Deps.rs

swc_ecma_ast 20.0.1

[![dependency status](https://deps.rs/crate/swc_ecma_ast/20.0.1/status.svg)](https://deps.rs/crate/swc_ecma_ast/20.0.1)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate swc_ecma_ast

Dependencies

(18 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 arbitrary^11.4.2up to date
 bitflags^2.5.02.10.0up to date
 bytecheck^0.8.00.8.2up to date
 cbor4ii^1.21.2.2up to date
 is-macro^0.3.50.3.7up to date
 num-bigint^0.4.30.4.6up to date
 once_cell^1.19.01.21.3up to date
 phf^0.11.20.13.1out of date
 rancor^0.1.00.1.1up to date
 rkyv ⚠️^0.8.80.8.14maybe insecure
 rustc-hash^22.1.1up to date
 serde^1.0.2251.0.228up to date
 shrink-to-fit^0.2.10.2.10up to date
 string_enum^1.0.21.0.2up to date
 swc_atoms^9.0.09.0.0up to date
 swc_common^18.0.118.0.1up to date
 swc_visit^2.0.12.0.1up to date
 unicode-id-start^1.2.01.4.0up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 serde_json^1.0.1401.0.149up to date

Security Vulnerabilities

rkyv: Potential Undefined Behaviors in `Arc<T>`/`Rc<T>` impls of `from_value` on OOM

RUSTSEC-2026-0001

The SharedPointer::alloc implementation for sync::Arc<T> and rc::Rc<T> in rkyv/src/impls/alloc/rc/atomic.rs (and rc.rs) does not check if the allocator returns a null pointer on OOM (Out of Memory).

This null pointer can flow through to SharedPointer::from_value, which calls Box::from_raw(ptr) with the null pointer. This triggers undefined behavior when utilizing safe deserialization APIs (such as rkyv::from_bytes or rkyv::deserialize_using) if an OOM condition occurs during the allocation of the shared pointer.

The issue is reachable through safe code and violates Rust's safety guarantees.