This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate okh-tool

Dependencies

(30 total, 4 outdated, 2 possibly insecure)

| Crate          | Required | Latest            | Status         |
|----------------|----------|-------------------|----------------|
| chrono ⚠️      | ^0.4     | 0.4.38            | maybe insecure |
| clap           | ^4.4     | 4.5.4             | up to date     |
| codify_hoijui  | ^0.6     | 0.6.0             | up to date     |
| const_format   | ^0.2     | 0.2.32            | up to date     |
| git-version    | ^0.3     | 0.3.9             | up to date     |
| git2           | ^0.18    | 0.18.3            | up to date     |
| jsonschema     | ^0.17    | 0.18.0            | out of date    |
| lingua         | ^1.6     | 1.6.2             | up to date     |
| log            | ^0.4     | 0.4.21            | up to date     |
| num-derive     | ^0.4     | 0.4.2             | up to date     |
| num-traits     | ^0.2     | 0.2.19            | up to date     |
| once_cell      | ^1.19    | 1.19.0            | up to date     |
| openssl-sys    | ^0.9     | 0.9.102           | up to date     |
| projvar        | ^0.19    | 0.19.2            | up to date     |
| regex          | ^1.10    | 1.10.4            | up to date     |
| relative-path  | ^1.9     | 1.9.3             | up to date     |
| reqwest        | ^0.11    | 0.12.4            | out of date    |
| semver         | ^1.0     | 1.0.23            | up to date     |
| serde          | ^1.0     | 1.0.201           | up to date     |
| serde_json     | ^1.0     | 1.0.117           | up to date     |
| serde_yaml     | ^0.9     | 0.9.34+deprecated | up to date     |
| simplelog      | ^0.12    | 0.12.2            | up to date     |
| spdx           | ^0.10    | 0.10.4            | up to date     |
| strum          | ^0.25    | 0.26.2            | out of date    |
| strum_macros   | ^0.25    | 0.26.2            | out of date    |
| thiserror      | ^1.0     | 1.0.60            | up to date     |
| toml           | ^0.8     | 0.8.12            | up to date     |
| url            | ^2.5     | 2.5.0             | up to date     |
| walkdir        | ^2.4     | 2.5.0             | up to date     |
| yaml-rust ⚠️   | ^0.4     | 0.4.5             | maybe insecure |

Build dependencies

(5 total, all up-to-date)

| Crate         | Required | Latest  | Status     |
|---------------|----------|---------|------------|
| codify_hoijui | ^0.6     | 0.6.0   | up to date |
| csv           | ^1.3     | 1.3.0   | up to date |
| regex         | ^1.10    | 1.10.4  | up to date |
| serde         | ^1.0     | 1.0.201 | up to date |
| thiserror     | ^1.0     | 1.0.60  | up to date |

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted: it is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References