Deps.rs

sieve-rs 0.7.1

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate sieve-rs

Dependencies

(8 total, 1 possibly insecure)

CrateRequiredLatestStatus
 ahash^0.8.00.8.12up to date
 arc-swap^1.7.11.9.0up to date
 fancy-regex^0.17.00.17.0up to date
 hashify^0.20.2.9up to date
 mail-builder^0.40.4.4up to date
 mail-parser^0.110.11.2up to date
 rkyv ⚠️^0.80.8.15maybe insecure
 serde^1.01.0.228up to date

Dev dependencies

(4 total, 1 outdated)

CrateRequiredLatestStatus
 evalexpr^11.1.013.1.0out of date
 mail-parser^0.110.11.2up to date
 serde^1.01.0.228up to date
 serde_json^1.01.0.149up to date

Security Vulnerabilities

rkyv: Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM

RUSTSEC-2026-0001

The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T> in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the allocator returns a null pointer on OOM (Out of Memory).

This null pointer can flow through to SharedPointer::from_value, which calls Box::from_raw(ptr) with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs during the allocation of the shared pointer.

The issue is reachable through safe code and violates Rust's safety guarantees.