This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate leaf

Dependencies

(9 total, 5 outdated, 1 possibly insecure)

| Crate | Required | Latest | Status |
|---|---|---|---|
| collenchyma | ^0.0.8 | 0.0.8 | up to date |
| collenchyma-blas | ^0.2.0 | 0.2.0 | up to date |
| collenchyma-nn | ^0.3.2 | 0.3.4 | up to date |
| log | ^0.3.2 | 0.4.29 | out of date |
| rand | ^0.3.0 | 0.10.0 | out of date |
| num | ^0.1 | 0.4.3 | out of date |
| capnp ⚠️ | ^0.6.2 | 0.25.1 | out of date |
| timeit | ^0.1.2 | 0.1.2 | up to date |
| clippy | ^0.0.41 | 0.0.302 | out of date |

Dev dependencies

(1 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| env_logger | ^0.3 | 0.11.9 | out of date |

Build dependencies

(1 total, 1 outdated)

| Crate | Required | Latest | Status |
|---|---|---|---|
| capnpc | ^0.6.1 | 0.25.0 | out of date |

Security Vulnerabilities

capnp: out-of-bounds read possible when setting list-of-pointers

RUSTSEC-2022-0068

If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.

The C++ Cap'n Proto library is also affected by this bug. See the advisory on the main Cap'n Proto repo for a succinct description of the exact circumstances in which the problem can arise.

capnp: Unsound APIs of public `constant::Reader` and `StructSchema`

RUSTSEC-2025-0143

The safe API functions `constant::Reader::get` and `StructSchema::new` rely on `PointerReader::get_root_unchecked`, which can cause undefined behavior (UB) by constructing arbitrary words or schemas.

Reader::get

```rust
pub fn get(&self) -> Result<<T as Owned>::Reader<'static>> {
    // ...
    // UNSAFE: access `words` without validation
}
```

StructSchema::new

```rust
pub fn new(builder: RawBrandedStructSchema) -> StructSchema {
    // ...
    // UNSAFE: access encoded nodes without validation
}
```

This vulnerability allows safe Rust code to trigger UB, which violates Rust's safety guarantees.

The issue is resolved in version 0.24.0 by making the constructor functions unsafe and marking the fields of the struct as visible only within the crate.