This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate deno_bench_util

Dependencies

(3 total, all up-to-date)

Crate      Required   Latest   Status
bencher    ^0.1       0.1.5    up to date
once_cell  ^1.10.0    1.15.0   up to date
tokio      ^1.21      1.21.2   up to date

Crate deno

Dependencies

(58 total, 9 outdated)

Crate                     Required   Latest              Status
deno_ast                  ^0.19.0    0.19.0              up to date
deno_doc                  ^0.46.0    0.46.0              up to date
deno_emit                 ^0.9.0     0.9.0               up to date
deno_graph                ^0.34.0    0.34.0              up to date
deno_lint                 ^0.33.0    0.33.0              up to date
deno_task_shell           ^0.5.2     0.5.2               up to date
atty                      =0.2.14    0.2.14              up to date
base64                    =0.13.0    0.13.0              up to date
cache_control             =0.2.0     0.2.0               up to date
chrono                    =0.4.22    0.4.22              up to date
clap                      =3.1.12    3.2.22              out of date
clap_complete             =3.1.2     3.2.5               out of date
clap_complete_fig         =3.1.5     3.2.4               out of date
data-url                  =0.1.1     0.2.0               out of date
dissimilar                =1.0.4     1.0.4               up to date
dprint-plugin-json        =0.15.6    0.15.6              up to date
dprint-plugin-markdown    =0.14.1    0.14.1              up to date
dprint-plugin-typescript  =0.74.0    0.74.0              up to date
encoding_rs               =0.8.31    0.8.31              up to date
env_logger                =0.9.0     0.9.1               out of date
eszip                     =0.28.0    0.28.0              up to date
fancy-regex               =0.10.0    0.10.0              up to date
flate2                    =1.0.24    1.0.24              up to date
http                      =0.2.8     0.2.8               up to date
import_map                =0.12.1    0.12.1              up to date
indexmap                  =1.9.1     1.9.1               up to date
indicatif                 =0.17.1    0.17.1              up to date
jsonc-parser              =0.21.0    0.21.0              up to date
libc                      =0.2.126   0.2.133             out of date
log                       =0.4.17    0.4.17              up to date
mitata                    =0.0.7     0.0.7               up to date
monch                     =0.2.0     0.2.0               up to date
notify                    =5.0.0     5.0.0               up to date
once_cell                 =1.14.0    1.15.0              out of date
os_pipe                   =1.0.1     1.0.1               up to date
percent-encoding          =2.2.0     2.2.0               up to date
pin-project               ^1.0.11    1.0.12              up to date
rand                      =0.8.5     0.8.5               up to date
regex                     =1.6.0     1.6.0               up to date
ring                      =0.16.20   0.16.20             up to date
rustyline                 =10.0.0    10.0.0              up to date
rustyline-derive          =0.7.0     0.7.0               up to date
tempfile                  =3.3.0     3.3.0               up to date
semver                    =1.0.14    1.0.14              up to date
serde                     =1.0.144   1.0.145             out of date
serde_repr                =0.1.9     0.1.9               up to date
shell-escape              =0.1.5     0.1.5               up to date
tar                       =0.4.38    0.4.38              up to date
text-size                 =1.1.0     1.1.0               up to date
text_lines                =0.6.0     0.6.0               up to date
tokio                     =1.21.1    1.21.2              out of date
tokio-util                =0.7.4     0.7.4               up to date
tower-lsp                 =0.17.0    0.17.0              up to date
twox-hash                 =1.6.3     1.6.3               up to date
typed-arena               =2.0.1     2.0.1               up to date
uuid                      =1.1.2     1.1.2               up to date
walkdir                   =2.3.2     2.3.2               up to date
zstd                      =0.11.2    0.11.2+zstd.1.5.2   up to date

Dev dependencies

(9 total, 2 outdated)

Crate              Required   Latest            Status
csv                =1.1.6     1.1.6             up to date
dotenv             =0.15.0    0.15.0            up to date
flaky_test         =0.1.0     0.1.0             up to date
google-storage1    =3.1.0     4.0.1+20220228    out of date
once_cell          =1.14.0    1.15.0            out of date
os_pipe            =1.0.1     1.0.1             up to date
pretty_assertions  =1.3.0     1.3.0             up to date
trust-dns-client   =0.22.0    0.22.0            up to date
trust-dns-server   =0.22.0    0.22.0            up to date

Build dependencies

(3 total, 1 outdated)

Crate   Required   Latest              Status
regex   =1.6.0     1.6.0               up to date
serde   =1.0.144   1.0.145             out of date
zstd    =0.11.2    0.11.2+zstd.1.5.2   up to date

Crate deno_core

Dependencies

(13 total, all up-to-date)

Crate        Required   Latest    Status
anyhow       ^1.0.57    1.0.65    up to date
futures      ^0.3.21    0.3.24    up to date
indexmap     ^1.6       1.9.1     up to date
libc         ^0.2.126   0.2.133   up to date
log          ^0.4.16    0.4.17    up to date
once_cell    ^1.10.0    1.15.0    up to date
parking_lot  ^0.12.0    0.12.1    up to date
pin-project  ^1.0.11    1.0.12    up to date
serde        ^1.0.136   1.0.145   up to date
serde_json   ^1.0.79    1.0.85    up to date
sourcemap    ^6.1       6.1.0     up to date
url          ^2.3.1     2.3.1     up to date
v8           ^0.51.0    0.51.0    up to date

Dev dependencies

(2 total, all up-to-date)

Crate     Required   Latest   Status
deno_ast  ^0.19.0    0.19.0   up to date
tokio     ^1.21      1.21.2   up to date

Crate deno_ops

Dependencies

(6 total, all up-to-date)

Crate             Required   Latest    Status
once_cell         ^1.10.0    1.15.0    up to date
proc-macro-crate  ^1.1.3     1.2.1     up to date
proc-macro2       ^1         1.0.44    up to date
quote             ^1         1.0.21    up to date
regex             ^1.6.0     1.6.0     up to date
syn               ^1         1.0.101   up to date

Dev dependencies

(1 total, all up-to-date)

Crate     Required   Latest   Status
trybuild  ^1.0.61    1.0.65   up to date

Crate deno_runtime

Dependencies

(21 total, all up-to-date)

Crate                 Required   Latest    Status
atty                  ^0.2.14    0.2.14    up to date
dlopen                ^0.1.8     0.1.8     up to date
encoding_rs           ^0.8.31    0.8.31    up to date
filetime              ^0.2.16    0.2.17    up to date
fs3                   ^0.5.0     0.5.0     up to date
http                  ^0.2.6     0.2.8     up to date
hyper                 ^0.14.18   0.14.20   up to date
libc                  ^0.2.126   0.2.133   up to date
log                   ^0.4.16    0.4.17    up to date
lzzzz                 ^1.0       1.0.3     up to date
netif                 ^0.1.6     0.1.6     up to date
notify                ^5.0       5.0.0     up to date
once_cell             ^1.10.0    1.15.0    up to date
regex                 ^1.6.0     1.6.0     up to date
ring                  ^0.16.20   0.16.20   up to date
serde                 ^1.0.136   1.0.145   up to date
signal-hook-registry  ^1.4.0     1.4.0     up to date
sys-info              ^0.9.1     0.9.1     up to date
termcolor             ^1.1.3     1.1.3     up to date
tokio                 ^1.21      1.21.2    up to date
uuid                  ^1.0.0     1.1.2     up to date

Build dependencies

(1 total, all up-to-date)

Crate   Required   Latest   Status
lzzzz   ^1.0       1.0.3    up to date

Crate serde_v8

Dependencies

(6 total, all up-to-date)

Crate        Required   Latest    Status
bytes        =1.2.1     1.2.1     up to date
derive_more  ^0.99.17   0.99.17   up to date
serde        ^1.0.136   1.0.145   up to date
serde_bytes  ^0.11      0.11.7    up to date
smallvec     ^1.8       1.9.0     up to date
v8           ^0.51.0    0.51.0    up to date

Dev dependencies

(2 total, all up-to-date)

Crate       Required   Latest   Status
bencher     ^0.1       0.1.5    up to date
serde_json  ^1.0.64    1.0.85   up to date

Crate test_ffi

Dev dependencies

(1 total, all up-to-date)

Crate              Required   Latest   Status
pretty_assertions  ^1.2.1     1.3.0    up to date

Crate test_util

Dependencies

(23 total, 1 outdated)

Crate              Required   Latest    Status
anyhow             ^1.0.57    1.0.65    up to date
async-stream       ^0.3.3     0.3.3     up to date
atty               ^0.2.14    0.2.14    up to date
base64             ^0.13.0    0.13.0    up to date
flate2             ^1.0.24    1.0.24    up to date
futures            ^0.3.21    0.3.24    up to date
hyper              ^0.14.18   0.14.20   up to date
lazy_static        ^1.4.0     1.4.0     up to date
once_cell          ^1.10.0    1.15.0    up to date
os_pipe            ^1.0.1     1.0.1     up to date
parking_lot        ^0.12.0    0.12.1    up to date
pretty_assertions  ^1.3       1.3.0     up to date
regex              ^1.6.0     1.6.0     up to date
reqwest            ^0.11.11   0.11.12   up to date
ring               ^0.16.20   0.16.20   up to date
rustls-pemfile     ^1.0.0     1.0.1     up to date
semver             ^1.0       1.0.14    up to date
serde              ^1.0.136   1.0.145   up to date
serde_json         ^1.0.79    1.0.85    up to date
tar                ^0.4.38    0.4.38    up to date
tokio              ^1.21      1.21.2    up to date
tokio-rustls       ^0.23      0.23.4    up to date
tokio-tungstenite  ^0.16      0.17.2    out of date

Crate deno_broadcast_channel

Dependencies

(3 total, all up-to-date)

Crate        Required   Latest   Status
async-trait  ^0.1       0.1.57   up to date
tokio        ^1.21      1.21.2   up to date
uuid         ^1.0.0     1.1.2    up to date

Crate deno_cache

Dependencies

(5 total, all up-to-date)

Crate        Required   Latest    Status
async-trait  ^0.1       0.1.57    up to date
rusqlite     ^0.28.0    0.28.0    up to date
serde        ^1.0.129   1.0.145   up to date
sha2         ^0.10.2    0.10.6    up to date
tokio        ^1.19      1.21.2    up to date

Crate deno_console

No external dependencies! 🙌

Crate deno_crypto

Dependencies

(26 total, 1 outdated)

Crate             Required       Latest    Status
aes               ^0.8.1         0.8.1     up to date
aes-gcm           ^0.10          0.10.1    up to date
aes-kw            ^0.2.1         0.2.1     up to date
base64            ^0.13.0        0.13.0    up to date
block-modes       ^0.9.1         0.9.1     up to date
cbc               ^0.1.2         0.1.2     up to date
const-oid         ^0.9.0         0.9.0     up to date
ctr               ^0.9.1         0.9.1     up to date
curve25519-dalek  ^2.1.3         3.2.1     out of date
elliptic-curve    ^0.12.1        0.12.3    up to date
num-traits        ^0.2.14        0.2.15    up to date
once_cell         ^1.10.0        1.15.0    up to date
p256              ^0.11.1        0.11.1    up to date
p384              ^0.11.1        0.11.2    up to date
rand              ^0.8.4         0.8.5     up to date
ring              ^0.16.20       0.16.20   up to date
rsa               =0.7.0-pre     0.6.1     up to date
sec1              ^0.3.0         0.3.0     up to date
serde             ^1.0.129       1.0.145   up to date
serde_bytes       ^0.11          0.11.7    up to date
sha-1             ^0.10.0        0.10.0    up to date
sha2              ^0.10.2        0.10.6    up to date
spki              ^0.6.0         0.6.0     up to date
tokio             ^1.21          1.21.2    up to date
uuid              ^1.0.0         1.1.2     up to date
x25519-dalek      ^2.0.0-pre.1   1.2.0     up to date

Crate deno_fetch

Dependencies

(9 total, 1 outdated)

Crate         Required   Latest    Status
bytes         ^1.1.0     1.2.1     up to date
data-url      ^0.1.1     0.2.0     out of date
dyn-clone     ^1         1.0.9     up to date
http          ^0.2.6     0.2.8     up to date
reqwest       ^0.11.11   0.11.12   up to date
serde         ^1.0.136   1.0.145   up to date
tokio         ^1.21      1.21.2    up to date
tokio-stream  ^0.1.8     0.1.10    up to date
tokio-util    ^0.7       0.7.4     up to date

Crate deno_flash

Dependencies

(9 total, all up-to-date)

Crate           Required   Latest    Status
http            ^0.2.6     0.2.8     up to date
httparse        ^1.8       1.8.0     up to date
libc            ^0.2       0.2.133   up to date
log             ^0.4.17    0.4.17    up to date
mio             ^0.8.1     0.8.4     up to date
rustls          ^0.20      0.20.6    up to date
rustls-pemfile  ^1.0       1.0.1     up to date
serde           ^1.0.136   1.0.145   up to date
tokio           ^1.21      1.21.2    up to date

Crate deno_ffi

Dependencies

(5 total, all up-to-date)

Crate     Required   Latest    Status
dlopen    ^0.1.8     0.1.8     up to date
dynasmrt  ^1.2.3     1.2.3     up to date
libffi    ^3.0.0     3.0.1     up to date
serde     ^1.0.129   1.0.145   up to date
tokio     ^1.21      1.21.2    up to date

Crate deno_http

Dependencies

(15 total, 1 outdated)

Crate                Required   Latest    Status
async-compression    ^0.3.12    0.3.14    up to date
base64               ^0.13.0    0.13.0    up to date
brotli               ^3.3.4     3.3.4     up to date
bytes                ^1         1.2.1     up to date
cache_control        ^0.2.0     0.2.0     up to date
flate2               ^1.0.23    1.0.24    up to date
fly-accept-encoding  ^0.2.0     0.2.0     up to date
hyper                ^0.14.18   0.14.20   up to date
mime                 ^0.3.16    0.3.16    up to date
percent-encoding     ^2.2.0     2.2.0     up to date
phf                  ^0.10      0.11.1    out of date
ring                 ^0.16.20   0.16.20   up to date
serde                ^1.0.136   1.0.145   up to date
tokio                ^1.21      1.21.2    up to date
tokio-util           ^0.7       0.7.4     up to date

Dev dependencies

(1 total, all up-to-date)

Crate    Required   Latest   Status
bencher  ^0.1       0.1.5    up to date

Crate deno_net

Dependencies

(6 total, all up-to-date)

Crate               Required   Latest    Status
log                 ^0.4.16    0.4.17    up to date
serde               ^1.0.136   1.0.145   up to date
socket2             ^0.4.4     0.4.7     up to date
tokio               ^1.21      1.21.2    up to date
trust-dns-proto     ^0.22      0.22.0    up to date
trust-dns-resolver  ^0.22      0.22.0    up to date

Crate deno_node

Dependencies

(4 total, 1 possibly insecure)

Crate       Required   Latest    Status
once_cell   ^1.12.0    1.15.0    up to date
path-clean  =0.1.0     0.1.0     up to date
regex ⚠️    ^1         1.6.0     maybe insecure
serde       ^1.0.136   1.0.145   up to date

Crate deno_url

Dependencies

(3 total, all up-to-date)

Crate       Required   Latest    Status
serde       ^1.0.136   1.0.145   up to date
serde_repr  ^0.1.7     0.1.9     up to date
urlpattern  ^0.2.0     0.2.0     up to date

Crate deno_web

Dependencies

(7 total, all up-to-date)

Crate        Required   Latest    Status
async-trait  ^0.1.51    0.1.57    up to date
base64-simd  ^0.7       0.7.0     up to date
encoding_rs  ^0.8.31    0.8.31    up to date
flate2       ^1         1.0.24    up to date
serde        ^1.0.136   1.0.145   up to date
tokio        ^1.21      1.21.2    up to date
uuid         ^1.0.0     1.1.2     up to date

Crate deno_webgpu

Dependencies

(4 total, all up-to-date)

Crate       Required   Latest    Status
serde       ^1.0       1.0.145   up to date
tokio       ^1.21      1.21.2    up to date
wgpu-core   ^0.13      0.13.2    up to date
wgpu-types  ^0.13      0.13.2    up to date

Crate deno_webidl

No external dependencies! 🙌

Crate deno_websocket

Dependencies

(6 total, 1 outdated)

Crate              Required   Latest    Status
http               ^0.2.6     0.2.8     up to date
hyper              ^0.14.18   0.14.20   up to date
serde              ^1.0.136   1.0.145   up to date
tokio              ^1.21      1.21.2    up to date
tokio-rustls       ^0.23.3    0.23.4    up to date
tokio-tungstenite  ^0.16.1    0.17.2    out of date

Crate deno_webstorage

Dependencies

(2 total, all up-to-date)

Crate     Required   Latest    Status
rusqlite  ^0.28.0    0.28.0    up to date
serde     ^1.0.136   1.0.145   up to date

Crate deno_tls

Dependencies

(7 total, all up-to-date)

Crate                Required   Latest    Status
once_cell            ^1.10.0    1.15.0    up to date
rustls               ^0.20.5    0.20.6    up to date
rustls-native-certs  ^0.6.2     0.6.2     up to date
rustls-pemfile       ^1.0.0     1.0.1     up to date
serde                ^1.0.136   1.0.145   up to date
webpki               ^0.22      0.22.0    up to date
webpki-roots         ^0.22      0.22.5    up to date

Security Vulnerabilities

regex: Regexes with large repetitions on empty sub-expressions take a very long time to parse

RUSTSEC-2022-0013

The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.

This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.

Overview

The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.

Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.

Affected versions

All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is included starting from regex 1.5.5.
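The check behind the "maybe insecure" flag on deno_node's `regex ^1` above, written out as an added example (not code from deps.rs, Deno or the regex project): it turns a Cargo requirement into the interval of versions it admits and asks whether that interval overlaps the advisory's affected range, so `^1` is flagged while `^1.6.0` and `=1.6.0` are not.

```rust
// Added example, not code from deps.rs or the regex project: decide whether a
// Cargo version requirement can still resolve to a regex release affected by
// RUSTSEC-2022-0013 (all releases before 1.5.5). Handles only the requirement
// forms seen on this page: caret ("^1", "^1.21", "^1.6.0", bare "1.6.0") and
// exact ("=1.6.0"); pre-release or build suffixes are rejected with None.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "1", "1.6" or "1.6.0" into (version, number of components written);
/// missing components are 0, and caret semantics depend on the count.
fn parse_version(s: &str) -> Option<(Version, usize)> {
    let parts = s.split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if parts.len() > 3 {
        return None;
    }
    let get = |i: usize| parts.get(i).copied().unwrap_or(0);
    Some((Version(get(0), get(1), get(2)), parts.len()))
}

/// Half-open interval [lo, hi) the requirement admits, following Cargo's caret
/// rules: ^1 => <2.0.0, ^0.2 => <0.3.0, ^0.0.3 => <0.0.4, ^0.0 => <0.1.0, ^0 => <1.0.0.
pub fn admitted_range(req: &str) -> Option<(Version, Version)> {
    let req = req.trim();
    if let Some(exact) = req.strip_prefix('=') {
        let (v, _) = parse_version(exact)?;
        return Some((v, Version(v.0, v.1, v.2 + 1)));
    }
    let (lo, n) = parse_version(req.strip_prefix('^').unwrap_or(req))?;
    let hi = if lo.0 != 0 {
        Version(lo.0 + 1, 0, 0)
    } else if lo.1 != 0 || n == 2 {
        Version(0, lo.1 + 1, 0)
    } else if n == 3 {
        Version(0, 0, lo.2 + 1)
    } else {
        Version(1, 0, 0)
    };
    Some((lo, hi))
}

/// Releases the advisory covers: everything before the first fixed version, 1.5.5.
pub const AFFECTED: (Version, Version) = (Version(0, 0, 0), Version(1, 5, 5));

/// True when the admitted interval overlaps the affected one: the requirement by
/// itself does not exclude an affected release, which is deps.rs's "maybe insecure".
pub fn may_resolve_affected(req: &str, affected: (Version, Version)) -> Option<bool> {
    let (lo, hi) = admitted_range(req)?;
    Some(lo < affected.1 && affected.0 < hi)
}
```

The requirement only bounds what Cargo may select; the release actually compiled is the one pinned in Cargo.lock, so a `true` result is a prompt to check the lockfile or tighten the range, as the banner at the top of the page suggests.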

Mitigations

We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the regex crate.

Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.

Acknowledgements

We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.

We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.