This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate sqlrite-engine

Dependencies

(10 total, 1 outdated)

CrateRequiredLatestStatus
 log^0.40.4.33up to date
 sqlparser^0.610.62.0out of date
 thiserror^2.02.0.18up to date
 prettytable-rs^0.100.10.0up to date
 serde_json^11.0.150up to date
 rustyline^18.018.0.1up to date
 rustyline-derive^0.120.12.0up to date
 env_logger^0.110.11.11up to date
 clap^4.64.6.1up to date
 fs2^0.40.4.3up to date

Crate sqlrite-ask

Dependencies

(4 total, 1 outdated)

CrateRequiredLatestStatus
 serde^11.0.228up to date
 serde_json^11.0.150up to date
 ureq^23.3.0out of date
 thiserror^22.0.18up to date

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tiny_http^0.120.12.0up to date

Crate sqlrite-desktop

Dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 tauri^22.11.5up to date
 tauri-plugin-dialog^22.7.1up to date
 serde^11.0.228up to date
 serde_json^11.0.150up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tauri-build^22.6.3up to date

Crate sqlrite-journal

Dependencies

(5 total, all up-to-date)

CrateRequiredLatestStatus
 tauri^22.11.5up to date
 tauri-plugin-dialog^22.7.1up to date
 serde^11.0.228up to date
 serde_json^11.0.150up to date
 thiserror^22.0.18up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 tauri-build^22.6.3up to date

Crate sqlrite-ffi

Dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 serde^11.0.228up to date
 serde_json^11.0.150up to date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 cbindgen^0.290.29.4up to date

Crate sqlrite-mcp

Dependencies

(4 total, all up-to-date)

CrateRequiredLatestStatus
 serde^11.0.228up to date
 serde_json^11.0.150up to date
 clap^44.6.1up to date
 libc^0.20.2.186up to date

Crate sqlrite-python

Dependencies

(1 total, 1 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 pyo3 ⚠️^0.230.29.0out of date

Crate sqlrite-nodejs

Dependencies

(2 total, 2 outdated)

CrateRequiredLatestStatus
 napi^2.163.10.3out of date
 napi-derive^2.163.5.9out of date

Build dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 napi-build^2.22.3.2up to date

Crate sqlrite-benchmarks

Dependencies

(10 total, 4 outdated)

CrateRequiredLatestStatus
 rusqlite^0.360.40.1out of date
 duckdb^1.41.10504.0up to date
 criterion^0.50.8.2out of date
 rand^0.80.10.2out of date
 rand_chacha^0.30.10.0out of date
 serde^11.0.228up to date
 serde_json^11.0.150up to date
 tempfile^33.27.0up to date
 anyhow^11.0.103up to date
 walkdir^22.5.0up to date

Security Vulnerabilities

pyo3: Risk of buffer overflow in `PyString::from_object`

RUSTSEC-2025-0020

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul bytes. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

pyo3: Missing `Sync` bound on `PyCFunction::new_closure` closures

RUSTSEC-2026-0177

PyCFunction::new_closure (and the temporary new_closure_bound complement in the 0.21–0.22 series) required the supplied closure to be Send + 'static but not Sync. The resulting PyCFunction is a Python callable that can be invoked from any Python thread, which means the closure may be called concurrently from multiple threads, and needs a Sync bound to prevent possible data races.

The problem exists under all Python versions but is particularly vulnerable under the newer free-threaded Python variant, which do not have serial execution imposed by the Global Interpreter Lock. Under releases protected by the GIL, the ability to "detach" from the Python interpreter temporarily inside the closure (e.g. by Python::detach) makes it possible for interleaved and/or concurrent execution of various portions of the closure.

PyO3 0.29.0 added a Sync bound to close this thread-safety bug.