Deps.rs

acorn-lib 0.1.52

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate acorn-lib

Dependencies

(54 total, 10 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 aho-corasick^1.1.41.1.4up to date
 ariadne^0.6.00.6.0up to date
 bat^0.26.00.26.1up to date
 bon^3.8.13.9.1up to date
 chrono^0.4.420.4.44up to date
 color-eyre^0.6.50.6.5up to date
 comfy-table^7.2.17.2.2up to date
 console^0.16.10.16.3up to date
 convert_case^0.11.00.11.0up to date
 data-encoding^2.10.02.11.0up to date
 derive_more^2.1.12.1.1up to date
 directories^6.0.06.0.0up to date
 dotenvy^0.15.00.15.7up to date
 duct^1.1.01.1.1up to date
 fancy-regex^0.17.00.18.0out of date
 flate2^1.1.51.1.9up to date
 glob^0.3.10.3.3up to date
 hashbrown^0.16.00.17.1out of date
 human-units^0.5.30.5.3up to date
 is_executable^1.0.51.0.5up to date
 itertools^0.14.00.14.0up to date
 lazy_static^1.5.01.5.0up to date
 lychee-lib^0.23.00.24.2out of date
 nanoid^0.4.00.5.0out of date
 nucleo-matcher^0.3.10.3.1up to date
 owo-colors^4.2.34.3.0up to date
 percy-dom^0.10.00.10.1up to date
 petgraph^0.8.30.8.3up to date
 polars^0.51.00.53.0out of date
 quick-xml^0.39.10.40.0out of date
 rayon^1.10.01.12.0up to date
 reqwest^0.13.20.13.3up to date
 ring^0.17.140.17.14up to date
 rust-embed^8.11.08.11.0up to date
 rust-ini^0.21.30.21.3up to date
 schemars^1.0.41.2.1up to date
 secrecy^0.8.00.10.3out of date
 serde^1.0.2251.0.228up to date
 serde_json^1.0.1491.0.149up to date
 serde_repr^0.10.1.20up to date
 serde_trim^1.1.01.1.0up to date
 serde_with^3.15.13.20.0up to date
 serde_yml^0.0.120.0.12up to date
 similar^2.7.03.1.0out of date
 sysinfo^0.38.20.39.1out of date
 tar ⚠️^0.4.440.4.45maybe insecure
 tera^1.20.01.20.1up to date
 tokio^1.48.01.52.3up to date
 tracing^0.1.400.1.44up to date
 uriparse^0.6.40.6.4up to date
 urlencoding^2.1.32.1.3up to date
 validator^0.20.00.20.0up to date
 which^8.0.08.0.2up to date
 zip^6.0.08.6.0out of date

Dev dependencies

(5 total, 1 outdated)

CrateRequiredLatestStatus
 insta^1.42.01.47.2up to date
 mockall^0.14.00.14.0up to date
 pretty_assertions^1.4.11.4.1up to date
 similar-asserts^1.7.02.0.0out of date
 temp-env^0.3.60.3.6up to date

Security Vulnerabilities

tar: `unpack_in` can chmod arbitrary directories by following symlinks

RUSTSEC-2026-0067

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root.

This issue has been fixed in version 0.4.45.

tar: tar-rs incorrectly ignores PAX size headers if header size is nonzero

RUSTSEC-2026-0068

Versions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.

As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.

Any discrepancy in how tar parsers honor file size can be used to create archives that appear differently when unpacked by different archivers. In this case, the tar-rs (Rust tar) crate is an outlier in checking for the header size — other tar parsers (including e.g. Go archive/tar) unconditionally use the PAX size override. This can affect anything that uses the tar crate to parse archives and expects to have a consistent view with other parsers.

This issue has been fixed in version 0.4.45.