This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate lenna_cli

Dependencies

(16 total, 9 outdated, 2 possibly insecure)

| Crate | Required | Latest | Status |
| --- | --- | --- | --- |
| libloading | ^0.7 | 0.9.0 | out of date |
| structopt | ^0.3 | 0.3.26 | up to date |
| image | ^0.24 | 0.25.10 | out of date |
| pyo3 ⚠️ | ^0.16 | 0.29.0 | out of date |
| ndarray | ^0.15 | 0.17.2 | out of date |
| nshare | ^0.9 | 0.10.0 | out of date |
| numpy | ^0.16 | 0.29.0 | out of date |
| pythonize | ^0.16 | 0.29.0 | out of date |
| serde | ^1.0 | 1.0.228 | up to date |
| serde_json | ^1.0 | 1.0.150 | up to date |
| serde_yaml ⚠️ | ^0.8 | 0.9.34+deprecated | out of date |
| zip | ^0.6 | 8.6.0 | out of date |
| wasm-bindgen | ^0.2 | 0.2.126 | up to date |
| wasm-bindgen-futures | ^0.4 | 0.4.76 | up to date |
| js-sys | ^0.3 | 0.3.103 | up to date |
| console_error_panic_hook | ^0.1 | 0.1.7 | up to date |

Dev dependencies

(1 total, 1 outdated)

| Crate | Required | Latest | Status |
| --- | --- | --- | --- |
| wasm-bindgen-test | ^0.2 | 0.3.76 | out of date |

Security Vulnerabilities

serde_yaml: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0005

Affected versions of this crate did not properly check for recursion while deserializing aliases.

This allows an attacker to make a YAML file with an alias referring to itself causing an abort.

The flaw was corrected by checking the recursion depth.

pyo3: Risk of buffer overflow in `PyString::from_object`

RUSTSEC-2025-0020

PyString::from_object took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read (by raising a Python exception containing a copy of the data including the overflow).

In PyO3 0.24.1 this function will now allocate a CString to guarantee a terminating nul byte. PyO3 0.25 will likely offer an alternative API which takes &CStr arguments.

pyo3: Missing `Sync` bound on `PyCFunction::new_closure` closures

RUSTSEC-2026-0177

PyCFunction::new_closure (and the temporary new_closure_bound complement in the 0.21–0.22 series) required the supplied closure to be Send + 'static but not Sync. The resulting PyCFunction is a Python callable that can be invoked from any Python thread, which means the closure may be called concurrently from multiple threads, and needs a Sync bound to prevent possible data races.

The problem exists under all Python versions, but the exposure is greatest under the newer free-threaded Python variant, which does not have serial execution imposed by the Global Interpreter Lock. Under releases protected by the GIL, the ability to "detach" from the Python interpreter temporarily inside the closure (e.g. by Python::detach) makes interleaved and/or concurrent execution of various portions of the closure possible.

PyO3 0.29.0 added a Sync bound to close this thread-safety bug.