This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
sad-monte-carlo(16 total, 9 outdated, 2 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1.0 | 1.0.217 | up to date |
| serde_derive | ^1.0 | 1.0.217 | up to date |
| serde_yaml | ^0.8.11 | 0.9.34+deprecated | out of date |
| serde_cbor ⚠️ | ^0.10 | 0.11.2 | out of date |
| serde_json | ^1.0 | 1.0.138 | up to date |
| auto-args | ^0.2.7 | 0.3.1 | out of date |
| internment ⚠️ | ^0.3.2 | 0.8.6 | out of date |
| vector3d | ^0.2.1 | 0.2.1 | up to date |
| statrs | ^0.7.0 | 0.18.0 | out of date |
| rand_core | ^0.5.1 | 0.9.0 | out of date |
| rand | ^0.7.2 | 0.9.0 | out of date |
| rand_distr | ^0.2.2 | 0.5.0 | out of date |
| rand_xoshiro | ^0.4 | 0.7.0 | out of date |
| tempfile | ^3.0.3 | 3.16.0 | up to date |
| git-version | ^0.3.0 | 0.3.9 | up to date |
| rayon | ^1.4 | 1.10.0 | up to date |
(2 total, 1 outdated)
| Crate | Required | Latest | Status |
|---|---|---|---|
| criterion | ^0.3 | 0.5.1 | out of date |
| difference | ^2.0 | 2.0.0 | up to date |
serde_cbor: Flaw in CBOR deserializer allows stack overflowAffected versions of this crate did not properly check if semantic tags were nested excessively during deserialization.
This allows an attacker to craft small (< 1 kB) CBOR documents that cause a stack overflow.
The flaw was corrected by limiting the allowed number of nested tags.
internment: Use after free in ArcIntern::dropArcIntern::drop has a race condition where it can release memory
which is about to get another user. The new user will get a reference
to freed memory.
This was fixed by serializing access to an interned object while it is being deallocated.
Versions prior to 0.3.12 used stronger locking which avoided the problem.
internment: Intern<T>: Data race allowed on TAffected versions of this crate unconditionally implements Sync for Intern<T>.
This allows users to create data race on T: !Sync, which may lead to undefined behavior
(for example, memory corruption).
The flaw was corrected in commit 2928a87 by adding the trait bound T: Sync in the Sync impl of Intern<T>.