denoland / deno

This project contains known security vulnerabilities. Find detailed information at the bottom.

Crate `deno_bench_util`

Dependencies

(2 total, 1 possibly insecure)

Crate	Required	Latest	Status
bencher	`^0.1`	`0.1.5`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure

Crate `deno`

Dependencies

(47 total, 15 outdated, 1 insecure)

Crate	Required	Latest	Status
deno_ast	`^0.9.0`	`0.9.0`	up to date
deno_doc	`^0.26.0`	`0.26.1`	up to date
deno_graph	`^0.18.0`	`0.18.0`	up to date
deno_lint	`^0.22.0`	`0.22.0`	up to date
atty	`=0.2.14`	`0.2.14`	up to date
base64	`=0.13.0`	`0.13.0`	up to date
cache_control	`=0.2.0`	`0.2.0`	up to date
chrono ⚠️	`=0.4.19`	`0.4.19`	insecure
clap	`=3.0.7`	`3.0.10`	out of date
clap_complete	`=3.0.3`	`3.0.4`	out of date
clap_complete_fig	`=3.0.2`	`3.0.2`	up to date
data-url	`=0.1.1`	`0.1.1`	up to date
dissimilar	`=1.0.2`	`1.0.3`	out of date
dprint-plugin-json	`=0.14.0`	`0.14.0`	up to date
dprint-plugin-markdown	`=0.12.0`	`0.12.0`	up to date
dprint-plugin-typescript	`=0.62.0`	`0.62.0`	up to date
encoding_rs	`=0.8.29`	`0.8.30`	out of date
env_logger	`=0.8.4`	`0.9.0`	out of date
fancy-regex	`=0.7.1`	`0.7.1`	up to date
http	`=0.2.4`	`0.2.6`	out of date
import_map	`=0.6.0`	`0.6.0`	up to date
jsonc-parser	`=0.17.1`	`0.18.0`	out of date
libc	`=0.2.106`	`0.2.112`	out of date
log	`=0.4.14`	`0.4.14`	up to date
lspower	`=1.4.0`	`1.5.0`	out of date
notify	`=5.0.0-pre.12`	`4.0.17`	up to date
num_cpus	`=1.13.0`	`1.13.1`	out of date
once_cell	`=1.9.0`	`1.9.0`	up to date
percent-encoding	`=2.1.0`	`2.1.0`	up to date
pin-project	`=1.0.8`	`1.0.10`	out of date
rand	`=0.8.4`	`0.8.4`	up to date
regex	`=1.5.4`	`1.5.4`	up to date
ring	`=0.16.20`	`0.16.20`	up to date
rustyline	`=9.0.0`	`9.1.2`	out of date
rustyline-derive	`=0.5.0`	`0.6.0`	out of date
semver-parser	`=0.10.2`	`0.10.2`	up to date
serde	`=1.0.133`	`1.0.133`	up to date
shell-escape	`=0.1.5`	`0.1.5`	up to date
sourcemap	`=6.0.1`	`6.0.1`	up to date
tempfile	`=3.2.0`	`3.3.0`	out of date
text-size	`=1.1.0`	`1.1.0`	up to date
text_lines	`=0.4.1`	`0.4.1`	up to date
tokio	`=1.14`	`1.15.0`	out of date
typed-arena	`^2.0.1`	`2.0.1`	up to date
uuid	`=0.8.2`	`0.8.2`	up to date
walkdir	`=2.3.2`	`2.3.2`	up to date
zstd	`=0.9.2`	`0.9.2+zstd.1.5.1`	up to date

Dev dependencies

(5 total, 2 outdated)

Crate	Required	Latest	Status
flaky_test	`=0.1.0`	`0.1.0`	up to date
os_pipe	`=0.9.2`	`1.0.0`	out of date
pretty_assertions	`=0.7.2`	`1.0.0`	out of date
trust-dns-client	`=0.20.3`	`0.20.3`	up to date
trust-dns-server	`=0.20.3`	`0.20.3`	up to date

Build dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
regex	`=1.5.4`	`1.5.4`	up to date
serde	`=1.0.133`	`1.0.133`	up to date
zstd	`=0.9.2`	`0.9.2+zstd.1.5.1`	up to date

Crate `deno_core`

Dependencies

(12 total, all up-to-date)

Crate	Required	Latest	Status
anyhow	`^1.0.43`	`1.0.52`	up to date
futures	`^0.3.16`	`0.3.19`	up to date
indexmap	`^1.7.0`	`1.8.0`	up to date
libc	`^0.2.106`	`0.2.112`	up to date
log	`^0.4.14`	`0.4.14`	up to date
once_cell	`=1.9.0`	`1.9.0`	up to date
parking_lot	`^0.11.1`	`0.11.2`	up to date
pin-project	`^1.0.7`	`1.0.10`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
serde_json	`^1.0.66`	`1.0.75`	up to date
url	`^2.2.2`	`2.2.2`	up to date
v8	`^0.37.0`	`0.37.0`	up to date

Dev dependencies

(1 total, 1 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure

Crate `deno_runtime`

Dependencies

(21 total, 1 possibly insecure)

Crate	Required	Latest	Status
atty	`^0.2.14`	`0.2.14`	up to date
dlopen	`^0.1.8`	`0.1.8`	up to date
encoding_rs	`^0.8.29`	`0.8.30`	up to date
filetime	`^0.2.15`	`0.2.15`	up to date
fs3	`^0.5.0`	`0.5.0`	up to date
http	`^0.2.4`	`0.2.6`	up to date
hyper	`^0.14.12`	`0.14.16`	up to date
libc	`^0.2.106`	`0.2.112`	up to date
log	`^0.4.14`	`0.4.14`	up to date
lzzzz	`=0.8.0`	`0.8.0`	up to date
netif	`^0.1.0`	`0.1.1`	up to date
notify	`=5.0.0-pre.12`	`4.0.17`	up to date
once_cell	`=1.9.0`	`1.9.0`	up to date
regex	`^1.5.4`	`1.5.4`	up to date
ring	`^0.16.20`	`0.16.20`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
signal-hook-registry	`^1.4.0`	`1.4.0`	up to date
sys-info	`^0.9.0`	`0.9.1`	up to date
termcolor	`^1.1.2`	`1.1.2`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
uuid	`^0.8.2`	`0.8.2`	up to date

Build dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
lzzzz	`=0.8.0`	`0.8.0`	up to date

Crate `serde_v8`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
serde	`^1.0.130`	`1.0.133`	up to date
serde_bytes	`^0.11`	`0.11.5`	up to date
v8	`^0.37.0`	`0.37.0`	up to date

Dev dependencies

(2 total, all up-to-date)

Crate	Required	Latest	Status
bencher	`^0.1`	`0.1.5`	up to date
serde_json	`^1.0.64`	`1.0.75`	up to date

Crate `test_ffi`

No external dependencies! 🙌

Crate `test_util`

Dependencies

(16 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
anyhow	`^1.0.43`	`1.0.52`	up to date
async-stream	`^0.3.2`	`0.3.2`	up to date
atty	`^0.2.14`	`0.2.14`	up to date
base64	`^0.13.0`	`0.13.0`	up to date
futures	`^0.3.16`	`0.3.19`	up to date
hyper	`^0.14.12`	`0.14.16`	up to date
lazy_static	`^1.4.0`	`1.4.0`	up to date
os_pipe	`^0.9.2`	`1.0.0`	out of date
regex	`^1.5.4`	`1.5.4`	up to date
rustls-pemfile	`^0.2.1`	`0.2.1`	up to date
serde	`^1.0.126`	`1.0.133`	up to date
serde_json	`^1.0.65`	`1.0.75`	up to date
tempfile	`^3.2.0`	`3.3.0`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
tokio-rustls	`^0.23`	`0.23.2`	up to date
tokio-tungstenite	`^0.16`	`0.16.1`	up to date

Crate `deno_broadcast_channel`

Dependencies

(3 total, 1 possibly insecure)

Crate	Required	Latest	Status
async-trait	`^0.1`	`0.1.52`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
uuid	`^0.8.2`	`0.8.2`	up to date

Crate `deno_console`

No external dependencies! 🙌

Crate `deno_crypto`

Dependencies

(21 total, 6 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
aes	`^0.7.5`	`0.7.5`	up to date
aes-gcm	`^0.9.4`	`0.9.4`	up to date
aes-kw	`^0.1`	`0.1.0`	up to date
base64	`^0.13.0`	`0.13.0`	up to date
block-modes	`^0.8.1`	`0.8.1`	up to date
ctr	`^0.8.0`	`0.8.0`	up to date
elliptic-curve	`^0.10.6`	`0.11.9`	out of date
num-traits	`^0.2.14`	`0.2.14`	up to date
once_cell	`=1.9.0`	`1.9.0`	up to date
p256	`^0.9.0`	`0.10.1`	out of date
p384	`^0.8.0`	`0.9.0`	out of date
rand	`^0.8.4`	`0.8.4`	up to date
ring	`^0.16.20`	`0.16.20`	up to date
rsa	`^0.5.0`	`0.5.0`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
serde_bytes	`^0.11`	`0.11.5`	up to date
sha-1	`^0.9.7`	`0.10.0`	out of date
sha2	`^0.9.5`	`0.10.1`	out of date
spki	`^0.4.1`	`0.5.4`	out of date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
uuid	`^0.8.2`	`0.8.2`	up to date

Crate `deno_fetch`

Dependencies

(9 total, 1 possibly insecure)

Crate	Required	Latest	Status
bytes	`^1.1.0`	`1.1.0`	up to date
data-url	`^0.1.0`	`0.1.1`	up to date
dyn-clone	`^1`	`1.0.4`	up to date
http	`^0.2.4`	`0.2.6`	up to date
reqwest	`^0.11.7`	`0.11.9`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
tokio-stream	`^0.1.7`	`0.1.8`	up to date
tokio-util	`^0.6.7`	`0.6.9`	up to date

Crate `deno_ffi`

Dependencies

(4 total, 1 possibly insecure)

Crate	Required	Latest	Status
dlopen	`^0.1.8`	`0.1.8`	up to date
libffi	`^2.0.0`	`2.0.0`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure

Crate `deno_http`

Dependencies

(7 total, 2 possibly insecure)

Crate	Required	Latest	Status
base64	`^0.13.0`	`0.13.0`	up to date
bytes	`^1`	`1.1.0`	up to date
hyper ⚠️	`^0.14.9`	`0.14.16`	maybe insecure
ring	`^0.16.20`	`0.16.20`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
tokio-util	`^0.6.7`	`0.6.9`	up to date

Crate `deno_net`

Dependencies

(5 total, 1 possibly insecure)

Crate	Required	Latest	Status
log	`^0.4.14`	`0.4.14`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
trust-dns-proto	`^0.20.3`	`0.20.3`	up to date
trust-dns-resolver	`^0.20.3`	`0.20.3`	up to date

Crate `deno_timers`

Dependencies

(1 total, 1 possibly insecure)

Crate	Required	Latest	Status
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure

Crate `deno_url`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
serde	`^1.0.129`	`1.0.133`	up to date
serde_repr	`^0.1.7`	`0.1.7`	up to date
urlpattern	`^0.1.3`	`0.1.4`	up to date

Crate `deno_web`

Dependencies

(6 total, 1 possibly insecure)

Crate	Required	Latest	Status
async-trait	`^0.1.51`	`0.1.52`	up to date
base64	`^0.13.0`	`0.13.0`	up to date
encoding_rs	`^0.8.29`	`0.8.30`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
uuid	`^0.8.2`	`0.8.2`	up to date

Crate `deno_webgpu`

Dependencies

(4 total, 2 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
wgpu-core	`^0.10.1`	`0.12.2`	out of date
wgpu-types	`^0.10.0`	`0.12.0`	out of date

Crate `deno_webidl`

No external dependencies! 🙌

Crate `deno_websocket`

Dependencies

(6 total, 1 possibly insecure)

Crate	Required	Latest	Status
http	`^0.2.4`	`0.2.6`	up to date
hyper	`^0.14.12`	`0.14.16`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
tokio ⚠️	`^1.10.1`	`1.15.0`	maybe insecure
tokio-rustls	`^0.23.0`	`0.23.2`	up to date
tokio-tungstenite	`^0.16.0`	`0.16.1`	up to date

Crate `deno_webstorage`

Dependencies

(2 total, 1 outdated)

Crate	Required	Latest	Status
rusqlite	`^0.25.3`	`0.26.3`	out of date
serde	`^1.0.129`	`1.0.133`	up to date

Crate `deno_tls`

Dependencies

(7 total, all up-to-date)

Crate	Required	Latest	Status
once_cell	`=1.9.0`	`1.9.0`	up to date
rustls	`^0.20`	`0.20.2`	up to date
rustls-native-certs	`^0.6.1`	`0.6.1`	up to date
rustls-pemfile	`^0.2.1`	`0.2.1`	up to date
serde	`^1.0.129`	`1.0.133`	up to date
webpki	`^0.22`	`0.22.0`	up to date
webpki-roots	`^0.22`	`0.22.2`	up to date

Security Vulnerabilities

`chrono`: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References

time-rs/time#293

`hyper`: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling

RUSTSEC-2021-0078

hyper's HTTP header parser accepted, according to RFC 7230, illegal contents inside Content-Length headers. Due to this, upstream HTTP proxies that ignore the header may still forward them along if it chooses to ignore the error.

To be vulnerable, hyper must be used as an HTTP/1 server and using an HTTP proxy upstream that ignores the header's contents but still forwards it. Due to all the factors that must line up, an attack exploiting this vulnerability is unlikely.

`hyper`: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss

RUSTSEC-2021-0079

When decoding chunk sizes that are too large, hyper's code would encounter an integer overflow. Depending on the situation, this could lead to data loss from an incorrect total size, or in rarer cases, a request smuggling attack.

To be vulnerable, you must be using hyper for any HTTP/1 purpose, including as a client or server, and consumers must send requests or responses that specify a chunk size greater than 18 exabytes. For a possible request smuggling attack to be possible, any upstream proxies must accept a chunk size greater than 64 bits.

`tokio`: Data race when sending and receiving after closing a `oneshot` channel

RUSTSEC-2021-0124

If a tokio::sync::oneshot channel is closed (via the oneshot::Receiver::close method), a data race may occur if the oneshot::Sender::send method is called while the corresponding oneshot::Receiver is awaited or calling try_recv.

When these methods are called concurrently on a closed channel, the two halves of the channel can concurrently access a shared memory location, resulting in a data race. This has been observed to cause memory corruption.

Note that the race only occurs when both halves of the channel are used after the Receiver half has called close. Code where close is not used, or where the Receiver is not awaited and try_recv is not called after calling close, is not affected.

See tokio#4225 for more details.

denoland / deno

Crate deno_bench_util

Dependencies

Crate deno

Dependencies

Dev dependencies

Build dependencies

Crate deno_core

Dependencies

Dev dependencies

Crate deno_runtime

Dependencies

Build dependencies

Crate serde_v8

Dependencies

Dev dependencies

Crate test_ffi

Crate test_util

Dependencies

Crate deno_broadcast_channel

Dependencies

Crate deno_console

Crate deno_crypto

Dependencies

Crate deno_fetch

Dependencies

Crate deno_ffi

Dependencies

Crate deno_http

Dependencies

Crate deno_net

Dependencies

Crate deno_timers

Dependencies

Crate deno_url

Dependencies

Crate deno_web

Dependencies

Crate deno_webgpu

Dependencies

Crate deno_webidl

Crate deno_websocket

Dependencies

Crate deno_webstorage

Dependencies

Crate deno_tls

Dependencies

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

Impact

Workarounds

References

hyper: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling

hyper: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss

tokio: Data race when sending and receiving after closing a `oneshot` channel

Crate `deno_bench_util`

Crate `deno`

Crate `deno_core`

Crate `deno_runtime`

Crate `serde_v8`

Crate `test_ffi`

Crate `test_util`

Crate `deno_broadcast_channel`

Crate `deno_console`

Crate `deno_crypto`

Crate `deno_fetch`

Crate `deno_ffi`

Crate `deno_http`

Crate `deno_net`

Crate `deno_timers`

Crate `deno_url`

Crate `deno_web`

Crate `deno_webgpu`

Crate `deno_webidl`

Crate `deno_websocket`

Crate `deno_webstorage`

Crate `deno_tls`

`chrono`: Potential segfault in `localtime_r` invocations

`hyper`: Lenient `hyper` header parsing of `Content-Length` could allow request smuggling

`hyper`: Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss

`tokio`: Data race when sending and receiving after closing a `oneshot` channel