This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate boa_engine

Dependencies

(68 total, 17 outdated, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| aligned-vec | ^0.6.4 | 0.6.4 | up to date |
| arrayvec | ^0.7.6 | 0.7.6 | up to date |
| bitflags | ^2.9.3 | 2.11.0 | up to date |
| boa_ast | ~0.21.0 | 0.21.0 | up to date |
| boa_gc | ~0.21.0 | 0.21.0 | up to date |
| boa_icu_provider | ~0.21.0 | 0.21.0 | up to date |
| boa_interner | ~0.21.0 | 0.21.0 | up to date |
| boa_macros | ~0.21.0 | 0.21.0 | up to date |
| boa_parser | ~0.21.0 | 0.21.0 | up to date |
| boa_string | ~0.21.0 | 0.21.0 | up to date |
| bytemuck | ^1.24.0 | 1.25.0 | up to date |
| cfg-if | ^1.0.1 | 1.0.4 | up to date |
| cow-utils | ^0.1.3 | 0.1.3 | up to date |
| dashmap | ^6.1.0 | 6.1.0 | up to date |
| dynify | ^0.1.2 | 0.1.2 | up to date |
| either | ^1.15.0 | 1.15.0 | up to date |
| fast-float2 | ^0.2.3 | 0.2.3 | up to date |
| fixed_decimal | ^0.7.0 | 0.7.1 | up to date |
| float16 | ^0.1 | 0.1.5 | up to date |
| futures-channel | ^0.3.31 | 0.3.32 | up to date |
| futures-concurrency | ^7.6.3 | 7.7.1 | up to date |
| futures-lite | ^2.6.1 | 2.6.1 | up to date |
| getrandom | ^0.3.3 | 0.4.1 | out of date |
| hashbrown | ^0.16.0 | 0.16.1 | up to date |
| iana-time-zone | ^0.1.64 | 0.1.65 | up to date |
| icu_calendar | ~2.0.5 | 2.1.1 | out of date |
| icu_casemap | ~2.0.0 | 2.1.1 | out of date |
| icu_collator | ~2.0.0 | 2.1.1 | out of date |
| icu_datetime | ~2.0.0 | 2.1.1 | out of date |
| icu_decimal | ~2.0.0 | 2.1.1 | out of date |
| icu_list | ~2.0.0 | 2.1.1 | out of date |
| icu_locale | ~2.0.0 | 2.1.1 | out of date |
| icu_normalizer | ~2.0.0 | 2.1.1 | out of date |
| icu_plurals | ~2.0.0 | 2.1.1 | out of date |
| icu_provider | ~2.0.0 | 2.1.1 | out of date |
| icu_segmenter | ~2.0.0 | 2.1.2 | out of date |
| indexmap | ^2.11.4 | 2.13.0 | up to date |
| intrusive-collections | ^0.9.7 | 0.10.0 | out of date |
| itertools | ^0.14.0 | 0.14.0 | up to date |
| lz4_flex | ^0.11.5 | 0.12.0 | out of date |
| num-bigint | ^0.4.6 | 0.4.6 | up to date |
| num-integer | ^0.1.46 | 0.1.46 | up to date |
| num-traits | ^0.2.19 | 0.2.19 | up to date |
| num_enum | ^0.7.4 | 0.7.5 | up to date |
| paste | ^1.0 | 1.0.15 | up to date |
| portable-atomic | ^1.11.0 | 1.13.1 | up to date |
| rand | ^0.9.2 | 0.10.0 | out of date |
| regress | ^0.10.4 | 0.10.5 | up to date |
| rustc-hash | ^2.1.1 | 2.1.1 | up to date |
| ryu-js | ^1.0.2 | 1.0.2 | up to date |
| serde | ^1.0.219 | 1.0.228 | up to date |
| serde_json | ^1.0.145 | 1.0.149 | up to date |
| small_btree | ~0.1.0 | 0.1.0 | up to date |
| static_assertions | ^1.1.0 | 1.1.0 | up to date |
| sys-locale | ^0.3.2 | 0.3.2 | up to date |
| tag_ptr | ~0.1.0 | 0.1.0 | up to date |
| tap | ^1.0.1 | 1.0.1 | up to date |
| temporal_rs | ^0.1.0 | 0.2.0 | out of date |
| thin-vec | ^0.2.14 | 0.2.14 | up to date |
| thiserror | ^2.0.17 | 2.0.18 | up to date |
| time ⚠️ | ^0.3.44 | 0.3.47 | maybe insecure |
| timezone_provider | ^0.1.0 | 0.2.0 | out of date |
| tinystr | ~0.8.1 | 0.8.2 | up to date |
| web-time | ^1.1.0 | 1.1.0 | up to date |
| writeable | ~0.6.1 | 0.6.2 | up to date |
| xsum | ^0.1.5 | 0.1.6 | up to date |
| yoke | ^0.8.0 | 0.8.1 | up to date |
| zerofrom | ~0.1.6 | 0.1.6 | up to date |

Dev dependencies

(6 total, 1 outdated)

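| Crate | Required | Latest | Status |
|---|---|---|---|
| criterion | ^0.5.1 | 0.8.2 | out of date |
| float-cmp | ^0.10.0 | 0.10.0 | up to date |
| indoc | ^2.0.6 | 2.0.7 | up to date |
| jemallocator | ^0.5.4 | 0.5.4 | up to date |
| test-case | ^3.3.1 | 3.3.1 | up to date |
| textwrap | ^0.16.2 | 0.16.2 | up to date |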

Security Vulnerabilities

time: Denial of Service via Stack Exhaustion

RUSTSEC-2026-0009

Impact

When user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.

Patches

A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

Workarounds

Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.