This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.
prism-mcp-rs(47 total, 10 outdated, 4 possibly insecure)
| Crate | Required | Latest | Status |
|---|---|---|---|
| serde | ^1.0 | 1.0.219 | up to date |
| serde_json | ^1.0 | 1.0.143 | up to date |
| serde_yaml | ^0.9 | 0.9.34+deprecated | up to date |
| tokio | ^1.34 | 1.47.1 | up to date |
| async-trait | ^0.1 | 0.1.89 | up to date |
| tracing | ^0.1 | 0.1.41 | up to date |
| tracing-subscriber | ^0.3 | 0.3.19 | up to date |
| thiserror | ^2.0 | 2.0.16 | up to date |
| anyhow | ^1.0 | 1.0.99 | up to date |
| chrono ⚠️ | ^0.4 | 0.4.41 | maybe insecure |
| futures | ^0.3 | 0.3.31 | up to date |
| tokio-util | ^0.7 | 0.7.16 | up to date |
| bytes | ^1.5 | 1.10.1 | up to date |
| pin-project | ^1.1 | 1.1.10 | up to date |
| once_cell | ^1.19 | 1.21.3 | up to date |
| indexmap | ^2.0 | 2.10.0 | up to date |
| dashmap | ^6.1.0 | 6.1.0 | up to date |
| parking_lot | ^0.12 | 0.12.4 | up to date |
| reqwest | ^0.12 | 0.12.23 | up to date |
| hyper | ^1.6 | 1.7.0 | up to date |
| tower | ^0.5 | 0.5.2 | up to date |
| tower-http | ^0.6 | 0.6.6 | up to date |
| axum | ^0.7 | 0.8.4 | out of date |
| tokio-tungstenite | ^0.20 | 0.27.0 | out of date |
| tungstenite ⚠️ | ^0.20 | 0.27.0 | out of date |
| libloading | ^0.8 | 0.8.8 | up to date |
| jsonwebtoken | ^9.1 | 9.3.1 | up to date |
| argon2 | ^0.5 | 0.5.3 | up to date |
| rustls ⚠️ | ^0.21 | 0.23.31 | out of date |
| tokio-rustls | ^0.24 | 0.26.2 | out of date |
| color-eyre | ^0.6 | 0.6.5 | up to date |
| url | ^2.5 | 2.5.4 | up to date |
| rand | ^0.8 | 0.9.2 | out of date |
| brotli | ^7.0 | 8.0.2 | out of date |
| zstd | ^0.13 | 0.13.3 | up to date |
| notify | ^6.1 | 8.2.0 | out of date |
| base64 | ^0.22 | 0.22.1 | up to date |
| sha2 | ^0.10 | 0.10.9 | up to date |
| futures-util | ^0.3 | 0.3.31 | up to date |
| tokio-stream | ^0.1 | 0.1.17 | up to date |
| h2 ⚠️ | ^0.4 | 0.4.12 | maybe insecure |
| flate2 | ^1.0 | 1.1.2 | up to date |
| uuid | ^1.10 | 1.18.0 | up to date |
| http | ^1.3 | 1.3.1 | up to date |
| dirs | ^5.0 | 6.0.0 | out of date |
| fastrand | ^2.3 | 2.3.0 | up to date |
| criterion | ^0.5 | 0.7.0 | out of date |
(14 total, 3 outdated)
| Crate | Required | Latest | Status |
|---|---|---|---|
| proptest | ^1.3 | 1.7.0 | up to date |
| test-log | ^0.2 | 0.2.18 | up to date |
| env_logger | ^0.10 | 0.11.8 | out of date |
| tokio-test | ^0.4 | 0.4.4 | up to date |
| mockito | ^1.2 | 1.7.0 | up to date |
| wiremock | ^0.6 | 0.6.4 | up to date |
| serial_test | ^3.0 | 3.2.0 | up to date |
| tempfile | ^3.8 | 3.21.0 | up to date |
| regex | ^1.10 | 1.11.1 | up to date |
| rstest | ^0.18 | 0.26.1 | out of date |
| fake | ^2.8 | 4.4.0 | out of date |
| quickcheck | ^1.0 | 1.0.3 | up to date |
| quickcheck_macros | ^1.0 | 1.1.0 | up to date |
| insta | ^1.34 | 1.43.1 | up to date |
chrono: Potential segfault in `localtime_r` invocationsUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
No workarounds are known.
tungstenite: Tungstenite allows remote attackers to cause a denial of serviceThe Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).
h2: Degradation of service in h2 servers with CONTINUATION FloodAn attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely.
This results in an increase in CPU usage.
Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.
More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.
Patches available for 0.4.x and 0.3.x versions.
rustls: `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network inputIf a close_notify alert is received during a handshake, complete_io
does not terminate.
Callers which do not call complete_io are not affected.
rustls-tokio and rustls-ffi do not call complete_io
and are not affected.
rustls::Stream and rustls::StreamOwned types use
complete_io and are affected.