This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
pyo3(17 total, 7 outdated, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| anyhow | ^1.0 | 1.0.82 | up to date |
| cfg-if | ^1.0 | 1.0.0 | up to date |
| chrono ⚠️ | ^0.4 | 0.4.38 | maybe insecure |
| eyre ⚠️ | >=0.4, <0.7 | 0.6.12 | maybe insecure |
| hashbrown | >=0.9, <0.14 | 0.14.3 | out of date |
| indexmap | ^1.6 | 2.2.6 | out of date |
| indoc | ^1.0.3 | 2.0.5 | out of date |
| inventory | ^0.3.0 | 0.3.15 | up to date |
| libc | ^0.2.62 | 0.2.153 | up to date |
| memoffset | ^0.8 | 0.9.1 | out of date |
| num-bigint | ^0.4 | 0.4.4 | up to date |
| num-complex | >=0.2, <0.5 | 0.4.5 | up to date |
| parking_lot | >=0.11, <0.13 | 0.12.1 | up to date |
| pyo3-ffi | =0.18.2 | 0.21.2 | out of date |
| pyo3-macros | =0.18.2 | 0.21.2 | out of date |
| serde | ^1.0 | 1.0.198 | up to date |
| unindent | ^0.1.4 | 0.2.3 | out of date |
(11 total, 3 outdated, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| assert_approx_eq | ^1.1.0 | 1.1.0 | up to date |
| chrono ⚠️ | ^0.4 | 0.4.38 | maybe insecure |
| criterion | ^0.3.5 | 0.5.1 | out of date |
| proptest | ^0.10.1 | 1.4.0 | out of date |
| rayon | ^1.0.2 | 1.10.0 | up to date |
| rustversion | ^1.0 | 1.0.15 | up to date |
| send_wrapper | ^0.6 | 0.6.0 | up to date |
| serde | ^1.0 | 1.0.198 | up to date |
| serde_json | ^1.0.61 | 1.0.116 | up to date |
| trybuild | >=1.0.70 | 1.0.91 | up to date |
| widestring | ^0.5.1 | 1.1.0 | out of date |
chrono: Potential segfault in `localtime_r` invocationsUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
eyre: Parts of Report are dropped as the wrong type during downcastIn affected versions, after a Report is constructed using wrap_err or
wrap_err_with to attach a message of type D onto an error of type E, then
using downcast to recover ownership of either the value of type D or the
value of type E, one of two things can go wrong:
If downcasting to E, there remains a value of type D to be dropped. It is
incorrectly "dropped" by running E's drop behavior, rather than D's. For
example if D is &str and E is std::io::Error, there would be a call of
std::io::Error::drop in which the reference received by the Drop impl does
not refer to a valid value of type std::io::Error, but instead to &str.
If downcasting to D, there remains a value of type E to be dropped. When
D and E do not happen to be the same size, E's drop behavior is
incorrectly executed in the wrong location. The reference received by the
Drop impl may point left or right of the real E value that is meant to be
getting dropped.
In both cases, when the Report contains an error E that has nontrivial drop
behavior, the most likely outcome is memory corruption.
When the Report contains an error E that has trivial drop behavior (for
example a Utf8Error) but where D has nontrivial drop behavior (such as
String), the most likely outcome is that downcasting to E would leak D.