This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate okh-tool

Dependencies

(30 total, 2 possibly insecure)

CrateRequiredLatestStatus
 chrono ⚠️^0.40.4.39maybe insecure
 clap^4.44.5.23up to date
 codify_hoijui^0.60.6.1up to date
 const_format^0.20.2.34up to date
 git-version^0.30.3.9up to date
 git2^0.190.19.0up to date
 jsonschema^0.260.26.2up to date
 lingua^1.61.6.2up to date
 log^0.40.4.22up to date
 num-derive^0.40.4.2up to date
 num-traits^0.20.2.19up to date
 once_cell^1.191.20.2up to date
 openssl-sys^0.90.9.104up to date
 projvar^0.190.19.6up to date
 regex^1.101.11.1up to date
 relative-path^1.91.9.3up to date
 reqwest^0.120.12.9up to date
 semver^1.01.0.24up to date
 serde^1.01.0.216up to date
 serde_json^1.01.0.134up to date
 serde_yaml^0.90.9.34+deprecatedup to date
 simplelog^0.120.12.2up to date
 spdx^0.100.10.7up to date
 strum^0.260.26.3up to date
 strum_macros^0.260.26.4up to date
 thiserror^2.02.0.9up to date
 toml^0.80.8.19up to date
 url^2.52.5.4up to date
 walkdir^2.42.5.0up to date
 yaml-rust ⚠️^0.40.4.5maybe insecure

Build dependencies

(5 total, all up-to-date)

CrateRequiredLatestStatus
 codify_hoijui^0.60.6.1up to date
 csv^1.31.3.1up to date
 regex^1.101.11.1up to date
 serde^1.01.0.216up to date
 thiserror^2.02.0.9up to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References