Icelk / kvarn

An extensible and efficient forward-thinking web server for the future.
https://kvarn.org
Apache License 2.0

Update Cargo.toml #28

Closed Dylan-DPC closed 1 year ago

Dylan-DPC commented 1 year ago

Updates dependency to the patch version of 0.3.17

Advisory

Icelk commented 1 year ago

Thanks!

Due to how cargo resolves dependencies, "0.3" and "0.3.17" are treated the same. I think ">= 0.3.17" should do the trick.

Dylan-DPC commented 1 year ago

Well, Cargo does ^ by default, which means in the first case it could potentially install any version that's >= 0.3.0, whereas in the second case it will do ^0.3.17, which means >= 0.3.17, which is what you want to ensure it doesn't pull any of the versions with the vulnerability.

Icelk commented 1 year ago

I didn't know that, thanks!
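To make the caret semantics Dylan-DPC describes concrete, here is an added Rust example (not part of this PR or of the kvarn code base) that implements Cargo's caret rules for a version requirement and checks which versions each requirement admits; the requirement strings and candidate versions are constructed to mirror the "0.3" versus "0.3.17" case above.

```rust
/// Semantic version triple; derived Ord compares major, minor, patch in order.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Splits "0.3.17" (or "^0.3.17", "0.3") into its numeric components.
fn components(s: &str) -> Vec<u64> {
    s.trim()
        .trim_start_matches('^')
        .split('.')
        .map(|p| p.parse().expect("numeric version component"))
        .collect()
}

/// Parses a full or partial version, filling missing components with 0.
pub fn version(s: &str) -> Version {
    let c = components(s);
    Version(c[0], c.get(1).copied().unwrap_or(0), c.get(2).copied().unwrap_or(0))
}

/// Half-open range [lo, hi) that a caret requirement such as "0.3" or "0.3.17"
/// selects, following Cargo's rule: the leftmost non-zero component may not
/// change, so for 0.x.y the minor component acts as the "major" one.
pub fn caret_range(req: &str) -> (Version, Version) {
    let c = components(req);
    let (major, minor, patch) = (c[0], c.get(1).copied(), c.get(2).copied());
    let lo = Version(major, minor.unwrap_or(0), patch.unwrap_or(0));
    let hi = match (major, minor, patch) {
        (m, _, _) if m > 0 => Version(m + 1, 0, 0),      // ^1.2.3  => < 2.0.0
        (0, None, _) => Version(1, 0, 0),                 // ^0      => < 1.0.0
        (0, Some(n), _) if n > 0 => Version(0, n + 1, 0), // ^0.3.17 => < 0.4.0
        (0, Some(0), None) => Version(0, 1, 0),           // ^0.0    => < 0.1.0
        (0, Some(0), Some(p)) => Version(0, 0, p + 1),    // ^0.0.5  => exactly 0.0.5
        _ => unreachable!("all component shapes are handled above"),
    };
    (lo, hi)
}

/// True if `candidate` satisfies the caret requirement `req`.
pub fn satisfies(req: &str, candidate: &str) -> bool {
    let (lo, hi) = caret_range(req);
    let v = version(candidate);
    lo <= v && v < hi
}

fn main() {
    // Constructed sample: the pre-fix and post-fix requirement from the PR,
    // checked against versions just below and above the 0.3.17 patch level.
    for (req, cand) in [("0.3", "0.3.16"), ("0.3.17", "0.3.16"), ("0.3.17", "0.3.26")] {
        println!("\"{}\" admits {}: {}", req, cand, satisfies(req, cand));
    }
}
```

Running it shows that "0.3" still admits 0.3.16 while "0.3.17" rejects it and admits 0.3.26, which is exactly why the patch-level requirement is the one that keeps the vulnerable releases out.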