This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate clap

Dependencies

(10 total, 4 outdated, 1 insecure)

Crate          Required   Latest   Status
atty           ^0.2.2     0.2.14   up to date
bitflags       ^1.0       1.2.1    up to date
clippy         ~0.0.166   0.0.302  up to date
strsim         ^0.8       0.10.0   out of date
term_size      ^0.3.0     0.3.2    up to date
textwrap       ^0.11.0    0.14.2   out of date
unicode-width  ^0.1.4     0.1.8    up to date
vec_map        ^0.8       0.8.2    up to date
yaml-rust      ^0.3.5     0.4.5    insecure
ansi_term      ^0.11      0.12.1   out of date

Dev dependencies

(3 total, 1 outdated)

Crate          Required   Latest   Status
lazy_static    ^1.3       1.4.0    up to date
regex          ^1         1.5.4    up to date
version-sync   ^0.8       0.9.2    out of date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted: it is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).