linebender / vello

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate `vello`

No external dependencies! 🙌

Crate `vello_encoding`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
guillotiere	`^0.6.2`	`0.6.2`	up to date

Crate `vello_shaders`

Dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
naga	`^26.0.0`	`27.0.3`	out of date

Build dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
naga	`^26.0.0`	`27.0.3`	out of date

Crate `vello_tests`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
nv-flip	`^0.1.2`	`0.1.2`	up to date

Crate `xtask`

No external dependencies! 🙌

Crate `headless`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
env_logger	`^0.11.8`	`0.11.8`	up to date

Crate `run_wasm`

Dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
cargo-run-wasm	`^0.4.0`	`0.4.0`	up to date

Crate `scenes`

Dependencies

(2 total, 1 outdated)

Crate	Required	Latest	Status
roxmltree	`^0.20.0`	`0.21.1`	out of date
getrandom	`^0.3.3`	`0.3.4`	up to date

Crate `simple`

Dependencies

(3 total, all up-to-date)

Crate	Required	Latest	Status
anyhow	`^1.0.98`	`1.0.100`	up to date
pollster	`^0.4.0`	`0.4.0`	up to date
winit	`^0.30.10`	`0.30.12`	up to date

Crate `with_winit`

Dependencies

(12 total, 2 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
tracing	`^0.1.41`	`0.1.41`	up to date
env_logger	`^0.11.8`	`0.11.8`	up to date
notify-debouncer-full	`^0.5.0`	`0.6.0`	out of date
android_logger	`^0.15.0`	`0.15.1`	up to date
tracing_android_trace	`^0.1.1`	`0.1.1`	up to date
tracing-subscriber ⚠️	`^0.3.19`	`0.3.20`	maybe insecure
profiling	`^1.0.16`	`1.0.17`	up to date
jni	`^0.21.1`	`0.21.1`	up to date
wasm-bindgen-futures	`^0.4.50`	`0.4.55`	up to date
web-sys	`^0.3.77`	`0.3.82`	up to date
wasm-bindgen	`=0.2.100`	`0.2.105`	out of date
getrandom	`^0.3.3`	`0.3.4`	up to date

Crate `vello_api`

No external dependencies! 🙌

Crate `vello_bench`

Dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
parley	`^0.5.0`	`0.6.0`	out of date

Crate `vello_common`

Dependencies

(3 total, 2 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
hashbrown ⚠️	`^0.15`	`0.16.0`	out of date
roxmltree	`^0.20.0`	`0.21.1`	out of date
libm	`^0.2.15`	`0.2.15`	up to date

Crate `vello_cpu`

No external dependencies! 🙌

Crate `wasm_cpu`

Dependencies

(5 total, 1 outdated)

Crate	Required	Latest	Status
js-sys	`^0.3.77`	`0.3.82`	up to date
wasm-bindgen	`^0.2.100`	`0.2.105`	up to date
wasm-bindgen-futures	`^0.4.50`	`0.4.55`	up to date
web-sys	`^0.3.77`	`0.3.82`	up to date
parley	`^0.5.0`	`0.6.0`	out of date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
wasm-bindgen-test	`^0.3.50`	`0.3.55`	up to date

Crate `vello_hybrid`

Dependencies

(4 total, 1 outdated, 1 possibly insecure)

Crate	Required	Latest	Status
guillotiere	`^0.6.2`	`0.6.2`	up to date
hashbrown ⚠️	`^0.15`	`0.16.0`	out of date
js-sys	`^0.3.77`	`0.3.82`	up to date
web-sys	`^0.3.77`	`0.3.82`	up to date

Dev dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
roxmltree	`^0.20.0`	`0.21.1`	out of date

Crate `vello_sparse_shaders`

Dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
naga	`^26.0.0`	`27.0.3`	out of date

Build dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
naga	`^26.0.0`	`27.0.3`	out of date

Crate `native_webgl`

Dependencies

(4 total, all up-to-date)

Crate	Required	Latest	Status
js-sys	`^0.3.77`	`0.3.82`	up to date
wasm-bindgen	`^0.2.100`	`0.2.105`	up to date
wasm-bindgen-futures	`^0.4.50`	`0.4.55`	up to date
web-sys	`^0.3.77`	`0.3.82`	up to date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
wasm-bindgen-test	`^0.3.50`	`0.3.55`	up to date

Crate `vello_example_scenes`

Dependencies

(1 total, 1 outdated)

Crate	Required	Latest	Status
parley	`^0.5.0`	`0.6.0`	out of date

Crate `wgpu_webgl`

Dependencies

(4 total, all up-to-date)

Crate	Required	Latest	Status
js-sys	`^0.3.77`	`0.3.82`	up to date
wasm-bindgen	`^0.2.100`	`0.2.105`	up to date
wasm-bindgen-futures	`^0.4.50`	`0.4.55`	up to date
web-sys	`^0.3.77`	`0.3.82`	up to date

Dev dependencies

(1 total, all up-to-date)

Crate	Required	Latest	Status
wasm-bindgen-test	`^0.3.50`	`0.3.55`	up to date

Crate `vello_hybrid_winit`

No external dependencies! 🙌

Crate `vello_toy`

No external dependencies! 🙌

Crate `vello_dev_macros`

No external dependencies! 🙌

Crate `vello_sparse_tests`

Dependencies

(5 total, 1 outdated)

Crate	Required	Latest	Status
wasm-bindgen-test	`^0.3.50`	`0.3.55`	up to date
web-sys	`^0.3.77`	`0.3.82`	up to date
wasm-bindgen	`^0.2.100`	`0.2.105`	up to date
wasm-bindgen-futures	`^0.4.50`	`0.4.55`	up to date
wasmparser	`^0.235.0`	`0.241.2`	out of date

Crate `vello_filters_cpu`

No external dependencies! 🙌

Security Vulnerabilities

`hashbrown`: Borsh serialization of HashMap is non-canonical

RUSTSEC-2024-0402

The borsh serialization of the HashMap did not follow the borsh specification. It potentially produced non-canonical encodings dependent on insertion order. It also did not perform canonicty checks on decoding.

This can result in consensus splits and cause equivalent objects to be considered distinct.

This was patched in 0.15.1.

`tracing-subscriber`: Logging user input may result in poisoning logs with ANSI escape sequences

RUSTSEC-2025-0055

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

Manipulate terminal title bars
Clear screens or modify terminal display
Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

This was patched in PR #3368 to escape ANSI control characters from user input.

linebender / vello

Crate vello

Crate vello_encoding

Dependencies

Crate vello_shaders

Dependencies

Build dependencies

Crate vello_tests

Dependencies

Crate xtask

Crate headless

Dependencies

Crate run_wasm

Dependencies

Crate scenes

Dependencies

Crate simple

Dependencies

Crate with_winit

Dependencies

Crate vello_api

Crate vello_bench

Dependencies

Crate vello_common

Dependencies

Crate vello_cpu

Crate wasm_cpu

Dependencies

Dev dependencies

Crate vello_hybrid

Dependencies

Dev dependencies

Crate vello_sparse_shaders

Dependencies

Build dependencies

Crate native_webgl

Dependencies

Dev dependencies

Crate vello_example_scenes

Dependencies

Crate wgpu_webgl

Dependencies

Dev dependencies

Crate vello_hybrid_winit

Crate vello_toy

Crate vello_dev_macros

Crate vello_sparse_tests

Dependencies

Crate vello_filters_cpu

Security Vulnerabilities

hashbrown: Borsh serialization of HashMap is non-canonical

tracing-subscriber: Logging user input may result in poisoning logs with ANSI escape sequences

Crate `vello`

Crate `vello_encoding`

Crate `vello_shaders`

Crate `vello_tests`

Crate `xtask`

Crate `headless`

Crate `run_wasm`

Crate `scenes`

Crate `simple`

Crate `with_winit`

Crate `vello_api`

Crate `vello_bench`

Crate `vello_common`

Crate `vello_cpu`

Crate `wasm_cpu`

Crate `vello_hybrid`

Crate `vello_sparse_shaders`

Crate `native_webgl`

Crate `vello_example_scenes`

Crate `wgpu_webgl`

Crate `vello_hybrid_winit`

Crate `vello_toy`

Crate `vello_dev_macros`

Crate `vello_sparse_tests`

Crate `vello_filters_cpu`

`hashbrown`: Borsh serialization of HashMap is non-canonical

`tracing-subscriber`: Logging user input may result in poisoning logs with ANSI escape sequences