This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate sfsu

Dependencies

(62 total, 1 outdated, 2 possibly insecure)

Crate              Required   Latest              Status
anyhow             ^1.0       1.0.101             up to date
base64             ^0.22      0.22.1              up to date
bat                ^0.26      0.26.1              up to date
blake3             ^1.8       1.8.3               up to date
bytes ⚠️           ^1.10      1.11.1              maybe insecure
cfg-if             ^1.0       1.0.4               up to date
chrono ⚠️          ^0.4       0.4.43              maybe insecure
clap               ^4.5       4.5.57              up to date
console            ^0.16      0.16.2              up to date
const_format       ^0.2       0.2.35              up to date
crossterm          ^0.29      0.29.0              up to date
derive_more        ^2.0       2.1.1               up to date
dialoguer          ^0.12      0.12.0              up to date
digest             ^0.10      0.10.7              up to date
dirs               ^6.0       6.0.0               up to date
dunce              ^1.0       1.0.5               up to date
futures            ^0.3       0.3.31              up to date
git2               ^0.20      0.20.4              up to date
gix                ^0.78      0.78.0              up to date
gix-object         ^0.55      0.55.0              up to date
glob               ^0.3.3     0.3.3               up to date
hashbrown          ^0.16      0.16.1              up to date
heck               ^0.5       0.5.0               up to date
human-panic        ^2.0       2.0.6               up to date
indexmap           ^2.13      2.13.0              up to date
indicatif          ^0.18      0.18.3              up to date
itertools          ^0.14      0.14.0              up to date
konst              ^0.4       0.4.3               up to date
log                ^0.4       0.4.29              up to date
md-5               ^0.10      0.10.6              up to date
open               ^5.1       5.3.3               up to date
parking_lot        ^0.12      0.12.5              up to date
phf                ^0.13      0.13.1              up to date
prodash            ^31        31.0.0              up to date
quick-xml          ^0.39      0.39.0              up to date
quork              ^0.9       0.9.1               up to date
rand               ^0.9       0.10.0              out of date
ratatui            ^0.30      0.30.0              up to date
rayon              ^1.10      1.11.0              up to date
regex              ^1.12      1.12.3              up to date
reqwest            ^0.13      0.13.2              up to date
semver             ^1.0       1.0.27              up to date
serde              ^1.0       1.0.228             up to date
serde_json         ^1.0       1.0.149             up to date
serde_json_path    ^0.7       0.7.2               up to date
serde_with         ^3.8       3.16.1              up to date
sha1               ^0.10      0.10.6              up to date
sha2               ^0.10      0.10.9              up to date
shadow-rs          ^1.2       1.7.0               up to date
strum              ^0.27      0.27.2              up to date
sxd-document       ^0.3       0.3.2               up to date
sxd-xpath          ^0.4       0.4.2               up to date
thiserror          ^2.0       2.0.18              up to date
tokio              ^1.47      1.49.0              up to date
tokio-util         ^0.7       0.7.18              up to date
url                ^2.5       2.5.8               up to date
urlencoding        ^2.1       2.1.3               up to date
vt3                ^0.7       0.7.3               up to date
which              ^8.0       8.0.0               up to date
windows            ^0.62      0.62.2              up to date
windows-version    ^0.1       0.1.7               up to date
winreg             ^0.55      0.55.0              up to date

Dev dependencies

(6 total, all up-to-date)

Crate              Required   Latest              Status
anyhow             ^1.0       1.0.101             up to date
criterion          ^0.8       0.8.2               up to date
rayon              ^1.10      1.11.0              up to date
rstest             ^0.26      0.26.1              up to date
tokio              ^1.37      1.49.0              up to date
url                ^2.5       2.5.8               up to date

Build dependencies

(10 total, all up-to-date)

Crate              Required   Latest              Status
dotenv             ^0.15      0.15.0              up to date
git2               ^0.20      0.20.4              up to date
heck               ^0.5       0.5.0               up to date
phf_codegen        ^0.13      0.13.1              up to date
reqwest            ^0.13      0.13.2              up to date
serde_json         ^1.0       1.0.149             up to date
shadow-rs          ^1.0       1.7.0               up to date
tokio              ^1.37      1.49.0              up to date
toml_edit          ^0.24      0.24.0+spec-1.1.0   up to date
winres             ^0.1       0.1.12              up to date

Security Vulnerabilities

chrono: Potential segfault in `localtime_r` invocations

RUSTSEC-2020-0159

Impact

On Unix-like operating systems, chrono's calls into `localtime_r` can dereference a dangling pointer and segfault when another thread modifies the environment (for example via `setenv`) at the same time. The concurrent environment write may happen without the application author's knowledge, notably inside a third-party library. The fix landed in chrono 0.4.20; a `^0.4` requirement still admits the affected 0.4.x releases, which is why the crate is flagged here even though the latest 0.4.43 is not affected. Tightening the requirement to `>=0.4.20, <0.5` (or checking `Cargo.lock` for the resolved version) closes the gap.

Workarounds

No workarounds are known.


bytes: Integer overflow in `BytesMut::reserve`

RUSTSEC-2026-0007

In the unique reclaim path of `BytesMut::reserve` (the branch taken when a split-off view turns out to be the only remaining owner of the backing allocation), the condition

if v_capacity >= new_cap + offset

uses an unchecked addition. When `new_cap + offset` overflows `usize` in a release build, the sum wraps to a small number, the condition passes, and `self.cap` is set to a value that exceeds the real allocated capacity. APIs such as `spare_capacity_mut()` then trust the corrupted `cap` and hand out out-of-bounds slices, which is undefined behaviour (a heap buffer overflow on write).

The bug is only observable in release builds, where integer overflow wraps; debug builds panic at the addition because overflow checks are enabled there by default.

PoC

// PoC from the advisory; BufMut (for put_u8) comes in via the glob import.
use bytes::*;

fn main() {
    // 11-byte buffer backed by a Vec.
    let mut a = BytesMut::from(&b"hello world"[..]);
    // b = " world": len 6, starting at offset 5 into the same allocation.
    let mut b = a.split_off(5);

    // Drop the front half so b becomes the unique owner of the backing storage,
    // which routes the next reserve() through the unique reclaim path.
    drop(a);

    // new_cap = len + additional = 6 + (usize::MAX - 6) = usize::MAX,
    // so new_cap + offset overflows inside reserve in a release build.
    b.reserve(usize::MAX - 6);

    // Writes through the corrupted cap: undefined behaviour (heap buffer overflow).
    b.put_u8(b'h');
}

Workarounds

Users of `BytesMut::reserve` are only affected when integer overflow is configured to wrap; when overflow is configured to panic, the addition aborts before `cap` is corrupted and this issue does not apply. Note that Cargo's default release profile sets `overflow-checks = false`, so a stock release binary is affected unless its profile turns the checks on (`[profile.release] overflow-checks = true`). Tightening the `bytes` requirement to a patched release is the durable fix.
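To make the arithmetic in the advisory concrete, the following added example (not code from the advisory or from the bytes crate) models the reclaim check in isolation. `v_capacity`, `new_cap` and `offset` follow the advisory's names; the two functions are a simplification that returns the `cap` the caller would trust, not the crate's actual implementation. It assumes the PoC's 11-byte buffer has capacity 11 and that reserve computes `new_cap = len + additional`. The hardened variant uses `checked_add` so an overflowing request falls through to reallocation instead of reusing the buffer.

```rust
/// Vulnerable form of the check: the addition is unchecked. `wrapping_add`
/// is used here so the wrap happens in debug builds too; in the real crate
/// a plain `+` wraps only in release builds (overflow-checks = false).
/// Returns Some(cap) when the allocation is (wrongly or rightly) judged reusable.
fn reclaim_check_unchecked(v_capacity: usize, new_cap: usize, offset: usize) -> Option<usize> {
    if v_capacity >= new_cap.wrapping_add(offset) {
        // "No copy necessary": cap is set to the requested new_cap,
        // which per the advisory can exceed the real allocation.
        Some(new_cap)
    } else {
        None
    }
}

/// Hardened form: `checked_add` turns the overflow into "cannot reuse",
/// so the caller proceeds to a real reallocation (which fails loudly for
/// absurd sizes instead of silently corrupting `cap`).
fn reclaim_check_checked(v_capacity: usize, new_cap: usize, offset: usize) -> Option<usize> {
    match new_cap.checked_add(offset) {
        Some(needed) if v_capacity >= needed => Some(new_cap),
        _ => None,
    }
}

/// Recreates the PoC's parameters (assumption: capacity == len == 11):
/// "hello world" is 11 bytes; split_off(5) leaves the back half at
/// offset 5 with len 6; reserve(usize::MAX - 6) asks for
/// new_cap = 6 + (usize::MAX - 6) = usize::MAX, which itself does not overflow.
fn poc_parameters() -> (usize, usize, usize) {
    let v_capacity = b"hello world".len(); // 11
    let offset = 5;
    let len = v_capacity - offset;          // 6
    let additional = usize::MAX - 6;
    let new_cap = len + additional;         // usize::MAX
    (v_capacity, new_cap, offset)
}

fn main() {
    let (v_capacity, new_cap, offset) = poc_parameters();
    // new_cap + offset wraps to 4, and 11 >= 4 passes the vulnerable check.
    println!("wrapped sum      : {}", new_cap.wrapping_add(offset));
    println!("unchecked verdict: {:?}", reclaim_check_unchecked(v_capacity, new_cap, offset));
    println!("checked verdict  : {:?}", reclaim_check_checked(v_capacity, new_cap, offset));
    // A sane request (grow the 6-byte view to 6 bytes in an 11-byte buffer)
    // is still accepted by the hardened form, so the fix costs nothing.
    println!("sane, checked    : {:?}", reclaim_check_checked(v_capacity, 6, offset));
}
```

The unchecked form reports the allocation as reusable and returns a `cap` of `usize::MAX` for an 11-byte buffer; the checked form rejects the same request while still accepting legitimate ones.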