This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate pigeon-rs


(20 total, 2 outdated, 2 possibly insecure)

 anyhow^ to date
 rusoto_ses^ to date
 rusoto_core^ to date
 rusoto_credential^ to date
 yaml-rust ⚠️^ insecure
 serde^ to date
 serde_yaml^0.9.340.9.34+deprecatedup to date
 tokio^1.371.38.1up to date
 csv^ to date
 clap^ to date
 chrono ⚠️^ insecure
 polars^0.320.41.3out of date
 connectorx^ to date
 postgres^ to date
 url^ to date
 uuid^ to date
 lettre^ to date
 infer^ of date
 bytes^ to date
 base64^ to date

Dev dependencies

(3 total, all up-to-date)

 assert_cmd^ to date
 predicates^ to date
 tempfile^ to date

Security Vulnerabilities

yaml-rust: Uncontrolled recursion leads to abort in deserialization


Affected versions of this crate did not prevent deep recursion while deserializing data structures.

This allows an attacker to make a YAML file with deeply nested structures that causes an abort while deserializing it.

The flaw was corrected by checking the recursion depth.

Note: clap 2.33 is not affected by this because it uses yaml-rust in a way that doesn't trigger the vulnerability. More specifically:

  1. The input to the YAML parser is always trusted - is included at compile time via include_str!.

  2. The nesting level is never deep enough to trigger the overflow in practice (at most 5).

chrono: Potential segfault in `localtime_r` invocations



Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.


No workarounds are known.