This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate actix-diesel

Dependencies

(9 total, 6 outdated, 1 possibly insecure)

Crate          Required   Latest    Status
actix          ^0.7.9     0.13.3    out of date
actix-web      ^0.7.18    4.5.1     out of date
derive_more    ^0.13.0    0.99.17   out of date
diesel ⚠️      ^1.4.1     2.1.5     out of date
failure        ^0.1.5     0.1.8     up to date
futures        ^0.1.25    0.3.30    out of date
num_cpus       ^1.9.0     1.16.0    up to date
once_cell      ^0.1.7     1.19.0    out of date
r2d2           ^0.8.3     0.8.10    up to date

Security Vulnerabilities

diesel: Fix a use-after-free bug in diesel's SQLite backend

RUSTSEC-2021-0037

We've misused sqlite3_column_name. The SQLite documentation states the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalidates the pointer and therefore the stored string slice.
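The lifetime contract above, and the copy-before-step fix it calls for, as an added example that is not diesel's or the advisory's code. It uses a constructed `FakeStmt` stand-in instead of a real `sqlite3_stmt` so it runs without linking SQLite; the stand-in reallocates its column-name storage on the first `step()`, which is the behaviour the documentation permits.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

/// Constructed stand-in for a prepared statement (not sqlite3_stmt). Column
/// names live in storage the library may free and reallocate when the first
/// step() re-prepares the statement, exactly as the quoted documentation allows.
pub struct FakeStmt {
    names: Vec<CString>,
    stepped: bool,
}

impl FakeStmt {
    pub fn prepare(cols: &[&str]) -> Self {
        let names = cols.iter().map(|c| CString::new(*c).unwrap()).collect();
        FakeStmt { names, stepped: false }
    }

    /// Models sqlite3_column_name: a raw pointer valid only until the next
    /// step() or finalize; nothing derived from it may be kept past that point.
    pub fn column_name(&self, i: usize) -> *const c_char {
        self.names[i].as_ptr()
    }

    /// Models sqlite3_step: the first call re-prepares the statement, which
    /// here moves every name into a fresh allocation and frees the old ones.
    pub fn step(&mut self) {
        if !self.stepped {
            self.stepped = true;
            self.names = self.names.iter().map(|n| n.clone()).collect();
        }
    }
}

/// The fix: copy each name into an owned String before the first step(), so
/// nothing borrowed from the statement outlives its validity window.
pub fn field_names_then_step(stmt: &mut FakeStmt, ncols: usize) -> Vec<String> {
    let owned: Vec<String> = (0..ncols)
        // SAFETY: the pointer is valid at this moment and is copied out immediately.
        .map(|i| unsafe { CStr::from_ptr(stmt.column_name(i)) }.to_string_lossy().into_owned())
        .collect();
    stmt.step(); // raw pointers are now stale, but none are held any more
    owned
}

/// Shows the hazard: a pointer taken before step() no longer refers to the
/// statement's current name storage afterwards (the buggy code kept such slices).
pub fn pointer_invalidated_by_step(stmt: &mut FakeStmt) -> bool {
    let before = stmt.column_name(0);
    stmt.step();
    before != stmt.column_name(0)
}
```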