Open JulianDroste opened 1 year ago
I just ran cargo audit on the cargo.toml with the following output:
```
Crate:     hyper
Version:   0.10.16
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.10.16
├── websocket 0.18.0
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
├── hyper-native-tls 0.3.0
│   └── discord 0.9.0
└── discord 0.9.0

Crate:     hyper
Version:   0.10.16
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     hyper
Version:   0.12.36
Title:     Lenient `hyper` header parsing of `Content-Length` could allow request smuggling
Date:      2021-07-07
ID:        RUSTSEC-2021-0078
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0078
Severity:  5.3 (medium)
Solution:  Upgrade to >=0.14.10
Dependency tree:
hyper 0.12.36
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
└── hyper-tls 0.3.2
    └── reqwest 0.9.24

Crate:     hyper
Version:   0.12.36
Title:     Integer overflow in `hyper`'s parsing of the `Transfer-Encoding` header leads to data loss
Date:      2021-07-07
ID:        RUSTSEC-2021-0079
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0079
Severity:  9.1 (critical)
Solution:  Upgrade to >=0.14.10

Crate:     rustc-serialize
Version:   0.3.24
Title:     Stack overflow in rustc_serialize when parsing deeply nested JSON
Date:      2022-01-01
ID:        RUSTSEC-2022-0004
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0004
Solution:  No fixed upgrade is available!
Dependency tree:
rustc-serialize 0.3.24
└── websocket 0.18.0
    └── discord 0.9.0
        └── discord_movie_night 0.1.0

Crate:     time
Version:   0.1.45
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Severity:  6.2 (medium)
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.45
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
├── hyper 0.12.36
│   ├── reqwest 0.9.24
│   └── hyper-tls 0.3.2
│       └── reqwest 0.9.24
├── hyper 0.10.16
│   ├── websocket 0.18.0
│   │   └── discord 0.9.0
│   │       └── discord_movie_night 0.1.0
│   ├── hyper-native-tls 0.3.0
│   │   └── discord 0.9.0
│   └── discord 0.9.0
├── cookie_store 0.7.0
│   └── reqwest 0.9.24
├── cookie 0.12.0
│   ├── reqwest 0.9.24
│   └── cookie_store 0.7.0
└── chrono 0.4.24
    ├── discord_movie_night 0.1.0
    └── discord 0.9.0

Crate:     tokio
Version:   0.1.22
Title:     Data race when sending and receiving after closing a `oneshot` channel
Date:      2021-11-16
ID:        RUSTSEC-2021-0124
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0124
Solution:  Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1
Dependency tree:
tokio 0.1.22
├── reqwest 0.9.24
│   └── tmdb 3.0.0
│       └── discord_movie_night 0.1.0
└── hyper 0.12.36
    ├── reqwest 0.9.24
    └── hyper-tls 0.3.2
        └── reqwest 0.9.24

Crate:     failure
Version:   0.1.8
Warning:   unmaintained
Title:     failure is officially deprecated/unmaintained
Date:      2020-05-02
ID:        RUSTSEC-2020-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0036
Severity:  9.8 (critical)
Dependency tree:
failure 0.1.8
└── cookie_store 0.7.0
    └── reqwest 0.9.24
        └── tmdb 3.0.0
            └── discord_movie_night 0.1.0

Crate:     net2
Version:   0.2.38
Warning:   unmaintained
Title:     `net2` crate has been deprecated; use `socket2` instead
Date:      2020-05-01
ID:        RUSTSEC-2020-0016
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.38
├── websocket 0.18.0
│   └── discord 0.9.0
│       └── discord_movie_night 0.1.0
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── tokio-tcp 0.1.4
│       │   ├── tokio 0.1.22
│       │   │   ├── reqwest 0.9.24
│       │   │   │   └── tmdb 3.0.0
│       │   │   │       └── discord_movie_night 0.1.0
│       │   │   └── hyper 0.12.36
│       │   │       ├── reqwest 0.9.24
│       │   │       └── hyper-tls 0.3.2
│       │   │           └── reqwest 0.9.24
│       │   └── hyper 0.12.36
│       ├── tokio-reactor 0.1.12
│       │   ├── tokio-tcp 0.1.4
│       │   ├── tokio 0.1.22
│       │   └── hyper 0.12.36
│       └── tokio 0.1.22
├── mio 0.6.23
└── hyper 0.12.36

Crate:     sodiumoxide
Version:   0.2.7
Warning:   unmaintained
Title:     sodiumoxide is deprecated
Date:      2021-10-22
ID:        RUSTSEC-2021-0137
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0137
Dependency tree:
sodiumoxide 0.2.7
└── discord 0.9.0
    └── discord_movie_night 0.1.0

Crate:     traitobject
Version:   0.1.0
Warning:   unmaintained
Title:     traitobject is Unmaintained
Date:      2021-10-04
ID:        RUSTSEC-2021-0144
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0144
Dependency tree:
traitobject 0.1.0
└── hyper 0.10.16
    ├── websocket 0.18.0
    │   └── discord 0.9.0
    │       └── discord_movie_night 0.1.0
    ├── hyper-native-tls 0.3.0
    │   └── discord 0.9.0
    └── discord 0.9.0

Crate:     crossbeam-utils
Version:   0.7.2
Warning:   unsound
Title:     Unsoundness of AtomicCell<*64> arithmetics on 32-bit targets that support Atomic*64
Date:      2022-02-05
ID:        RUSTSEC-2022-0041
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0041
Dependency tree:
crossbeam-utils 0.7.2
├── tokio-timer 0.2.13
│   ├── tokio 0.1.22
│   │   ├── reqwest 0.9.24
│   │   │   └── tmdb 3.0.0
│   │   │       └── discord_movie_night 0.1.0
│   │   └── hyper 0.12.36
│   │       ├── reqwest 0.9.24
│   │       └── hyper-tls 0.3.2
│   │           └── reqwest 0.9.24
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── tokio-threadpool 0.1.18
│   ├── tokio 0.1.22
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── tokio-reactor 0.1.12
│   ├── tokio-tcp 0.1.4
│   │   ├── tokio 0.1.22
│   │   └── hyper 0.12.36
│   ├── tokio 0.1.22
│   └── hyper 0.12.36
├── tokio-executor 0.1.10
│   ├── tokio-timer 0.2.13
│   ├── tokio-threadpool 0.1.18
│   ├── tokio-reactor 0.1.12
│   ├── tokio-current-thread 0.1.7
│   │   └── tokio 0.1.22
│   ├── tokio 0.1.22
│   ├── reqwest 0.9.24
│   └── hyper 0.12.36
├── crossbeam-queue 0.2.3
│   └── tokio-threadpool 0.1.18
├── crossbeam-epoch 0.8.2
│   └── crossbeam-deque 0.7.4
│       └── tokio-threadpool 0.1.18
└── crossbeam-deque 0.7.4

Crate:     failure
Version:   0.1.8
Warning:   unsound
Title:     Type confusion if __private_get_type_id__ is overridden
Date:      2019-11-13
ID:        RUSTSEC-2019-0036
URL:       https://rustsec.org/advisories/RUSTSEC-2019-0036
Severity:  9.8 (critical)

Crate:     hyper
Version:   0.10.16
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     hyper
Version:   0.12.36
Warning:   unsound
Title:     Parser creates invalid uninitialized value
Date:      2022-05-10
ID:        RUSTSEC-2022-0022
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0022

Crate:     lock_api
Version:   0.3.4
Warning:   unsound
Title:     Some lock_api lock guard objects can cause data races
Date:      2020-11-08
ID:        RUSTSEC-2020-0070
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0070
Dependency tree:
lock_api 0.3.4
└── parking_lot 0.9.0
    └── tokio-reactor 0.1.12
        ├── tokio-tcp 0.1.4
        │   ├── tokio 0.1.22
        │   │   ├── reqwest 0.9.24
        │   │   │   └── tmdb 3.0.0
        │   │   │       └── discord_movie_night 0.1.0
        │   │   └── hyper 0.12.36
        │   │       ├── reqwest 0.9.24
        │   │       └── hyper-tls 0.3.2
        │   │           └── reqwest 0.9.24
        │   └── hyper 0.12.36
        ├── tokio 0.1.22
        └── hyper 0.12.36

Crate:     traitobject
Version:   0.1.0
Warning:   unsound
Title:     traitobject assumes the layout of fat pointers
Date:      2020-06-01
ID:        RUSTSEC-2020-0027
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0027
Severity:  9.8 (critical)

error: 7 vulnerabilities found!
warning: 10 allowed warnings found
```
This mainly affects the crates tmdb and discord. I'll raise issues at those teams as well but I just wanted to let you know. I can only recommend to regularly check your dependencies via e.g. GH Actions.
Additionally consider running cargo clippy to further improve the code.
related - https://gitlab.com/Cir0X/tmdb-rs/-/issues/5
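As an added illustration of the "check your dependencies regularly via GH Actions" suggestion above (this workflow is not from the issue author or the discord_movie_night project), the following GitHub Actions workflow runs `cargo audit` and `cargo clippy` on every push and pull request and on a weekly schedule. The workflow name, cron expression and the `dtolnay/rust-toolchain` action are choices made for this example; any action that installs a Rust toolchain would do.

```yaml
# .github/workflows/audit.yml  (example workflow, not part of the project)
name: dependency-audit

on:
  push:
  pull_request:
  schedule:
    # Also run weekly so newly published RustSEC advisories are caught
    # even when no code changes land.
    - cron: '0 6 * * 1'

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy

      - name: Install cargo-audit
        run: cargo install cargo-audit --locked

      # cargo audit resolves versions from Cargo.lock, so the lock file
      # must be committed for the result to match what is actually built.
      # --deny warnings turns unmaintained/unsound/yanked findings into
      # failures instead of the "allowed warnings" seen in the issue output.
      - name: Audit dependencies against the RustSEC advisory database
        run: cargo audit --deny warnings

      - name: Lint with clippy
        run: cargo clippy --all-targets -- -D warnings
```

Findings that have been reviewed and accepted for a transitive dependency with no fixed release (the rustc-serialize entry above is an example) can be excluded with `cargo audit --ignore RUSTSEC-2022-0004`; keep such ignores in version control next to a short justification so they are revisited when the dependency chain changes.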