This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate pigeon-rs

Dependencies

(20 total, 2 outdated, 2 possibly insecure)

CrateRequiredLatestStatus
 anyhow^1.01.0.94up to date
 rusoto_ses^0.48.00.48.0up to date
 rusoto_core^0.48.00.48.0up to date
 rusoto_credential^0.48.00.48.0up to date
 yaml-rust ⚠️^0.40.4.5maybe insecure
 serde^1.01.0.216up to date
 serde_yaml^0.9.340.9.34+deprecatedup to date
 tokio^1.371.42.0up to date
 csv^1.31.3.1up to date
 clap^4.5.44.5.23up to date
 chrono ⚠️^0.40.4.39maybe insecure
 polars^0.320.45.1out of date
 connectorx^0.3.20.3.3up to date
 postgres^0.19.20.19.9up to date
 url^2.52.5.4up to date
 uuid^1.81.11.0up to date
 lettre^0.110.11.11up to date
 infer^0.150.16.0out of date
 bytes^1.61.9.0up to date
 base64^0.220.22.1up to date

Dev dependencies

(3 total, all up-to-date)

CrateRequiredLatestStatus
 assert_cmd^2.0.142.0.16up to date
 predicates^3.1.03.1.3up to date
 tempfile^3.10.13.14.0up to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization

RUSTSEC-2018-0006

Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.

Workarounds

No workarounds are known.

References