This project contains known security vulnerabilities. Find detailed information at the bottom.
polars-plan(17 total, 9 outdated, 1 insecure, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| ahash | ^0.8 | 0.8.12 | up to date |
| arrow2 ⚠️ | ^0.17 | 0.18.0 | insecure |
| chrono ⚠️ | ^0.4 | 0.4.41 | maybe insecure |
| chrono-tz | ^0.8 | 0.10.3 | out of date |
| futures | ^0.3.25 | 0.3.31 | up to date |
| once_cell | ^1 | 1.21.3 | up to date |
| polars-arrow | ^0.29.0 | 0.49.1 | out of date |
| polars-core | ^0.29.0 | 0.49.1 | out of date |
| polars-io | ^0.29.0 | 0.49.1 | out of date |
| polars-ops | ^0.29.0 | 0.49.1 | out of date |
| polars-time | ^0.29.0 | 0.49.1 | out of date |
| polars-utils | ^0.29.0 | 0.49.1 | out of date |
| pyo3 ⚠️ | ^0.18 | 0.25.1 | out of date |
| rayon | ^1.6 | 1.10.0 | up to date |
| regex | ^1.6 | 1.11.1 | up to date |
| serde | ^1 | 1.0.219 | up to date |
| smartstring | ^1 | 1.0.1 | up to date |
chrono: Potential segfault in `localtime_r` invocationsUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
pyo3: Risk of buffer overflow in `PyString::from_object`PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).
In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.
arrow2: Out of bounds access in public safe APIRows::row_unchecked() allows out of bounds access to the underlying
buffer without sufficient checks.
The arrow2 crate is no longer maintained, so there are no plans to fix this issue. Users are advised to migrate to the arrow crate, instead.