This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate syntect

Dependencies

(15 total, 1 outdated, 1 insecure)

Crate          Required  Latest    Status
bincode        ^1.0      1.3.3     up to date
bitflags       ^1.0.4    1.2.1     up to date
fancy-regex    ^0.3.2    0.7.1     out of date
flate2         ^1.0      1.0.20    up to date
fnv            ^1.0      1.0.7     up to date
lazy_static    ^1.0      1.4.0     up to date
lazycell       ^1.0      1.3.0     up to date
onig           ^6.0      6.2.0     up to date
plist          ^1        1.2.0     up to date
regex-syntax   ^0.6      0.6.25    up to date
serde          ^1.0      1.0.127   up to date
serde_derive   ^1.0      1.0.127   up to date
serde_json     ^1.0      1.0.66    up to date
walkdir        ^2.0      2.3.2     up to date
yaml-rust      ^0.4      0.4.5     insecure

Dev dependencies

(5 total, 1 outdated)

Crate              Required  Latest   Status
criterion          ^0.3      0.3.5    up to date
getopts            ^0.2      0.2.21   up to date
pretty_assertions  ^0.6      0.7.2    out of date
rayon              ^1.0.0    1.5.1    up to date
regex              ^1.0      1.5.4    up to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - it is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).