This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate finch

Dependencies

(11 total, 6 outdated, 2 possibly insecure)

Crate         Required   Latest    Status
------------  ---------  --------  -----------
bincode       ^1.2.0     3.0.0     out of date
capnp ⚠️      ^0.14      0.25.2    out of date
memmap        ^0.7.0     0.7.0     up to date
murmurhash3   ^0.0.5     0.0.5     up to date
needletail    ^0.5       0.6.3     out of date
numpy         ^0.18      0.28.0    out of date
pyo3 ⚠️       ^0.18      0.28.2    out of date
rayon         ^1.2.0     1.11.0    up to date
serde         ^1.0       1.0.228   up to date
serde_json    ^1         1.0.149   up to date
thiserror     ^1         2.0.18    out of date

Dev dependencies

(2 total, 1 outdated)

Crate         Required   Latest    Status
------------  ---------  --------  -----------
predicates    ^2         3.1.4     out of date
proptest      ^1         1.10.0    up to date

Security Vulnerabilities

pyo3: Risk of buffer overflow in `PyString::from_object`

RUSTSEC-2025-0020

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for a terminating nul byte. Because the C API expects a nul-terminated string, the Python interpreter could read beyond the end of the &str data and potentially leak the contents of the out-of-bounds read (by raising a Python exception containing a copy of the data, including the overflow).

In PyO3 0.24.1 this function now allocates a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API that takes &CStr arguments.

capnp: Unsound APIs of public `constant::Reader` and `StructSchema`

RUSTSEC-2025-0143

The safe API functions constant::Reader::get and StructSchema::new rely on PointerReader::get_root_unchecked, which can cause undefined behavior (UB) when a reader or schema is constructed from arbitrary, unvalidated words.

Reader::get

pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
    // ...
    // UNSAFE: access `words` without validation
}

StructSchema::new

pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
    // ...
    // UNSAFE: access encoded nodes without validation
}

This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.

The issue is resolved in version 0.24.0 by making the constructor functions unsafe and restricting the struct fields to crate-private visibility.