This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
poof(23 total, 1 outdated, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| clap | ^4.6 | 4.6.0 | up to date |
| clap_complete | ^4.6 | 4.6.0 | up to date |
| clap_complete_nushell | ^4.6 | 4.6.0 | up to date |
| dirs | ^6.0 | 6.0.0 | up to date |
| errno | ^0.3 | 0.3.14 | up to date |
| lazy_static | ^1.5.0 | 1.5.0 | up to date |
| libc | ^0.2 | 0.2.183 | up to date |
| reqwest | ^0.12.24 | 0.13.2 | out of date |
| serde | ^1.0 | 1.0.228 | up to date |
| zip | ^8.4 | 8.4.0 | up to date |
| tar ⚠️ | ^0.4 | 0.4.45 | maybe insecure |
| flate2 | ^1.1 | 1.1.9 | up to date |
| xz2 | ^0.1 | 0.1.7 | up to date |
| bzip2 | ^0.6 | 0.6.1 | up to date |
| sevenz-rust2 | ^0.20 | 0.20.2 | up to date |
| log | ^0.4.27 | 0.4.29 | up to date |
| env_logger | ^0.11.10 | 0.11.10 | up to date |
| regex | ^1.11.1 | 1.12.3 | up to date |
| rayon | ^1.11.0 | 1.11.0 | up to date |
| semver | ^1.0.26 | 1.0.27 | up to date |
| anyhow | ^1.0 | 1.0.102 | up to date |
| which | ^8.0.2 | 8.0.2 | up to date |
| zstd | ^0.13.3 | 0.13.3 | up to date |
(9 total, all up-to-date)
| Crate | Required | Latest | Status |
|---|---|---|---|
| clap_mangen | ^0.2.33 | 0.2.33 | up to date |
| tempfile | ^3 | 3.27.0 | up to date |
| serial_test | ^3 | 3.4.0 | up to date |
| predicates | ^3.1.4 | 3.1.4 | up to date |
| assert_cmd | ^2.2.0 | 2.2.0 | up to date |
| serde_json | ^1.0 | 1.0.149 | up to date |
| temp-env | ^0.3 | 0.3.6 | up to date |
| mockito | ^1.7 | 1.7.2 | up to date |
| ron | ^0.12 | 0.12.0 | up to date |
(4 total, 1 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| build_cfg | ^1.1.0 | 1.1.0 | up to date |
| chrono ⚠️ | ^0.4 | 0.4.44 | maybe insecure |
| clap_mangen | ^0.2.33 | 0.2.33 | up to date |
| glibc_version | ^0.1.2 | 0.1.2 | up to date |
chrono: Potential segfault in `localtime_r` invocationsUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
tar: `unpack_in` can chmod arbitrary directories by following symlinksIn versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar
crate's unpack_dir function uses fs::metadata() to check
whether a path that already exists is a directory. Because fs::metadata()
follows symbolic links, a crafted tarball containing a symlink entry followed
by a directory entry with the same name causes the crate to treat the symlink
target as a valid existing directory — and subsequently apply chmod to it. This
allows an attacker to modify the permissions of arbitrary directories outside
the extraction root.
This issue has been fixed in version 0.4.45.
tar: tar-rs incorrectly ignores PAX size headers if header size is nonzeroVersions 0.4.44 and below of tar-rs have conditional logic that skips the PAX size header in cases where the base header size is nonzero.
As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. This is almost the inverse of the astral-tokio-tar issue.
Any discrepancy in how tar parsers honor file size can be used to create
archives that appear differently when unpacked by different archivers. In this
case, the tar-rs (Rust tar) crate is an outlier in checking for the header size
— other tar parsers (including e.g. Go archive/tar) unconditionally
use the PAX size override. This can affect anything that uses the tar crate to
parse archives and expects to have a consistent view with other parsers.
This issue has been fixed in version 0.4.45.