apache / arrow-rs

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `arrow`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
rand	`^0.9`	`0.9.2`	up to date
half	`^2.1`	`2.6.0`	up to date

Dev dependencies

(6 total, all up-to-date)

Crate	Required	Latest	Status
criterion	`^0.6`	`0.6.0`	up to date
half	`^2.1`	`2.6.0`	up to date
rand	`^0.9`	`0.9.2`	up to date
serde	`^1.0`	`1.0.219`	up to date
memmap2	`^0.9.3`	`0.9.7`	up to date
bytes	`^1.9`	`1.10.1`	up to date

Crate `arrow-arith`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
num	`^0.4`	`0.4.3`	up to date

Crate `arrow-array`

Dependencies

(5 total, all up-to-date)

Crate	Required	Latest	Status
chrono-tz	`^0.10`	`0.10.4`	up to date
num	`^0.4.1`	`0.4.3`	up to date
half	`^2.1`	`2.6.0`	up to date
hashbrown	`^0.15.1`	`0.15.4`	up to date
ahash	`^0.8`	`0.8.12`	up to date

Dev dependencies

(2 total, 1 outdated)

Crate	Required	Latest	Status
rand	`^0.9`	`0.9.2`	up to date
criterion	`^0.5`	`0.6.0`	out of date

Crate `arrow-avro`

Dependencies

(9 total, all up-to-date)

Crate	Required	Latest	Status
serde_json	`^1.0`	`1.0.141`	up to date
serde	`^1.0.188`	`1.0.219`	up to date
flate2	`^1.0`	`1.1.2`	up to date
snap	`^1.0`	`1.1.1`	up to date
zstd	`^0.13`	`0.13.3`	up to date
bzip2	`^0.6.0`	`0.6.0`	up to date
xz	`^0.1`	`0.1.0`	up to date
crc	`^3.0`	`3.3.0`	up to date
uuid	`^1.17`	`1.17.0`	up to date

Dev dependencies

(6 total, all up-to-date)

Crate	Required	Latest	Status
rand	`^0.9.1`	`0.9.2`	up to date
criterion	`^0.6.0`	`0.6.0`	up to date
tempfile	`^3.3`	`3.20.0`	up to date
futures	`^0.3.31`	`0.3.31`	up to date
bytes	`^1.10.1`	`1.10.1`	up to date
async-stream	`^0.3.6`	`0.3.6`	up to date

Crate `arrow-buffer`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
bytes	`^1.4`	`1.10.1`	up to date
num	`^0.4`	`0.4.3`	up to date
half	`^2.1`	`2.6.0`	up to date

Dev dependencies

(2 total, 1 outdated)

Crate	Required	Latest	Status
criterion	`^0.5`	`0.6.0`	out of date
rand	`^0.9`	`0.9.2`	up to date

Crate `arrow-cast`

Dependencies

(7 total, all up-to-date)

Crate	Required	Latest	Status
half	`^2.1`	`2.6.0`	up to date
num	`^0.4`	`0.4.3`	up to date
lexical-core	`^1.0`	`1.0.5`	up to date
atoi	`^2.0.0`	`2.0.0`	up to date
comfy-table	`^7.0`	`7.1.4`	up to date
base64	`^0.22`	`0.22.1`	up to date
ryu	`^1.0.16`	`1.0.20`	up to date

Dev dependencies

(3 total, 1 outdated)

Crate	Required	Latest	Status
criterion	`^0.5`	`0.6.0`	out of date
half	`^2.1`	`2.6.0`	up to date
rand	`^0.9`	`0.9.2`	up to date

Crate `arrow-csv`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
csv	`^1.1`	`1.3.1`	up to date
csv-core	`^0.1`	`0.1.12`	up to date
regex	`^1.7.0`	`1.11.1`	up to date

Dev dependencies

(4 total, all up-to-date)

Crate	Required	Latest	Status
tempfile	`^3.3`	`3.20.0`	up to date
futures	`^0.3`	`0.3.31`	up to date
tokio	`^1.27`	`1.46.1`	up to date
bytes	`^1.4`	`1.10.1`	up to date

Crate `arrow-data`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
num	`^0.4`	`0.4.3`	up to date
half	`^2.1`	`2.6.0`	up to date

Crate `arrow-flight`

Dependencies

(13 total, 2 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
base64	`^0.22`	`0.22.1`	up to date
bytes	`^1`	`1.10.1`	up to date
futures	`^0.3`	`0.3.31`	up to date
once_cell	`^1`	`1.21.3`	up to date
paste	`^1.0`	`1.0.15`	up to date
prost	`^0.13.1`	`0.14.1`	out of date
prost-types	`^0.13.1`	`0.14.1`	out of date
tokio ⚠️	`^1.0`	`1.46.1`	maybe insecure
tonic	`^0.13`	`0.13.1`	up to date
anyhow	`^1.0`	`1.0.98`	up to date
clap	`^4.4.6`	`4.5.41`	up to date
tracing-log	`^0.2`	`0.2.0`	up to date
tracing-subscriber	`^0.3.1`	`0.3.19`	up to date

Dev dependencies

(12 total, 1 possibly insecure)

Crate	Required	Latest	Status
assert_cmd	`^2.0.8`	`2.0.17`	up to date
http	`^1.1.0`	`1.3.1`	up to date
http-body	`^1.0.0`	`1.0.1`	up to date
hyper-util	`^0.1`	`0.1.15`	up to date
pin-project-lite	`^0.2`	`0.2.16`	up to date
tempfile	`^3.3`	`3.20.0`	up to date
tracing-log	`^0.2`	`0.2.0`	up to date
tracing-subscriber	`^0.3.1`	`0.3.19`	up to date
tokio ⚠️	`^1.0`	`1.46.1`	maybe insecure
tokio-stream	`^0.1`	`0.1.17`	up to date
tower	`^0.5.0`	`0.5.2`	up to date
uuid	`^1.10.0`	`1.17.0`	up to date

Crate `gen`

Dependencies

(2 total, 1 outdated)

Crate	Required	Latest	Status
prost-build	`=0.13.5`	`0.14.1`	out of date
tonic-build	`=0.13.1`	`0.13.1`	up to date

Crate `arrow-integration-test`

Dependencies

(4 total, all up-to-date)

Crate	Required	Latest	Status
hex	`^0.4`	`0.4.3`	up to date
serde	`^1.0`	`1.0.219`	up to date
serde_json	`^1.0`	`1.0.141`	up to date
num	`^0.4`	`0.4.3`	up to date

Crate `arrow-integration-testing`

Dependencies

(9 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
clap	`^4`	`4.5.41`	up to date
futures	`^0.3`	`0.3.31`	up to date
prost	`^0.13`	`0.14.1`	out of date
serde	`^1.0`	`1.0.219`	up to date
serde_json	`^1.0`	`1.0.141`	up to date
tokio ⚠️	`^1.0`	`1.46.1`	maybe insecure
tonic	`^0.13`	`0.13.1`	up to date
tracing-subscriber	`^0.3.1`	`0.3.19`	up to date
flate2	`^1`	`1.1.2`	up to date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
tempfile	`^3`	`3.20.0`	up to date

Crate `arrow-ipc`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
flatbuffers	`^25.2.10`	`25.2.10`	up to date
lz4_flex	`^0.11`	`0.11.5`	up to date
zstd	`^0.13.0`	`0.13.3`	up to date

Dev dependencies

(5 total, 1 outdated)

Crate	Required	Latest	Status
criterion	`^0.5.1`	`0.6.0`	out of date
tempfile	`^3.3`	`3.20.0`	up to date
tokio	`^1.43.0`	`1.46.1`	up to date
memmap2	`^0.9.3`	`0.9.7`	up to date
bytes	`^1.9`	`1.10.1`	up to date

Crate `arrow-json`

Dependencies

(7 total, all up-to-date)

Crate	Required	Latest	Status
half	`^2.1`	`2.6.0`	up to date
indexmap	`^2.0`	`2.10.0`	up to date
num	`^0.4`	`0.4.3`	up to date
serde	`^1.0`	`1.0.219`	up to date
serde_json	`^1.0`	`1.0.141`	up to date
lexical-core	`^1.0`	`1.0.5`	up to date
memchr	`^2.7.4`	`2.7.5`	up to date

Dev dependencies

(7 total, 1 outdated)

Crate	Required	Latest	Status
flate2	`^1`	`1.1.2`	up to date
serde	`^1.0`	`1.0.219`	up to date
futures	`^0.3`	`0.3.31`	up to date
tokio	`^1.27`	`1.46.1`	up to date
bytes	`^1.4`	`1.10.1`	up to date
criterion	`^0.5`	`0.6.0`	out of date
rand	`^0.9`	`0.9.2`	up to date

Crate `arrow-ord`

Dev dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
half	`^2.1`	`2.6.0`	up to date
rand	`^0.9`	`0.9.2`	up to date

Crate `arrow-pyarrow`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
pyo3	`^0.25.1`	`0.25.1`	up to date

Crate `arrow-row`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
half	`^2.1`	`2.6.0`	up to date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
rand	`^0.9`	`0.9.2`	up to date

Crate `arrow-schema`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
serde	`^1.0`	`1.0.219`	up to date
bitflags	`^2.0.0`	`2.9.1`	up to date
serde_json	`^1.0`	`1.0.141`	up to date

Dev dependencies

(2 total, 2 outdated)

Crate	Required	Latest	Status
bincode	`^1.3.3`	`2.0.1`	out of date
criterion	`^0.5`	`0.6.0`	out of date

Crate `arrow-select`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
num	`^0.4`	`0.4.3`	up to date
ahash	`^0.8`	`0.8.12`	up to date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
rand	`^0.9`	`0.9.2`	up to date

Crate `arrow-string`

Dependencies

(4 total, all up-to-date)

Crate	Required	Latest	Status
regex	`^1.7.0`	`1.11.1`	up to date
regex-syntax	`^0.8.0`	`0.8.5`	up to date
num	`^0.4`	`0.4.3`	up to date
memchr	`^2.7.4`	`2.7.5`	up to date

Crate `parquet`

Dependencies

(24 total, 3 possibly insecure)

Crate	Required	Latest	Status
object_store	`^0.12.0`	`0.12.3`	up to date
bytes	`^1.1`	`1.10.1`	up to date
thrift	`^0.17`	`0.17.0`	up to date
snap	`^1.0`	`1.1.1`	up to date
brotli	`^8.0`	`8.0.1`	up to date
flate2	`^1.1`	`1.1.2`	up to date
lz4_flex	`^0.11`	`0.11.5`	up to date
zstd	`^0.13`	`0.13.3`	up to date
num	`^0.4`	`0.4.3`	up to date
num-bigint	`^0.4`	`0.4.6`	up to date
base64	`^0.22`	`0.22.1`	up to date
clap	`^4.1`	`4.5.41`	up to date
serde	`^1.0`	`1.0.219`	up to date
serde_json	`^1.0`	`1.0.141`	up to date
seq-macro	`^0.3`	`0.3.6`	up to date
futures	`^0.3`	`0.3.31`	up to date
tokio ⚠️	`^1.0`	`1.46.1`	maybe insecure
hashbrown ⚠️	`^0.15`	`0.15.4`	maybe insecure
twox-hash	`^2.0`	`2.1.1`	up to date
paste	`^1.0`	`1.0.15`	up to date
half	`^2.1`	`2.6.0`	up to date
crc32fast	`^1.4.2`	`1.5.0`	up to date
ring ⚠️	`^0.17`	`0.17.14`	maybe insecure
ahash	`^0.8`	`0.8.12`	up to date

Dev dependencies

(13 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
base64	`^0.22`	`0.22.1`	up to date
criterion	`^0.5`	`0.6.0`	out of date
snap	`^1.0`	`1.1.1`	up to date
tempfile	`^3.0`	`3.20.0`	up to date
brotli	`^8.0`	`8.0.1`	up to date
flate2	`^1.0`	`1.1.2`	up to date
lz4_flex	`^0.11`	`0.11.5`	up to date
zstd	`^0.13`	`0.13.3`	up to date
serde_json	`^1.0`	`1.0.141`	up to date
tokio ⚠️	`^1.0`	`1.46.1`	maybe insecure
rand	`^0.9`	`0.9.2`	up to date
object_store	`^0.12.0`	`0.12.3`	up to date
sysinfo	`^0.36.0`	`0.36.1`	up to date

Crate `parquet-variant`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
indexmap	`^2.10.0`	`2.10.0`	up to date

Dev dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
paste	`^1.0`	`1.0.15`	up to date
criterion	`^0.6`	`0.6.0`	up to date
rand	`^0.9`	`0.9.2`	up to date

Crate `parquet-variant-compute`

Dev dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
rand	`^0.9.1`	`0.9.2`	up to date
criterion	`^0.6`	`0.6.0`	up to date

Crate `parquet-variant-json`

Dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
serde_json	`^1.0`	`1.0.141`	up to date
base64	`^0.22`	`0.22.1`	up to date

Crate `parquet_derive`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
proc-macro2	`^1.0`	`1.0.95`	up to date
quote	`^1.0`	`1.0.40`	up to date
syn	`^2.0`	`2.0.104`	up to date

Crate `parquet_derive_test`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
uuid	`^1`	`1.17.0`	up to date

Security Vulnerabilities

`tokio`: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

`hashbrown`: Borsh serialization of HashMap is non-canonical

RUSTSEC-2024-0402

The borsh serialization of the HashMap did not follow the borsh specification. It potentially produced non-canonical encodings dependent on insertion order. It also did not perform canonicty checks on decoding.

This can result in consensus splits and cause equivalent objects to be considered distinct.

This was patched in 0.15.1.

`ring`: Some AES functions may panic when overflow checking is enabled.

RUSTSEC-2025-0009

ring::aead::quic::HeaderProtectionKey::new_mask() may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this panic by sending a specially-crafted packet. Even unintentionally it is likely to occur in 1 out of every 2**32 packets sent and/or received.

On 64-bit targets operations using ring::aead::{AES_128_GCM, AES_256_GCM} may panic when overflow checking is enabled, when encrypting/decrypting approximately 68,719,476,700 bytes (about 64 gigabytes) of data in a single chunk. Protocols like TLS and SSH are not affected by this because those protocols break large amounts of data into small chunks. Similarly, most applications will not attempt to encrypt/decrypt 64GB of data in one chunk.

Overflow checking is not enabled in release mode by default, but RUSTFLAGS="-C overflow-checks" or overflow-checks = true in the Cargo.toml profile can override this. Overflow checking is usually enabled by default in debug mode.

apache / arrow-rs

Crate arrow

Dependencies

Dev dependencies

Crate arrow-arith

Dependencies

Crate arrow-array

Dependencies

Dev dependencies

Crate arrow-avro

Dependencies

Dev dependencies

Crate arrow-buffer

Dependencies

Dev dependencies

Crate arrow-cast

Dependencies

Dev dependencies

Crate arrow-csv

Dependencies

Dev dependencies

Crate arrow-data

Dependencies

Crate arrow-flight

Dependencies

Dev dependencies

Crate gen

Dependencies

Crate arrow-integration-test

Dependencies

Crate arrow-integration-testing

Dependencies

Dev dependencies

Crate arrow-ipc

Dependencies

Dev dependencies

Crate arrow-json

Dependencies

Dev dependencies

Crate arrow-ord

Dev dependencies

Crate arrow-pyarrow

Dependencies

Crate arrow-row

Dependencies

Dev dependencies

Crate arrow-schema

Dependencies

Dev dependencies

Crate arrow-select

Dependencies

Dev dependencies

Crate arrow-string

Dependencies

Crate parquet

Dependencies

Dev dependencies

Crate parquet-variant

Dependencies

Dev dependencies

Crate parquet-variant-compute

Dev dependencies

Crate parquet-variant-json

Dependencies

Crate parquet_derive

Dependencies

Crate parquet_derive_test

Dependencies

Security Vulnerabilities

tokio: reject_remote_clients Configuration corruption

Workarounds

hashbrown: Borsh serialization of HashMap is non-canonical

ring: Some AES functions may panic when overflow checking is enabled.

Crate `arrow`

Crate `arrow-arith`

Crate `arrow-array`

Crate `arrow-avro`

Crate `arrow-buffer`

Crate `arrow-cast`

Crate `arrow-csv`

Crate `arrow-data`

Crate `arrow-flight`

Crate `gen`

Crate `arrow-integration-test`

Crate `arrow-integration-testing`

Crate `arrow-ipc`

Crate `arrow-json`

Crate `arrow-ord`

Crate `arrow-pyarrow`

Crate `arrow-row`

Crate `arrow-schema`

Crate `arrow-select`

Crate `arrow-string`

Crate `parquet`

Crate `parquet-variant`

Crate `parquet-variant-compute`

Crate `parquet-variant-json`

Crate `parquet_derive`

Crate `parquet_derive_test`

`tokio`: reject_remote_clients Configuration corruption

`hashbrown`: Borsh serialization of HashMap is non-canonical

`ring`: Some AES functions may panic when overflow checking is enabled.