This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate semver

Dependencies

(3 total, 1 insecure)

Crate           Required   Latest    Status
diesel          ^1.1       1.4.7     insecure
semver-parser   ^0.10.0    0.10.2    up to date
serde           ^1.0       1.0.127   up to date

Dev dependencies

(2 total, all up-to-date)

Crate           Required   Latest    Status
serde_derive    ^1.0       1.0.127   up to date
serde_json      ^1.0       1.0.66    up to date

Security Vulnerabilities

diesel: Fix a use-after-free bug in diesel's SQLite backend

RUSTSEC-2021-0037

We've misused sqlite3_column_name. The SQLite documentation states the following:

The returned string pointer is valid until either the prepared statement is destroyed by sqlite3_finalize() or until the statement is automatically reprepared by the first call to sqlite3_step() for a particular run or until the next call to sqlite3_column_name() or sqlite3_column_name16() on the same column.

As part of our query_by_name infrastructure we've first received all field names for the prepared statement and stored them as string slices for later use. After that we called sqlite3_step() for the first time, which invalidates the pointer and therefore the stored string slice.
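The lifetime hazard the advisory describes, and the fix pattern (copy the column name into owned memory before the first step), shown as an added example that is not diesel's code and does not link libsqlite3. MockStatement is a constructed stand-in that imitates the documented contract: column_name() returns a raw C pointer that is only valid until the next step(), which rebuilds its buffers the way an automatic reprepare does. borrowed_column_names shows the flawed shape (an unbounded lifetime conjured from a raw pointer that nothing ties to the statement state); owned_column_names is the hardened form.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

/// Constructed mock of a prepared statement (not libsqlite3, not diesel).
/// Mirrors the sqlite3_column_name contract: the returned pointer is valid
/// only until the next `step()`.
struct MockStatement {
    names: Vec<CString>,
    rows_left: usize,
}

impl MockStatement {
    fn new(names: &[&str], rows: usize) -> Self {
        MockStatement {
            names: names.iter().map(|n| CString::new(*n).unwrap()).collect(),
            rows_left: rows,
        }
    }

    fn column_count(&self) -> usize {
        self.names.len()
    }

    /// Like sqlite3_column_name: a raw pointer into statement-owned memory.
    fn column_name(&self, idx: usize) -> *const c_char {
        self.names[idx].as_ptr()
    }

    /// Like sqlite3_step: the first call may "reprepare", here simulated by
    /// reallocating every name buffer, which frees the memory that any
    /// previously returned pointer referred to.
    fn step(&mut self) -> bool {
        self.names = self
            .names
            .iter()
            .map(|n| CString::new(n.to_bytes()).unwrap())
            .collect();
        if self.rows_left == 0 {
            return false;
        }
        self.rows_left -= 1;
        true
    }
}

/// FLAWED pattern (the shape of the bug): `CStr::from_ptr` yields an
/// unbounded lifetime `'a`, so the borrow checker cannot see that these
/// slices die at the next `step()`. Reading them after stepping is a
/// use-after-free. Only safe to use before any `step()` call.
fn borrowed_column_names<'a>(stmt: &MockStatement) -> Vec<&'a str> {
    (0..stmt.column_count())
        .map(|i| unsafe { CStr::from_ptr(stmt.column_name(i)) }.to_str().unwrap())
        .collect()
}

/// HARDENED pattern: copy each name into an owned `String` while the pointer
/// is still valid, so nothing borrowed from the C side crosses a `step()`.
fn owned_column_names(stmt: &MockStatement) -> Vec<String> {
    (0..stmt.column_count())
        .map(|i| {
            // SAFETY: the pointer is valid at this instant; we copy immediately
            // and never retain the borrowed CStr.
            unsafe { CStr::from_ptr(stmt.column_name(i)) }
                .to_string_lossy()
                .into_owned()
        })
        .collect()
}

/// Query-by-name driver: capture owned names once, then step through rows.
/// Returns the names (still valid after stepping) and the row count.
fn run_query(stmt: &mut MockStatement) -> (Vec<String>, usize) {
    let names = owned_column_names(stmt);
    let mut rows = 0;
    while stmt.step() {
        rows += 1;
    }
    (names, rows)
}

fn main() {
    let mut stmt = MockStatement::new(&["id", "name"], 2);
    let (names, rows) = run_query(&mut stmt);
    println!("columns {:?} over {} rows", names, rows);
}
```

The fix is purely a change of ownership: `owned_column_names` allocates a few bytes per column once, and in exchange the names no longer depend on libsqlite3's internal buffers at all.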