Ashutosh0x / rust-finance

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `common`

Dependencies

(12 total, 2 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.228`	up to date
zeroize	`^1`	`1.8.2`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
thiserror	`^1.0`	`2.0.18`	out of date
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure
tokio	`^1.35`	`1.51.0`	up to date
dotenvy	`^0.15`	`0.15.7`	up to date
envy	`^0.4`	`0.4.2`	up to date
tracing	`^0.1`	`0.1.44`	up to date
postcard	`^1.0`	`1.1.3`	up to date
compact_str	`^0.8`	`0.9.0`	out of date

Crate `ingestion`

Dependencies

(13 total, 4 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
tokio	`^1.35`	`1.51.0`	up to date
async-trait	`^0.1`	`0.1.89`	up to date
async-stream	`^0.3`	`0.3.6`	up to date
futures	`^0.3`	`0.3.32`	up to date
tokio-tungstenite	`^0.20`	`0.29.0`	out of date
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
compact_str	`^0.8`	`0.9.0`	out of date
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure
thiserror	`^1.0`	`2.0.18`	out of date
anyhow	`^1.0`	`1.0.102`	up to date
tracing	`^0.1`	`0.1.44`	up to date
reqwest	`^0.11`	`0.13.2`	out of date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
tokio	`^1.35`	`1.51.0`	up to date

Crate `feature`

Dependencies

(3 total, 1 outdated)

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.228`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
dashmap	`^5.5`	`6.1.0`	out of date

Crate `strategy`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.228`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
tracing	`^0.1`	`0.1.44`	up to date

Crate `model`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
anyhow	`^1.0`	`1.0.102`	up to date
tracing	`^0.1`	`0.1.44`	up to date

Crate `risk`

Dependencies

(2 total, 1 outdated)

Crate	Required	Latest	Status
compact_str	`^0.8`	`0.9.0`	out of date
tracing	`^0.1`	`0.1.44`	up to date

Crate `daemon`

Dependencies

(13 total, 2 outdated, 2 possibly insecure)

Crate	Required	Latest	Status
dotenvy	`^0.15`	`0.15.7`	up to date
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure
rand	`^0.8`	`0.10.0`	out of date
tokio	`^1.35`	`1.51.0`	up to date
async-trait	`^0.1`	`0.1.89`	up to date
futures	`^0.3`	`0.3.32`	up to date
tracing	`^0.1`	`0.1.44`	up to date
tracing-subscriber ⚠️	`^0.3`	`0.3.23`	maybe insecure
serde	`^1`	`1.0.228`	up to date
serde_json	`^1`	`1.0.149`	up to date
compact_str	`^0.8`	`0.9.0`	out of date
anyhow	`^1.0`	`1.0.102`	up to date
clap	`^4.4`	`4.6.0`	up to date

Crate `event_bus`

Dependencies

(7 total, all up-to-date)

Crate	Required	Latest	Status
tokio	`^1.35`	`1.51.0`	up to date
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
tracing	`^0.1`	`0.1.44`	up to date
tokio-retry	`^0.3.0`	`0.3.0`	up to date
postcard	`^1.0`	`1.1.3`	up to date

Crate `cli`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
clap	`^4.4`	`4.6.0`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
tokio	`^1.35`	`1.51.0`	up to date

Crate `tui`

Dependencies

(11 total, 3 outdated)

Crate	Required	Latest	Status
ratatui	`^0.29`	`0.30.0`	out of date
crossterm	`^0.27`	`0.29.0`	out of date
anyhow	`^1.0`	`1.0.102`	up to date
tokio	`^1.35`	`1.51.0`	up to date
zeroize	`^1`	`1.8.2`	up to date
dotenvy	`^0.15`	`0.15.7`	up to date
compact_str	`^0.8`	`0.9.0`	out of date
postcard	`^1.0`	`1.1.3`	up to date
crossbeam-channel	`^0.5`	`0.5.15`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
tokio-retry	`^0.3.0`	`0.3.0`	up to date

Crate `web`

Dependencies

(7 total, 1 outdated, 2 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1`	`1.51.0`	maybe insecure
axum	`^0.7`	`0.8.8`	out of date
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
tracing	`^0.1`	`0.1.44`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
tracing-subscriber ⚠️	`^0.3`	`0.3.23`	maybe insecure

Crate `web-dashboard`

Dependencies

(9 total, 2 outdated, 3 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1`	`1.51.0`	maybe insecure
axum	`^0.7`	`0.8.8`	out of date
tokio-tungstenite	`^0.20`	`0.29.0`	out of date
futures	`^0.3`	`0.3.32`	up to date
serde	`^1`	`1.0.228`	up to date
serde_json	`^1`	`1.0.149`	up to date
tracing	`^0.1`	`0.1.44`	up to date
tracing-subscriber ⚠️	`^0.3`	`0.3.23`	maybe insecure
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure

Crate `dashboard`

Dependencies

(7 total, 2 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1.0`	`1.51.0`	maybe insecure
ratatui	`^0.26`	`0.30.0`	out of date
crossterm	`^0.27`	`0.29.0`	out of date
tracing	`^0.1`	`0.1.44`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date

Crate `tests`

Dev dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
tokio	`^1.35`	`1.51.0`	up to date
anyhow	`^1.0`	`1.0.102`	up to date

Crate `persistence`

Dependencies

(11 total, 4 outdated, 2 possibly insecure)

Crate	Required	Latest	Status
serde	`>=1.0.228`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure
anyhow	`^1.0`	`1.0.102`	up to date
tokio ⚠️	`^1`	`1.51.0`	maybe insecure
sqlx-core	`^0.7.4`	`0.8.6`	out of date
sqlx-postgres	`^0.7.4`	`0.8.6`	out of date
sqlx-sqlite	`^0.7.4`	`0.8.6`	out of date
uuid	`^1.0`	`1.23.0`	up to date
redis	`^0.26`	`1.2.0`	out of date
tracing	`^0.1`	`0.1.44`	up to date

Crate `ai`

Dependencies

(10 total, 4 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1.0`	`1.51.0`	maybe insecure
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
reqwest	`^0.11`	`0.13.2`	out of date
tracing	`^0.1`	`0.1.44`	up to date
anyhow	`^1.0`	`1.0.102`	up to date
thiserror	`^1.0`	`2.0.18`	out of date
chumsky	`^0.9`	`0.12.0`	out of date
schemars	`^1.2.1`	`1.2.1`	up to date
jsonschema	`^0.17`	`0.45.0`	out of date

Crate `ml`

No external dependencies! 🙌

Crate `backtest`

Dependencies

(1 total, 1 possibly insecure)

Crate	Required	Latest	Status
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure

Crate `compliance`

Dependencies

(5 total, 2 outdated)

Crate	Required	Latest	Status
sha2	`^0.10`	`0.11.0`	out of date
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
tracing	`^0.1`	`0.1.44`	up to date
thiserror	`^1.0`	`2.0.18`	out of date

Crate `execution`

Dependencies

(4 total, 1 outdated)

Crate	Required	Latest	Status
async-trait	`^0.1`	`0.1.89`	up to date
compact_str	`^0.8`	`0.9.0`	out of date
anyhow	`^1.0`	`1.0.102`	up to date
tracing	`^0.1`	`0.1.44`	up to date

Crate `alerts`

Dependencies

(5 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date
tokio ⚠️	`^1.0`	`1.51.0`	maybe insecure
reqwest	`^0.12`	`0.13.2`	out of date
tracing	`^0.1`	`0.1.44`	up to date

Crate `signals`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
tracing	`^0.1`	`0.1.44`	up to date

Crate `pricing`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
tracing	`^0.1`	`0.1.44`	up to date

Crate `metrics_lib`

Dependencies

(3 total, 2 outdated)

Crate	Required	Latest	Status
metrics	`^0.23`	`0.24.3`	out of date
metrics-exporter-prometheus	`^0.15`	`0.18.1`	out of date
tracing	`^0.1.40`	`0.1.44`	up to date

Crate `fix`

Dependencies

(4 total, 1 outdated, 2 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1`	`1.51.0`	maybe insecure
tracing	`^0.1`	`0.1.44`	up to date
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure
thiserror	`^1.0`	`2.0.18`	out of date

Crate `oms`

No external dependencies! 🙌

Crate `swarm_sim`

Dependencies

(5 total, 3 outdated)

Crate	Required	Latest	Status
rayon	`^1.10`	`1.11.0`	up to date
rand	`^0.8`	`0.10.0`	out of date
anyhow	`^1.0`	`1.0.102`	up to date
rand_distr	`^0.4`	`0.6.0`	out of date
statrs	`^0.16`	`0.18.0`	out of date

Dev dependencies

(3 total, 1 outdated)

Crate	Required	Latest	Status
tokio-test	`^0.4`	`0.4.5`	up to date
approx	`^0.5`	`0.5.1`	up to date
criterion	`^0.5`	`0.8.2`	out of date

Crate `knowledge_graph`

Dependencies

(7 total, 1 outdated, 2 possibly insecure)

Crate	Required	Latest	Status
petgraph	`^0.6`	`0.8.3`	out of date
serde	`^1`	`1.0.228`	up to date
serde_json	`^1`	`1.0.149`	up to date
tokio ⚠️	`^1`	`1.51.0`	maybe insecure
tracing	`^0.1`	`0.1.44`	up to date
chrono ⚠️	`^0.4`	`0.4.44`	maybe insecure
anyhow	`^1`	`1.0.102`	up to date

Crate `polymarket`

Dependencies

(15 total, 4 outdated)

Crate	Required	Latest	Status
reqwest	`^0.12`	`0.13.2`	out of date
tokio-tungstenite	`^0.21`	`0.29.0`	out of date
futures-util	`^0.3`	`0.3.32`	up to date
ethers-core	`^2.0`	`2.0.14`	up to date
ethers-signers	`^2.0`	`2.0.14`	up to date
rust_decimal	`^1.36`	`1.41.0`	up to date
rust_decimal_macros	`^1.36`	`1.40.0`	up to date
hmac	`^0.12`	`0.13.0`	out of date
sha2	`^0.10`	`0.11.0`	out of date
base64	`^0.22`	`0.22.1`	up to date
hex	`^0.4`	`0.4.3`	up to date
url	`^2`	`2.5.8`	up to date
dotenvy	`^0.15`	`0.15.7`	up to date
envy	`^0.4`	`0.4.2`	up to date
anyhow	`^1.0`	`1.0.102`	up to date

Crate `benchmarks`

Dev dependencies

(7 total, 2 outdated)

Crate	Required	Latest	Status
criterion	`^0.5`	`0.8.2`	out of date
hdrhistogram	`^7.5`	`7.5.4`	up to date
iai	`^0.1`	`0.1.1`	up to date
dhat	`^0.3`	`0.3.3`	up to date
rand	`^0.8`	`0.10.0`	out of date
serde	`^1.0`	`1.0.228`	up to date
serde_json	`^1.0`	`1.0.149`	up to date

Security Vulnerabilities

`chrono`: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

time-rs/time#293

`tokio`: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

`tracing-subscriber`: Logging user input may result in poisoning logs with ANSI escape sequences

RUSTSEC-2025-0055

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

Manipulate terminal title bars
Clear screens or modify terminal display
Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #3368 to escape ANSI control characters from user input.

Ashutosh0x / rust-finance

Crate common

Dependencies

Crate ingestion

Dependencies

Dev dependencies

Crate feature

Dependencies

Crate strategy

Dependencies

Crate model

Dependencies

Crate risk

Dependencies

Crate daemon

Dependencies

Crate event_bus

Dependencies

Crate cli

Dependencies

Crate tui

Dependencies

Crate web

Dependencies

Crate web-dashboard

Dependencies

Crate dashboard

Dependencies

Crate tests

Dev dependencies

Crate persistence

Dependencies

Crate ai

Dependencies

Crate ml

Crate backtest

Dependencies

Crate compliance

Dependencies

Crate execution

Dependencies

Crate alerts

Dependencies

Crate signals

Dependencies

Crate pricing

Dependencies

Crate metrics_lib

Dependencies

Crate fix

Dependencies

Crate oms

Crate swarm_sim

Dependencies

Dev dependencies

Crate knowledge_graph

Dependencies

Crate polymarket

Dependencies

Crate benchmarks

Dev dependencies

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

Impact

Workarounds

References

tokio: reject_remote_clients Configuration corruption

Workarounds

tracing-subscriber: Logging user input may result in poisoning logs with ANSI escape sequences

Crate `common`

Crate `ingestion`

Crate `feature`

Crate `strategy`

Crate `model`

Crate `risk`

Crate `daemon`

Crate `event_bus`

Crate `cli`

Crate `tui`

Crate `web`

Crate `web-dashboard`

Crate `dashboard`

Crate `tests`

Crate `persistence`

Crate `ai`

Crate `ml`

Crate `backtest`

Crate `compliance`

Crate `execution`

Crate `alerts`

Crate `signals`

Crate `pricing`

Crate `metrics_lib`

Crate `fix`

Crate `oms`

Crate `swarm_sim`

Crate `knowledge_graph`

Crate `polymarket`

Crate `benchmarks`

`chrono`: Potential segfault in `localtime_r` invocations

`tokio`: reject_remote_clients Configuration corruption

`tracing-subscriber`: Logging user input may result in poisoning logs with ANSI escape sequences