This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate surrealdb-core

Dependencies

(96 total, 28 outdated, 1 possibly insecure)

Crate                   Required           Latest   Status
addr                    ^0.15.6            0.15.6   up to date
affinitypool            ^0.3.1             0.4.0    out of date
ahash                   ^0.8.11            0.8.12   up to date
ammonia ⚠️              ^4.0.0             4.1.2    maybe insecure
arbitrary               ^1.3.2             1.4.2    up to date
argon2                  ^0.5.2             0.5.3    up to date
any_ascii               ^0.3.2             0.3.3    up to date
async-channel           ^2.3.1             2.5.0    up to date
async-executor          ^1.13.1            1.13.3   up to date
async-graphql           ^7.0.9             7.0.17   up to date
base64                  ^0.21.5            0.22.1   out of date
bcrypt                  ^0.15.0            0.17.1   out of date
bincode                 ^1.3.3             2.0.1    out of date
blake3                  ^1.5.3             1.8.2    up to date
bytes                   ^1.5.0             1.11.0   up to date
castaway                ^0.2.3             0.2.4    up to date
cedar-policy            ^2.4.2             4.8.1    out of date
chrono                  ^0.4.38            0.4.42   up to date
ciborium                ^0.2.1             0.2.2    up to date
dashmap                 ^5.5.3             6.1.0    out of date
deunicode               ^1.4.1             1.6.2    up to date
dmp                     ^0.2.0             0.2.3    up to date
ext-sort                ^0.1.4             0.1.5    up to date
foundationdb            ^0.9.0             0.10.0   out of date
fst                     ^0.4.7             0.4.7    up to date
futures                 ^0.3.30            0.3.31   up to date
fuzzy-matcher           ^0.3.7             0.3.7    up to date
geo                     ^0.28.0            0.31.0   out of date
geo-types               ^0.7.13            0.7.17   up to date
getrandom               ^0.3.2             0.3.4    up to date
hex                     ^0.4.3             0.4.3    up to date
http                    ^1.1.0             1.4.0    up to date
indxdb                  ^0.6.0             0.11.0   out of date
ipnet                   ^2.9.0             2.11.0   up to date
tikv-jemallocator       ^0.6.0             0.6.1    up to date
rquickjs                ^0.9.0             0.10.0   out of date
jsonwebtoken            ^9.3.0             10.2.0   out of date
lexicmp                 ^0.1.0             0.2.0    out of date
linfa-linalg            =0.1.0             0.2.1    out of date
md-5                    ^0.10.6            0.10.6   up to date
nanoid                  ^0.4.0             0.4.0    up to date
ndarray                 =0.15.6            0.17.1   out of date
ndarray-stats           =0.5.1             0.6.0    out of date
num-traits              ^0.2.18            0.2.19   up to date
num_cpus                ^1.16.0            1.17.0   up to date
object_store            ^0.12.0            0.12.4   up to date
parking_lot             ^0.12.3            0.12.5   up to date
pbkdf2                  ^0.12.2            0.12.2   up to date
pharos                  ^0.5.3             0.5.3    up to date
phf                     ^0.11.2            0.13.1   out of date
pin-project-lite        ^0.2.13            0.2.16   up to date
quick_cache             ^0.5.1             0.6.18   out of date
radix_trie              ^0.2.1             0.3.0    out of date
rand                    ^0.8.5             0.9.2    out of date
rayon                   ^1.10.0            1.11.0   up to date
reblessive              ^0.4.2             0.4.3    up to date
regex                   ^1.10.6            1.12.2   up to date
regex-syntax            ^0.8.4             0.8.8    up to date
reqwest                 ^0.12.7            0.12.24  up to date
revision                ^0.11.0            0.15.0   out of date
ring                    ^0.17.13           0.17.14  up to date
rmpv                    ^1.0.1             1.3.0    up to date
roaring                 ^0.10.6            0.11.2   out of date
surrealdb-rocksdb       ^0.24.0-surreal.1  N/A      up to date
rust-stemmers           ^1.2.0             1.2.0    up to date
rust_decimal            ^1.36.0            1.39.0   up to date
scrypt                  ^0.11.0            0.11.0   up to date
semver                  ^1.0.20            1.0.27   up to date
serde                   ^1.0.209           1.0.228  up to date
serde-content           ^0.1.0             0.1.2    up to date
serde_json              ^1.0.127           1.0.145  up to date
sha1                    ^0.10.6            0.10.6   up to date
sha2                    ^0.10.8            0.10.9   up to date
snap                    ^1.1.0             1.1.1    up to date
storekey                ^0.5.0             0.10.0   out of date
strsim                  ^0.11.1            0.11.1   up to date
subtle                  ^2.6               2.6.1    up to date
surrealcs               ^0.4.4             0.4.4    up to date
surrealkv               ^0.9.1             0.15.0   out of date
surrealml-core          ^0.1.1             0.1.9    up to date
sysinfo                 ^0.33.0            0.37.2   out of date
tempfile                ^3.10.1            3.23.0   up to date
thiserror               ^1.0.63            2.0.17   out of date
surrealdb-tikv-client   ^0.3.0-surreal.3   N/A      up to date
tokio                   ^1.41.1            1.48.0   up to date
tokio-tungstenite       ^0.23.1            0.28.0   out of date
tracing                 ^0.1.40            0.1.43   up to date
trice                   ^0.4.0             0.4.0    up to date
ulid                    ^1.1.0             1.2.1    up to date
unicase                 ^2.7.0             2.8.1    up to date
url                     ^2.5.0             2.5.7    up to date
uuid                    ^1.10.0            1.18.1   up to date
vart                    ^0.8.1             0.9.3    out of date
wasm-bindgen-futures    ^0.4.39            0.4.56   up to date
wasmtimer               ^0.2.0             0.4.3    out of date
ws_stream_wasm          ^0.7.4             0.7.5    up to date

Dev dependencies

(11 total, 3 outdated, 1 possibly insecure)

Crate                   Required           Latest   Status
criterion               ^0.5.1             0.7.0    out of date
env_logger              ^0.11.7            0.11.8   up to date
flate2                  ^1.0.28            1.1.5    up to date
pprof                   ^0.14.0            0.15.0   out of date
serial_test             ^2.0.0             3.2.0    out of date
temp-dir                ^0.1.11            0.1.16   up to date
test-log                ^0.2.13            0.2.19   up to date
time                    ^0.3.36            0.3.44   up to date
tokio                   ^1.41.1            1.48.0   up to date
tracing-subscriber ⚠️   ^0.3.18            0.3.20   maybe insecure
wiremock                ^0.6.0             0.6.5    up to date

Security Vulnerabilities

tracing-subscriber: Logging user input may result in poisoning logs with ANSI escape sequences

RUSTSEC-2025-0055

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal; however, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #3368 to escape ANSI control characters from user input.

ammonia: Incorrect handling of embedded SVG and MathML leads to mutation XSS after removal

RUSTSEC-2025-0071

Affected versions of this crate did not correctly strip namespace-incompatible tags in certain situations, causing it to incorrectly account for differences between HTML, SVG, and MathML.

This vulnerability only has an effect when the svg or math tag is allowed, because it relies on a tag being parsed as HTML during the cleaning process, but serialized in a way that causes it to be parsed as XML by the browser.

Additionally, the application using this library must allow a tag that is parsed as raw text in HTML. These elements are:

  • title
  • textarea
  • xmp
  • iframe
  • noembed
  • noframes
  • plaintext
  • noscript
  • style
  • script

Applications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.