Deps.rs

swc_common 19.0.0

[![dependency status](https://deps.rs/crate/swc_common/19.0.0/status.svg)](https://deps.rs/crate/swc_common/19.0.0)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate swc_common

Dependencies

(26 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.0.981.0.102up to date
 arbitrary^11.4.2up to date
 ast_node^5.0.05.0.0up to date
 better_scoped_tls^1.0.11.0.1up to date
 bytecheck^0.8.00.8.2up to date
 bytes-str^0.2.50.2.7up to date
 cbor4ii^1.21.2.2up to date
 either^1.10.01.15.0up to date
 from_variant^3.0.03.0.0up to date
 num-bigint^0.4.30.4.6up to date
 once_cell^1.19.01.21.4up to date
 parking_lot^0.12.10.12.5up to date
 rancor^0.1.00.1.1up to date
 rkyv ⚠️^0.8.80.8.15maybe insecure
 rustc-hash^22.1.1up to date
 serde^1.0.2251.0.228up to date
 shrink-to-fit^0.2.10.2.10up to date
 siphasher^0.3.91.0.2out of date
 swc_atoms^9.0.09.0.0up to date
 swc_eq_ignore_macros^1.0.11.0.1up to date
 swc_sourcemap^10.0.010.0.2up to date
 swc_visit^2.0.12.0.1up to date
 termcolor^1.01.4.1up to date
 tracing^0.1.410.1.44up to date
 unicode-width^0.2.10.2.2up to date
 url^2.5.42.5.8up to date

Dev dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 par-iter^2.0.02.0.0up to date
 serde_json^1.0.1401.0.149up to date

Security Vulnerabilities

rkyv: Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM

RUSTSEC-2026-0001

The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T> in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the allocator returns a null pointer on OOM (Out of Memory).

This null pointer can flow through to SharedPointer::from_value, which calls Box::from_raw(ptr) with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs during the allocation of the shared pointer.

The issue is reachable through safe code and violates Rust's safety guarantees.