This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate async-graphql

Dependencies

(48 total, 16 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 async-graphql-derive^4.0.167.0.6out of date
 async-graphql-parser^4.0.167.0.6out of date
 async-graphql-value^4.0.167.0.6out of date
 async-stream^0.3.00.3.5up to date
 async-trait^0.1.480.1.80up to date
 base64^0.13.00.22.1out of date
 bigdecimal^0.3.00.4.5out of date
 blocking^1.0.21.6.1up to date
 bson^2.4.02.11.0up to date
 bytes^1.0.11.6.0up to date
 chrono ⚠️^0.4.190.4.38maybe insecure
 chrono-tz^0.6.10.9.0out of date
 fast_chemail^0.9.60.9.6up to date
 fnv^1.0.71.0.7up to date
 futures-channel^0.3.130.3.30up to date
 futures-timer^3.0.23.0.3up to date
 futures-util^0.3.00.3.30up to date
 hashbrown^0.12.00.14.5out of date
 http^0.2.31.1.0out of date
 indexmap^1.6.22.2.6out of date
 iso8601-duration^0.1.00.2.0out of date
 log^0.4.160.4.21up to date
 lru^0.7.10.12.3out of date
 mime^0.3.150.3.17up to date
 multer^2.0.03.1.0out of date
 num-traits^0.2.140.2.19up to date
 once_cell^1.7.21.19.0up to date
 opentelemetry^0.18.00.23.0out of date
 pin-project-lite^0.2.60.2.14up to date
 regex^1.5.51.10.5up to date
 rust_decimal^1.14.31.35.0up to date
 secrecy^0.8.00.8.0up to date
 serde^1.0.1251.0.203up to date
 serde_cbor^0.11.10.11.2up to date
 serde_json^1.0.641.0.117up to date
 serde_urlencoded^0.7.00.7.1up to date
 sha2^0.10.20.10.8up to date
 smol_str^0.1.210.2.2out of date
 static_assertions^1.1.01.1.0up to date
 tempfile^3.2.03.10.1up to date
 thiserror^1.0.241.0.61up to date
 time^0.3.50.3.36up to date
 tokio ⚠️^1.17.01.38.0maybe insecure
 tracing-futures^0.2.50.2.5up to date
 tracing^0.1.350.1.40up to date
 url^2.2.12.5.2up to date
 uuid^0.81.8.0out of date
 zxcvbn^2.1.23.0.1out of date

Dev dependencies

(2 total, 1 possibly insecure)

CrateRequiredLatestStatus
 futures-channel^0.3.130.3.30up to date
 tokio ⚠️^1.4.01.38.0maybe insecure

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

tokio: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);