unionlabs / union

Crate	Required	Latest	Status
cosmwasm-schema	`^1.5`	`3.0.2`	out of date
cosmwasm-std	`^1.5.11`	`3.0.2`	out of date
cw-storage-plus	`^1.2`	`3.0.1`	out of date

Crate	Required	Latest	Status
serde-json-wasm ⚠️	`^1.0`	`1.0.1`	maybe insecure

Crate	Required	Latest	Status
cw-multi-test	`^2.4`	`3.0.1`	out of date
cw20	`^2.0.0`	`2.0.0`	up to date

Crate	Required	Latest	Status
cw20	`^2.0.0`	`2.0.0`	up to date
serde-json-wasm ⚠️	`^1.0`	`1.0.1`	maybe insecure

Crate	Required	Latest	Status
serde-json-wasm ⚠️	`^1.0`	`1.0.1`	maybe insecure
strum	`^0.26.3`	`0.27.2`	out of date

Crate	Required	Latest	Status
cliclack	`^0.2.5`	`0.3.6`	out of date
console	`^0.15.11`	`0.16.0`	out of date
strum	`^0.26.3`	`0.27.2`	out of date

Crate	Required	Latest	Status
async-nats	`^0.41.0`	`0.42.0`	out of date
backon	`^0.4.4`	`1.5.2`	out of date
base58	`^0.2.0`	`0.2.0`	up to date
bech32	`^0.11.0`	`0.11.0`	up to date
bytes	`^1.10.1`	`1.10.1`	up to date
lz4_flex	`^0.11.3`	`0.11.5`	up to date
prometheus	`^0.13.4`	`0.14.0`	out of date
ruint	`^1.15.0`	`1.16.0`	up to date
tempfile	`^3.20.0`	`3.21.0`	up to date
tracing-error	`^0.2.1`	`0.2.1`	up to date
url	`^2.5.4`	`2.5.7`	up to date
valuable	`^0.1.1`	`0.1.1`	up to date
tikv-jemallocator	`^0.5`	`0.6.0`	out of date

Crate	Required	Latest	Status
moka	`^0.12.10`	`0.12.10`	up to date

Crate	Required	Latest	Status
hex-literal	`^0.4.1`	`1.0.0`	out of date
serde_json	`^1.0.140`	`1.0.143`	up to date
serde_path_to_error	`^0.1.17`	`0.1.17`	up to date

Crate	Required	Latest	Status
num-rational	`^0.4.2`	`0.4.2`	up to date
num-traits	`^0.2.19`	`0.2.19`	up to date

Crate	Required	Latest	Status
rand	`^0.8.5`	`0.9.2`	out of date

Crate	Required	Latest	Status
tracing-subscriber	`^0.3.19`	`0.3.19`	up to date

Crate	Required	Latest	Status
ark-bls12-381	`^0.4`	`0.5.0`	out of date
substrate-bn	`^0.6`	`0.6.0`	up to date

Crate	Required	Latest	Status
ark-bn254	`^0.4`	`0.5.0`	out of date
ark-ff	`^0.4.2`	`0.5.0`	out of date
ark-serialize	`^0.4.2`	`0.5.0`	out of date

Crate	Required	Latest	Status
ark-bls12-377	`^0.4`	`0.5.0`	out of date
ark-bn254	`^0.4`	`0.5.0`	out of date
ark-ff	`^0.4`	`0.5.0`	out of date

Crate	Required	Latest	Status
proc-macro2	`^1.0.95`	`1.0.101`	up to date

Crate	Required	Latest	Status
futures-util	`^0.3.31`	`0.3.31`	up to date

Crate	Required	Latest	Status
ethereum-types	`^0.14`	`0.15.1`	out of date
ff_ce	`^0.14`	`0.14.3`	up to date
rand	`^0.4`	`0.9.2`	out of date

Crate	Required	Latest	Status
criterion	`^0.3`	`0.7.0`	out of date

Crate	Required	Latest	Status
primitive-types	`^0.12.2`	`0.13.1`	out of date

Crate	Required	Latest	Status
proc-macro2	`^1.0.95`	`1.0.101`	up to date

Crate	Required	Latest	Status
trybuild	`^1.0.105`	`1.0.110`	up to date

Crate	Required	Latest	Status
serde_json	`^1.0.140`	`1.0.143`	up to date

Crate	Required	Latest	Status
serde_json	`^1.0.140`	`1.0.143`	up to date
tracing-subscriber	`^0.3.19`	`0.3.19`	up to date

Crate	Required	Latest	Status
derivative	`^2.2.0`	`2.2.0`	up to date
smallvec	`^1.15.0`	`1.15.1`	up to date

Crate	Required	Latest	Status
serde_yaml	`^0.9.34`	`0.9.34+deprecated`	up to date
snap	`^1.1.1`	`1.1.1`	up to date

Crate	Required	Latest	Status
serde_yaml	`^0.9.34`	`0.9.34+deprecated`	up to date
snap	`^1.1.1`	`1.1.1`	up to date

Crate	Required	Latest	Status
proc-macro2	`^1.0.95`	`1.0.101`	up to date

Crate	Required	Latest	Status
k256	`^0.13.4`	`0.13.4`	up to date
near-primitives-core	`^0.21`	`0.31.0`	out of date
serde_bytes	`^0.11.17`	`0.11.17`	up to date

Crate	Required	Latest	Status
rand	`^0.8.5`	`0.9.2`	out of date

Crate	Required	Latest	Status
serde_bytes	`^0.11.17`	`0.11.17`	up to date
uint	`^0.9.5`	`0.10.0`	out of date

Crate	Required	Latest	Status
ark-ff	`^0.4.2`	`0.5.0`	out of date
byteorder	`^1.5`	`1.5.0`	up to date
substrate-bn	`^0.6`	`0.6.0`	up to date

Crate	Required	Latest	Status
substrate-bn	`^0.6`	`0.6.0`	up to date

Crate	Required	Latest	Status
hash-db	`^0.16.0`	`0.16.0`	up to date
hash256-std-hasher	`^0.15.2`	`0.15.2`	up to date
memory-db	`^0.32.0`	`0.34.0`	out of date
trie-db	`^0.28`	`0.30.0`	out of date

Crate	Required	Latest	Status
blst	`^0.3.14`	`0.3.15`	up to date

Crate	Required	Latest	Status
ed25519-dalek	`^2.1.1`	`2.2.0`	up to date

Crate	Required	Latest	Status
blake2	`^0.10.6`	`0.10.6`	up to date
roaring	`^0.10.12`	`0.11.2`	out of date
serde_repr	`^0.1.20`	`0.1.20`	up to date

Crate	Required	Latest	Status
num-rational	`^0.4.2`	`0.4.2`	up to date
rand	`^0.6`	`0.9.2`	out of date
rand_chacha	`^0.3.1`	`0.9.0`	out of date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
ark-bls12-381	`^0.5.0`	`0.5.0`	up to date
ark-ec	`^0.5.0`	`0.5.0`	up to date
ark-serialize	`^0.5.0`	`0.5.0`	up to date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
lazy_static	`^1.5.0`	`1.5.0`	up to date

Crate	Required	Latest	Status
blake2	`^0.10.6`	`0.10.6`	up to date
serde_repr	`^0.1.20`	`0.1.20`	up to date

Crate	Required	Latest	Status
bip39	`^2.1.0`	`2.2.0`	up to date
cosmwasm-std	`^2.2.2`	`3.0.2`	out of date
ed25519-compact	`^2.1.1`	`2.1.1`	up to date
strum	`^0.26.3`	`0.27.2`	out of date
tiny-hderive	`^0.3.0`	`0.3.0`	up to date

Crate	Required	Latest	Status
cargo-util-schemas	`^0.1.0`	`0.9.0`	out of date
cargo_metadata	`^0.18.1`	`0.22.0`	out of date

Crate	Required	Latest	Status
proc-macro2	`^1.0.95`	`1.0.101`	up to date

Crate	Required	Latest	Status
fs_extra	`^1.3.0`	`1.3.0`	up to date

Crate	Required	Latest	Status
tempfile	`^3.20.0`	`3.21.0`	up to date
tracing-test	`^0.2.5`	`0.2.5`	up to date

Crate	Required	Latest	Status
pin-utils	`^0.1.0`	`0.1.0`	up to date
prometheus	`^0.13.4`	`0.14.0`	out of date
serde_jsonc	`^1.0.108`	`1.0.108`	up to date
tikv-jemallocator	`^0.5`	`0.6.0`	out of date
tower	`^0.4.13`	`0.5.2`	out of date
tower-http	`^0.6.4`	`0.6.6`	up to date
tracing-futures	`^0.2.5`	`0.2.5`	up to date

`regex`: Regexes with large repetitions on empty sub-expressions take a very long time to parse

RUSTSEC-2022-0013

The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.

This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.

Overview

The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.

Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.

Affected versions

All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5.

Mitigations

We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the regex crate.

Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.

Acknowledgements

We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.

We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.

`tokio`: reject_remote_clients Configuration corruption

RUSTSEC-2023-0001

On Windows, configuring a named pipe server with pipe_mode will force ServerOptions::reject_remote_clients as false.

This drops any intended explicit configuration for the reject_remote_clients that may have been set as true previously.

The default setting of reject_remote_clients is normally true meaning the default is also overridden as false.

Workarounds

Ensure that pipe_mode is set first after initializing a ServerOptions. For example:

let mut opts = ServerOptions::new();
opts.pipe_mode(PipeMode::Message);
opts.reject_remote_clients(true);

`serde-json-wasm`: Stack overflow during recursive JSON parsing

RUSTSEC-2024-0012

When parsing untrusted, deeply nested JSON, the stack may overflow, possibly enabling a Denial of Service attack. This was fixed by adding a check for recursion depth.

Crate	Required	Latest	Status
async-graphql	`^7.0.17`	`7.0.17`	up to date
async-graphql-axum	`^7.0.17`	`7.0.17`	up to date
async-sqlite	`^0.2.2`	`0.5.3`	out of date
axum	`^0.7.9`	`0.8.4`	out of date

Crate	Required	Latest	Status
async-sqlite	`^0.2.2`	`0.5.3`	out of date
crossterm	`^0.27.0`	`0.29.0`	out of date
futures-util	`^0.3`	`0.3.31`	up to date
http-body-util	`^0.1`	`0.1.3`	up to date
httpdate	`^1.0`	`1.0.3`	up to date
hyper	`^1`	`1.7.0`	up to date
hyper-util	`^0.1`	`0.1.16`	up to date
pgp	`^0.13`	`0.16.0`	out of date
ratatui	`^0.27.0`	`0.29.0`	out of date
throbber-widgets-tui	`^0.6`	`0.8.0`	out of date

Crate	Required	Latest	Status
indexmap	`^2.9.0`	`2.11.0`	up to date
moka	`^0.12.10`	`0.12.10`	up to date

Crate	Required	Latest	Status
derive_builder	`^0.20.2`	`0.20.2`	up to date
indexmap	`^2.9.0`	`2.11.0`	up to date
jaq-core	`^2.2.0`	`2.2.1`	up to date
jaq-json	`^1.1.2`	`1.1.3`	up to date
jaq-std	`^2.1.1`	`2.1.2`	up to date
moka	`^0.12.10`	`0.12.10`	up to date
pin-utils	`^0.1.0`	`0.1.0`	up to date
tower	`^0.5`	`0.5.2`	up to date
tower-http	`^0.6.4`	`0.6.6`	up to date

Crate	Required	Latest	Status
cw2	`^2.0.0`	`3.0.0`	out of date
cw20	`^2.0.0`	`2.0.0`	up to date
semver	`^1`	`1.0.26`	up to date

Crate	Required	Latest	Status
cw-multi-test	`^2.4.0`	`3.0.1`	out of date
cw-utils	`^2.0.0`	`3.0.0`	out of date

Crate	Required	Latest	Status
bytemuck	`^1.23`	`1.23.2`	up to date
const-hex	`^1.14.1`	`1.15.0`	up to date

Crate	Required	Latest	Status
bytemuck	`^1.23.0`	`1.23.2`	up to date
elf	`^0.7.4`	`0.8.0`	out of date

Crate	Required	Latest	Status
paste	`^1.0`	`1.0.15`	up to date
wasmparser	`^0.113`	`0.238.0`	out of date

Crate	Required	Latest	Status
once_cell	`^1.17`	`1.21.3`	up to date
serial_test	`^0.5`	`3.2.0`	out of date
tokio ⚠️	`^1`	`1.47.1`	maybe insecure

unionlabs / union

Crate token-factory-api

Crate ucs00-pingpong

Dependencies

Crate ibc-union-ucs00-pingpong

Crate ucs03-zkgm

Dependencies

Dev dependencies

Crate ucs06-funded-dispatch

Dependencies

Crate multicall

Crate ibc-union

Dependencies

Crate ibc-union-msg

Crate ibc-union-light-client

Crate devnet-compose

Dependencies

Crate ensure-blocks

Crate protos

Crate hubble

Dependencies

Crate beacon-api

Dependencies

Crate cometbft-rpc

Dev dependencies

Crate cosmos-client

Dependencies

Crate cometbft-types

Crate concurrent-keyring

Dependencies

Dev dependencies

Crate gnark-key-parser

Dependencies

Dev dependencies

Crate gnark-mimc

Dependencies

Crate ics008-wasm-client

Crate ics23

Crate linea-verifier

Crate linea-zktrie

Crate macros

Dependencies

Crate pg-queue

Dependencies

Crate poseidon-rs

Dependencies

Dev dependencies

Build dependencies

Crate subset-of-derive

Dependencies

Dev dependencies

Crate scroll-api

Dev dependencies

Crate scroll-codec

Crate scroll-rpc

Dev dependencies

Crate arbitrum-types

Crate arbitrum-client

Crate bob-types

Crate base-client

Crate bob-client

Crate serde-utils

Crate ssz

Dependencies

Dev dependencies

Crate ssz-tests-generator

Dependencies

Crate ssz-derive

Dependencies

Crate unionlabs

Dependencies

Dev dependencies

Crate unionlabs-primitives

Dependencies

Crate unionlabs-encoding

Crate zktrie

Crate galois-rpc

Crate cosmos-sdk-event

Crate frissitheto

Crate parlia-types

Crate `token-factory-api`

Crate `ucs00-pingpong`

Crate `ibc-union-ucs00-pingpong`

Crate `ucs03-zkgm`

Crate `ucs06-funded-dispatch`

Crate `multicall`

Crate `ibc-union`

Crate `ibc-union-msg`

Crate `ibc-union-light-client`

Crate `devnet-compose`

Crate `ensure-blocks`

Crate `protos`

Crate `hubble`

Crate `beacon-api`

Crate `cometbft-rpc`

Crate `cosmos-client`

Crate `cometbft-types`

Crate `concurrent-keyring`

Crate `gnark-key-parser`

Crate `gnark-mimc`

Crate `ics008-wasm-client`

Crate `ics23`

Crate `linea-verifier`

Crate `linea-zktrie`

Crate `macros`

Crate `pg-queue`

Crate `poseidon-rs`

Crate `subset-of-derive`

Crate `scroll-api`

Crate `scroll-codec`

Crate `scroll-rpc`

Crate `arbitrum-types`

Crate `arbitrum-client`

Crate `bob-types`

Crate `base-client`

Crate `bob-client`

Crate `serde-utils`

Crate `ssz`

Crate `ssz-tests-generator`

Crate `ssz-derive`

Crate `unionlabs`

Crate `unionlabs-primitives`

Crate `unionlabs-encoding`

Crate `zktrie`

Crate `galois-rpc`

Crate `cosmos-sdk-event`

Crate `frissitheto`

Crate `parlia-types`

Crate `ibc-solidity`

Crate `base-verifier`

Crate `bob-verifier`

Crate `arbitrum-verifier`

Crate `cometbls-groth16-verifier`

Crate `ethereum-sync-protocol`

Crate `ethereum-sync-protocol-types`

Crate `evm-storage-verifier`

Crate `parlia-verifier`

Crate `scroll-verifier`

Crate `tendermint-verifier`

Crate `base-light-client-types`

Crate `bob-light-client-types`

Crate `arbitrum-light-client-types`

Crate `berachain-light-client-types`

Crate `cometbls-light-client-types`

Crate `tendermint-light-client-types`

Crate `ethereum-light-client-types`

Crate `ethermint-light-client-types`

Crate `movement-light-client-types`

Crate `parlia-light-client-types`

Crate `trusted-mpt-light-client-types`

Crate `linea-light-client-types`

Crate `scroll-light-client-types`

Crate `state-lens-ics23-mpt-light-client-types`

Crate `state-lens-ics23-ics23-light-client-types`

Crate `state-lens-ics23-smt-light-client-types`

Crate `sui-light-client-types`

Crate `cosmwasm-deployer`

Crate `arbitrum-light-client`

Crate `base-light-client`

Crate `berachain-light-client`