cargo 0.82.0

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `cargo`

Dependencies

(70 total, 15 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
annotate-snippets	`^0.11.2`	`0.11.5`	up to date
anstream	`^0.6.13`	`0.6.19`	up to date
anstyle	`^1.0.6`	`1.0.11`	up to date
anyhow	`^1.0.82`	`1.0.98`	up to date
base64	`^0.22.1`	`0.22.1`	up to date
bytesize	`^1.3`	`2.0.1`	out of date
cargo-credential	`^0.4.2`	`0.4.8`	up to date
cargo-credential-libsecret	`^0.4.7`	`0.4.14`	up to date
cargo-credential-macos-keychain	`^0.4.7`	`0.4.14`	up to date
cargo-credential-wincred	`^0.4.7`	`0.4.14`	up to date
cargo-platform	`^0.1.5`	`0.3.0`	out of date
cargo-util	`^0.2.14`	`0.2.21`	up to date
cargo-util-schemas	`^0.5.0`	`0.8.2`	out of date
clap	`^4.5.4`	`4.5.40`	up to date
color-print	`^0.3.6`	`0.3.7`	up to date
crates-io	`^0.40.4`	`0.40.11`	up to date
curl	`^0.4.46`	`0.4.48`	up to date
curl-sys	`^0.4.72`	`0.4.82+curl-8.14.1`	up to date
filetime	`^0.2.23`	`0.2.25`	up to date
flate2	`^1.0.30`	`1.1.2`	up to date
git2	`^0.19.0`	`0.20.2`	out of date
git2-curl	`^0.20.0`	`0.21.0`	out of date
gix	`^0.64.0`	`0.72.1`	out of date
glob	`^0.3.1`	`0.3.2`	up to date
hex	`^0.4.3`	`0.4.3`	up to date
hmac	`^0.12.1`	`0.12.1`	up to date
home	`^0.5.9`	`0.5.11`	up to date
http-auth	`^0.1.9`	`0.1.10`	up to date
humantime	`^2.1.0`	`2.2.0`	up to date
ignore	`^0.4.22`	`0.4.23`	up to date
im-rc	`^15.1.0`	`15.1.0`	up to date
indexmap	`^2.2.6`	`2.10.0`	up to date
itertools	`^0.13.0`	`0.14.0`	out of date
jobserver	`^0.1.28`	`0.1.33`	up to date
lazycell	`^1.3.0`	`1.3.0`	up to date
libc	`^0.2.154`	`0.2.174`	up to date
libgit2-sys	`^0.17.0`	`0.18.2+1.9.1`	out of date
memchr	`^2.7.2`	`2.7.5`	up to date
opener	`^0.7.0`	`0.8.2`	out of date
openssl ⚠️	`^0.10.57`	`0.10.73`	maybe insecure
os_info	`^3.8.2`	`3.12.0`	up to date
pasetors	`^0.6.8`	`0.7.6`	out of date
pathdiff	`^0.2.1`	`0.2.3`	up to date
rand	`^0.8.5`	`0.9.1`	out of date
regex	`^1.10.4`	`1.11.1`	up to date
rusqlite	`^0.31.0`	`0.36.0`	out of date
rustfix	`^0.8.2`	`0.9.1`	out of date
same-file	`^1.0.6`	`1.0.6`	up to date
semver	`^1.0.22`	`1.0.26`	up to date
serde	`^1.0.199`	`1.0.219`	up to date
serde-untagged	`^0.1.5`	`0.1.7`	up to date
serde_ignored	`^0.1.10`	`0.1.12`	up to date
serde_json	`^1.0.116`	`1.0.140`	up to date
sha1	`^0.10.6`	`0.10.6`	up to date
shell-escape	`^0.1.5`	`0.1.5`	up to date
supports-hyperlinks	`^3.0.0`	`3.1.0`	up to date
supports-unicode	`^3.0.0`	`3.0.0`	up to date
tar	`^0.4.40`	`0.4.44`	up to date
tempfile	`^3.10.1`	`3.20.0`	up to date
time	`^0.3.36`	`0.3.41`	up to date
toml	`^0.8.14`	`0.8.23`	up to date
toml_edit	`^0.22.14`	`0.22.27`	up to date
tracing	`^0.1.40`	`0.1.41`	up to date
tracing-chrome	`^0.7.2`	`0.7.2`	up to date
tracing-subscriber	`^0.3.18`	`0.3.19`	up to date
unicase	`^2.7.0`	`2.8.1`	up to date
unicode-width	`^0.1.12`	`0.2.1`	out of date
url	`^2.5.0`	`2.5.4`	up to date
walkdir	`^2.5.0`	`2.5.0`	up to date
windows-sys	`^0.52`	`0.60.2`	out of date

Dev dependencies

(5 total, 2 outdated)

Crate	Required	Latest	Status
annotate-snippets	`^0.11.2`	`0.11.5`	up to date
cargo-test-support	`^0.3.0`	`0.7.4`	out of date
gix	`^0.64.0`	`0.72.1`	out of date
same-file	`^1.0.6`	`1.0.6`	up to date
snapbox	`^0.6.9`	`0.6.21`	up to date

Security Vulnerabilities

`openssl`: Use-After-Free in `Md::fetch` and `Cipher::fetch`

RUSTSEC-2025-0022

When a Some(...) value was passed to the properties argument of either of these functions, a use-after-free would result.

In practice this would nearly always result in OpenSSL treating the properties as an empty string (due to CString::drop's behavior).

The maintainers thank quitbug for reporting this vulnerability to us.