Deps.rs

holochain_json_api 0.0.36

[![dependency status](https://deps.rs/crate/holochain_json_api/0.0.36/status.svg)](https://deps.rs/crate/holochain_json_api/0.0.36)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate holochain_json_api

Dependencies

(19 total, 11 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 arrayref=0.3.50.3.7out of date
 base64=0.10.10.22.0out of date
 chrono ⚠️=0.4.60.4.38out of date
 futures-channel-preview=0.3.0-alpha.170.2.2up to date
 futures-core-preview=0.3.0-alpha.170.2.3up to date
 futures-executor-preview=0.3.0-alpha.170.2.2up to date
 futures-io-preview=0.3.0-alpha.170.2.2up to date
 futures-preview=0.3.0-alpha.170.2.2up to date
 futures-sink-preview=0.3.0-alpha.170.2.2up to date
 futures-util-preview=0.3.0-alpha.170.2.2up to date
 hcid=0.0.60.0.6up to date
 holochain_json_derive=0.0.360.0.51out of date
 multihash ⚠️=0.8.00.19.1out of date
 objekt=0.1.20.2.0out of date
 serde=1.0.1041.0.198out of date
 serde_derive=1.0.1041.0.198out of date
 serde_json=1.0.481.0.116out of date
 shrinkwraprs=0.2.10.3.0out of date
 uuid=0.7.11.8.0out of date

Dev dependencies

(1 total, 1 outdated)

CrateRequiredLatestStatus
 maplit=1.0.11.0.2out of date

Security Vulnerabilities

multihash: Unexpected panic in multihash `from_slice` parsing code

RUSTSEC-2020-0068

In versions prior 0.11.3 it's possible to make from_slice panic by feeding it certain malformed input. It's never documented that from_slice (and from_bytes which wraps it) can panic, and its' return type (Result<Self, DecodeError>) suggests otherwise.

In practice, from_slice/from_bytes is frequently used in networking code (for example in rust-libp2p) and is being called with unsanitized data from untrusted sources. This can allow attackers to cause DoS by causing an unexpected panic in the network client's code.

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References