This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate datafusion

Dependencies

(51 total, 4 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 ahash^0.80.8.11up to date
 apache-avro^0.160.17.0out of date
 arrow^53.2.053.3.0up to date
 arrow-array^53.2.053.3.0up to date
 arrow-ipc^53.2.053.3.0up to date
 arrow-schema^53.2.053.3.0up to date
 async-compression^0.4.00.4.18up to date
 async-trait^0.1.730.1.83up to date
 bytes^1.41.9.0up to date
 bzip2 ⚠️^0.4.30.5.0out of date
 chrono^0.4.380.4.39up to date
 dashmap^6.0.16.1.0up to date
 datafusion-catalog^43.0.043.0.0up to date
 datafusion-common^43.0.043.0.0up to date
 datafusion-common-runtime^43.0.043.0.0up to date
 datafusion-execution^43.0.043.0.0up to date
 datafusion-expr^43.0.043.0.0up to date
 datafusion-functions^43.0.043.0.0up to date
 datafusion-functions-aggregate^43.0.043.0.0up to date
 datafusion-functions-nested^43.0.043.0.0up to date
 datafusion-functions-window^43.0.043.0.0up to date
 datafusion-optimizer^43.0.043.0.0up to date
 datafusion-physical-expr^43.0.043.0.0up to date
 datafusion-physical-expr-common^43.0.043.0.0up to date
 datafusion-physical-optimizer^43.0.043.0.0up to date
 datafusion-physical-plan^43.0.043.0.0up to date
 datafusion-sql^43.0.043.0.0up to date
 flate2^1.0.241.0.35up to date
 futures^0.30.3.31up to date
 glob^0.3.00.3.1up to date
 half^2.2.12.4.1up to date
 hashbrown^0.14.50.15.2out of date
 indexmap^2.0.02.7.0up to date
 itertools^0.130.13.0up to date
 log^0.40.4.22up to date
 num-traits^0.20.2.19up to date
 num_cpus^1.13.01.16.0up to date
 object_store^0.11.00.11.1up to date
 parking_lot^0.120.12.3up to date
 parquet^53.2.053.3.0up to date
 paste^1.0.151.0.15up to date
 pin-project-lite^0.2.70.2.15up to date
 rand^0.80.8.5up to date
 sqlparser^0.51.00.52.0out of date
 tempfile^33.14.0up to date
 tokio^1.361.42.0up to date
 tokio-util^0.7.40.7.13up to date
 url^2.22.5.4up to date
 uuid^1.71.11.0up to date
 xz2^0.10.1.7up to date
 zstd^0.130.13.2up to date

Dev dependencies

(23 total, 2 outdated)

CrateRequiredLatestStatus
 arrow-buffer^53.2.053.3.0up to date
 async-trait^0.1.730.1.83up to date
 bigdecimal=0.4.10.4.7out of date
 criterion^0.50.5.1up to date
 csv^1.1.61.3.1up to date
 ctor^0.2.00.2.9up to date
 datafusion-functions-window-common^43.0.043.0.0up to date
 doc-comment^0.30.3.3up to date
 env_logger^0.110.11.5up to date
 half^2.2.12.4.1up to date
 nix^0.29.00.29.0up to date
 paste^1.01.0.15up to date
 postgres-protocol^0.6.40.6.7up to date
 postgres-types^0.2.40.2.8up to date
 rand^0.80.8.5up to date
 rand_distr^0.4.30.4.3up to date
 regex^1.81.11.1up to date
 rstest^0.23.00.23.0up to date
 rust_decimal^1.27.01.36.0up to date
 serde_json^11.0.133up to date
 thiserror^1.0.442.0.7out of date
 tokio^1.361.42.0up to date
 tokio-postgres^0.7.70.7.12up to date

Security Vulnerabilities

bzip2: bzip2 Denial of Service (DoS)

RUSTSEC-2023-0004

Working with specific payloads can cause a Denial of Service (DoS) vector.

Both Decompress and Compress implementations can enter into infinite loops given specific payloads entered that trigger it.

The issue is described in great detail in the bzip2 repository issue.

Thanks to bjrjk for finding and providing the patch for the issue and the maintainer responsibly responding to release a fix quickly.

Users who use the crate with untrusted data should update the bzip2 to 0.4.4.