engine behind clap. The entire 29 K-line codebase is safe Rust (#![forbid(unsafe_code)]), with no build scripts, no binary artefacts, and no network or filesystem access. One low-severity correctness finding: display_width misidentifies non-ESC ASCII control characters as ANSI sequences, producing incorrect help-text line widths. All other areas — the argument parser, FlatMap data structure, and did-you-mean algorithm — are sound and well-tested.
h2@0.4.14
h2 0.4.14 implements HTTP/2 (RFC 9113) as an async client and server library. One unsafe block with a documented and sound invariant. Active mitigations for HPACK bomb, CONTINUATION flooding, and Rapid Reset (CVE-2023-44487) are present by default. Flow-control arithmetic uses checked operations. No findings.
tracing-subscriber@0.3.23 · 1 finding
tracing-subscriber 0.3.23 implements the Layer composition API, span Registry (sharded slab), EnvFilter directive parser, and fmt output layers for the tracing ecosystem. All 25 unsafe blocks implement downcast_raw with documented invariants; no pointers are dereferenced beyond type-checked reference casts. One low-severity quality finding: regex field-value matching in EnvFilter is enabled by default, presenting a ReDoS surface if filter strings come from untrusted inputs.