Deps.rs

jsonb 0.3.0

[![dependency status](https://deps.rs/crate/jsonb/0.3.0/status.svg)](https://deps.rs/crate/jsonb/0.3.0)

This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate jsonb

Dependencies

(6 total, 3 outdated, 1 insecure)

CrateRequiredLatestStatus
 byteorder^1.5.01.5.0up to date
 fast-float ⚠️^0.2.00.2.0insecure
 nom^7.1.38.0.0out of date
 ordered-float^4.1.15.0.0out of date
 rand^0.8.50.9.1out of date
 serde_json^1.0.1071.0.140up to date

Dev dependencies

(6 total, 2 outdated)

CrateRequiredLatestStatus
 criterion^0.5.10.6.0out of date
 goldenfile^1.5.21.8.0up to date
 json-deserializer^0.4.40.4.4up to date
 mockalloc^0.1.20.1.2up to date
 serde_json^1.0.1071.0.140up to date
 simd-json^0.11.10.15.1out of date

Security Vulnerabilities

fast-float: Segmentation fault due to lack of bound check

RUSTSEC-2025-0003

In this case, the "fast_float::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input. This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.

No patched version for fast-float crate has been released, but a patch is available in the fast-float2 fork.