This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate poem-derive

No external dependencies! 🙌

Crate poem

Dependencies

(50 total, 3 outdated, 1 possibly insecure)

CrateRequiredLatestStatus
 async-trait^0.1.510.1.79up to date
 http^1.0.01.1.0up to date
 hyper^1.0.01.2.0up to date
 hyper-util^0.1.10.1.3up to date
 http-body-util^0.1.00.1.1up to date
 tokio-util^0.7.00.7.10up to date
 parking_lot^0.12.00.12.1up to date
 pin-project-lite^0.2.70.2.13up to date
 percent-encoding^2.1.02.3.1up to date
 smallvec^1.6.11.13.2up to date
 headers^0.4.00.4.0up to date
 rfc7239^0.1.00.1.0up to date
 wildmatch^22.3.3up to date
 sync_wrapper^0.1.21.0.0out of date
 multer^3.0.03.0.0up to date
 tokio-tungstenite^0.21.00.21.0up to date
 rustls-pemfile^2.0.02.1.1up to date
 async-compression^0.4.00.4.6up to date
 tower^0.4.80.4.13up to date
 time^0.30.3.34up to date
 mime_guess^2.0.32.0.4up to date
 rand^0.8.40.8.5up to date
 redis^0.25.20.25.2up to date
 cookie^0.180.18.1up to date
 opentelemetry-http^0.11.00.11.1up to date
 opentelemetry-semantic-conventions^0.14.00.14.0up to date
 opentelemetry-prometheus^0.15.00.15.0up to date
 prometheus^0.13.00.13.3up to date
 opentelemetry^0.22.00.22.0up to date
 tempfile^3.2.03.10.1up to date
 priority-queue^2.0.22.0.2up to date
 tokio-native-tls^0.3.00.3.1up to date
 tokio-openssl^0.6.30.6.4up to date
 openssl^0.10.560.10.64up to date
 csrf^0.4.10.4.1up to date
 httpdate^1.0.21.0.3up to date
 sse-codec^0.3.20.3.2up to date
 fluent^0.16.00.16.0up to date
 fluent-langneg^0.13.00.14.0out of date
 fluent-syntax^0.11.00.11.0up to date
 unic-langid^0.9.00.9.4up to date
 intl-memoizer^0.5.10.5.1up to date
 ring^0.17.70.17.8up to date
 rcgen^0.12.00.13.0out of date
 x509-parser^0.16.00.16.0up to date
 tokio-metrics^0.3.00.3.1up to date
 rust-embed^8.08.3.0up to date
 hex^0.40.4.3up to date
 anyhow^1.0.01.0.81up to date
 eyre ⚠️^0.60.6.12maybe insecure

Dev dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 async-stream^0.3.20.3.5up to date

Crate poem-openapi-derive

Dependencies

(1 total, all up-to-date)

CrateRequiredLatestStatus
 http^1.0.01.1.0up to date

Crate poem-openapi

Dependencies

(14 total, all up-to-date)

CrateRequiredLatestStatus
 derive_more^0.99.160.99.17up to date
 num-traits^0.2.140.2.18up to date
 email_address^0.2.10.2.4up to date
 hostname-validator^1.1.01.1.1up to date
 time^0.3.90.3.34up to date
 uuid^1.1.01.8.0up to date
 url^2.2.22.5.0up to date
 bson^2.0.02.9.0up to date
 rust_decimal^1.22.01.35.0up to date
 humantime^2.1.02.1.0up to date
 ipnet^2.7.12.9.0up to date
 prost-wkt-types^0.5.00.5.0up to date
 geo-types^0.7.120.7.13up to date
 geojson^0.24.10.24.1up to date

Crate poem-lambda

Dependencies

(1 total, 1 outdated)

CrateRequiredLatestStatus
 lambda_http^0.10.00.11.0out of date

Crate poem-grpc-build

Dependencies

(2 total, all up-to-date)

CrateRequiredLatestStatus
 prettyplease^0.2.90.2.17up to date
 prost-build^0.12.00.12.3up to date

Crate poem-grpc

Dependencies

(14 total, 1 outdated)

CrateRequiredLatestStatus
 async-stream^0.3.30.3.5up to date
 flate2^1.0.241.0.28up to date
 itoa^1.0.21.0.11up to date
 percent-encoding^2.1.02.3.1up to date
 prost^0.12.00.12.3up to date
 base64^0.21.00.22.0out of date
 prost-types^0.12.00.12.3up to date
 fastrand^2.0.02.0.2up to date
 http^1.0.01.1.0up to date
 hyper^1.0.01.2.0up to date
 hyper-util^0.1.10.1.3up to date
 http-body-util^0.1.00.1.1up to date
 tower-service^0.3.20.3.2up to date
 webpki-roots^0.260.26.1up to date

Security Vulnerabilities

eyre: Parts of Report are dropped as the wrong type during downcast

RUSTSEC-2024-0021

In affected versions, after a Report is constructed using wrap_err or wrap_err_with to attach a message of type D onto an error of type E, then using downcast to recover ownership of either the value of type D or the value of type E, one of two things can go wrong:

  • If downcasting to E, there remains a value of type D to be dropped. It is incorrectly "dropped" by running E's drop behavior, rather than D's. For example if D is &str and E is std::io::Error, there would be a call of std::io::Error::drop in which the reference received by the Drop impl does not refer to a valid value of type std::io::Error, but instead to &str.

  • If downcasting to D, there remains a value of type E to be dropped. When D and E do not happen to be the same size, E's drop behavior is incorrectly executed in the wrong location. The reference received by the Drop impl may point left or right of the real E value that is meant to be getting dropped.

In both cases, when the Report contains an error E that has nontrivial drop behavior, the most likely outcome is memory corruption.

When the Report contains an error E that has trivial drop behavior (for example a Utf8Error) but where D has nontrivial drop behavior (such as String), the most likely outcome is that downcasting to E would leak D.