mozilla/gecko-dev
Vendored third-party code
Firefox vendors a substantial number of third-party libraries directly into the tree. This page is a partial map of where to look.
Big-ticket vendored projects
| Path | What |
|---|---|
security/nss/ |
NSS: Mozilla's own, tracked from upstream |
security/sandbox/chromium/ |
Chromium sandbox library (Windows) |
gfx/skia/ |
Skia 2D graphics |
gfx/cairo/ |
Cairo (legacy) |
gfx/harfbuzz/ |
HarfBuzz text shaping |
gfx/angle/ |
ANGLE (WebGL → DirectX on Windows) |
gfx/qcms/ |
qcms color management |
media/libwebrtc/ |
libwebrtc fork |
media/libdav1d/, media/libavif/, media/libvpx/, media/libopus/, media/libvorbis/, media/libtheora/ |
Codec libraries |
media/libcubeb/ |
Cubeb (cross-platform audio) |
xpcom/build/PoisonIOInterposer* |
Detours / function interception (Windows) |
servo/ |
Stylo + selectors + style traits (Rust) |
gfx/wr/ |
WebRender (Rust) |
extensions/spellcheck/hunspell/ |
Hunspell spellchecker |
third_party/python/ |
Python deps |
third_party/rust/ |
Vendored Rust crates |
third_party/aom/, third_party/dav1d/, … |
Some additional codecs |
other-licenses/ |
Code under non-MPL licenses (e.g., bsdiff, ply) |
Updating vendored code
Most projects have a per-tree mach vendor subcommand:
./mach vendor rust
./mach vendor python
# project-specific scripts under media/, third_party/, gfx/skia/Each vendored library has a moz.yaml (or similar manifest) at its root describing the upstream and how to update.
Supply chain audit
Rust crates go through cargo-vet. Configuration lives in supply-chain/config.toml, audits in audits.toml, imports in imports.lock.
Related
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.