This project contains known security vulnerabilities. Find detailed information at the bottom.
polars-io(30 total, 12 outdated, 2 insecure, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| ahash | ^0.8 | 0.8.12 | up to date |
| arrow2 ⚠️ | ^0.17 | 0.18.0 | insecure |
| async-trait | ^0.1.59 | 0.1.88 | up to date |
| bytes | ^1.3.0 | 1.10.1 | up to date |
| chrono ⚠️ | ^0.4 | 0.4.41 | maybe insecure |
| chrono-tz | ^0.8.1 | 0.10.3 | out of date |
| fast-float ⚠️ | ^0.2.0 | 0.2.0 | insecure |
| flate2 | ^1 | 1.1.2 | up to date |
| futures | ^0.3.25 | 0.3.31 | up to date |
| home | ^0.5.4 | 0.5.11 | up to date |
| lexical | ^6 | 7.0.4 | out of date |
| lexical-core | ^0.8 | 1.0.5 | out of date |
| memchr | ^2 | 2.7.5 | up to date |
| memmap2 | ^0.5.2 | 0.9.5 | out of date |
| num-traits | ^0.2 | 0.2.19 | up to date |
| object_store ⚠️ | ^0.5.3 | 0.12.2 | out of date |
| once_cell | ^1 | 1.21.3 | up to date |
| polars-arrow | ^0.29.0 | 0.49.1 | out of date |
| polars-core | ^0.29.0 | 0.49.1 | out of date |
| polars-error | ^0.29.0 | 0.49.1 | out of date |
| polars-time | ^0.29.0 | 0.49.1 | out of date |
| polars-utils | ^0.29.0 | 0.49.1 | out of date |
| rayon | ^1.6 | 1.10.0 | up to date |
| regex | ^1.6 | 1.11.1 | up to date |
| serde | ^1 | 1.0.219 | up to date |
| serde_json | ^1 | 1.0.140 | up to date |
| simd-json | ^0.9 | 0.15.1 | out of date |
| simdutf8 | ^0.1 | 0.1.5 | up to date |
| tokio | ^1.26.0 | 1.46.1 | up to date |
| url | ^2.3.1 | 2.5.4 | up to date |
(1 total, all up-to-date)
| Crate | Required | Latest | Status |
|---|---|---|---|
| tempdir | ^0.3.7 | 0.3.7 | up to date |
chrono: Potential segfault in `localtime_r` invocationsUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
object_store: Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log filesExposure of temporary credentials in logs in Apache Arrow Rust Object Store, version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.
On certain error conditions, the logs may contain the OIDC token passed to AssumeRoleWithWebIdentity. This allows someone with access to the logs to impersonate that identity, including performing their own calls to AssumeRoleWithWebIdentity, until the OIDC token expires. Typically OIDC tokens are valid for up to an hour, although this will vary depending on the issuer.
Users are recommended to use a different AWS authentication mechanism, disable logging or upgrade to version 0.10.2, which fixes this issue.
When using AWS WebIdentityTokens with the object_store crate, in the event of
a failure and automatic retry, the underlying reqwest error, including the
full URL with the credentials, potentially in the parameters, is written to the
logs.
Thanks to Paul Hatcherian for reporting this vulnerability
fast-float: Segmentation fault due to lack of bound checkIn this case, the "fast_float::common::AsciiStr::first" method within the "AsciiStr" struct uses the unsafe keyword to reading from memory without performing bounds checking. Specifically, it directly dereferences a pointer offset by "self.ptr". Because of the above reason, the method accesses invalid memory address when it takes an empty string as its input. This approach violates Rust’s memory safety guarantees, as it can lead to invalid memory access if empty buffer is provided.
No patched version for fast-float crate has been released, but a patch is available in the fast-float2 fork.
arrow2: Out of bounds access in public safe APIRows::row_unchecked() allows out of bounds access to the underlying
buffer without sufficient checks.
The arrow2 crate is no longer maintained, so there are no plans to fix this issue. Users are advised to migrate to the arrow crate, instead.