Deps.rs

meep 1.0.1

[![dependency status](https://deps.rs/crate/meep/1.0.1/status.svg)](https://deps.rs/crate/meep/1.0.1)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate meep

Dependencies

(14 total, 7 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 diesel ⚠️^12.1.6out of date
 diesel_migrations^12.1.0out of date
 dotenv_codegen^0.150.15.0up to date
 fehler^1.0.0-alpha.11.0.0up to date
 r2d2^0.80.8.10up to date
 r2d2-diesel^1.01.0.0up to date
 rand^0.70.8.5out of date
 rocket^0.40.5.0out of date
 rocket_codegen^0.40.5.0out of date
 rocket_contrib^0.40.4.11up to date
 serde^11.0.198up to date
 serde_derive^11.0.198up to date
 syntect^35.2.0out of date
 toml^0.50.8.12out of date

Security Vulnerabilities

diesel: Fix a use-after-free bug in diesels Sqlite backend

RUSTSEC-2021-0037

We've misused sqlite3_column_name. The SQLite documentation states that the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we've first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalids the pointer and therefore the stored string slice.