Deps.rs

ordered-float 4.5.0

[![dependency status](https://deps.rs/crate/ordered-float/4.5.0/status.svg)](https://deps.rs/crate/ordered-float/4.5.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate ordered-float

Dependencies

(12 total, 3 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 arbitrary^1.0.01.4.2up to date
 borsh^1.2.01.6.0up to date
 bytemuck^1.12.21.25.0up to date
 derive-visitor^0.4.00.4.0up to date
 num-cmp^0.1.00.1.0up to date
 num-traits^0.2.10.2.19up to date
 proptest^1.0.01.10.0up to date
 rand^0.8.30.10.0out of date
 rkyv ⚠️^0.7.410.8.14out of date
 schemars^0.8.81.2.1out of date
 serde^1.01.0.228up to date
 speedy^0.8.30.8.7up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 serde_test^1.01.0.177up to date

Security Vulnerabilities

rkyv: Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM

RUSTSEC-2026-0001

The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T> in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the allocator returns a null pointer on OOM (Out of Memory).

This null pointer can flow through to SharedPointer::from_value, which calls Box::from_raw(ptr) with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs during the allocation of the shared pointer.

The issue is reachable through safe code and violates Rust's safety guarantees.