Deps.rs

quambene / pigeon-rs

[![dependency status](https://deps.rs/repo/github/quambene/pigeon-rs/status.svg)](https://deps.rs/repo/github/quambene/pigeon-rs)

This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate pigeon-rs

Dependencies

(20 total, 1 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.01.0.82up to date
 rusoto_ses^0.48.00.48.0up to date
 rusoto_core^0.48.00.48.0up to date
 rusoto_credential^0.48.00.48.0up to date
 yaml-rust ⚠️^0.40.4.5maybe insecure
 serde^1.01.0.200up to date
 serde_yaml^0.9.340.9.34+deprecatedup to date
 tokio^1.371.37.0up to date
 csv^1.31.3.0up to date
 clap^4.5.44.5.4up to date
 chrono ⚠️^0.40.4.38maybe insecure
 polars^0.320.39.2out of date
 connectorx^0.3.20.3.2up to date
 postgres^0.19.20.19.7up to date
 url^2.52.5.0up to date
 uuid^1.81.8.0up to date
 lettre^0.110.11.7up to date
 infer^0.150.15.0up to date
 bytes^1.61.6.0up to date
 base64^0.220.22.1up to date

Dev dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 assert_cmd^2.0.142.0.14up to date
 predicates^3.1.03.1.0up to date
 tempfile^3.10.13.10.1up to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References