Keats / jsonwebtoken

JWT lib in rust
MIT License

Yank 7.2.0 from crates.io? #301

Closed alekspickle closed 1 year ago

alekspickle commented 1 year ago

I was just wondering, does it make sense to yank the 7.2.0 version from crates.io, because it depends on a time crate version with a potential segfault issue?

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── simple_asn1 0.4.1
        └── jsonwebtoken 7.2.0
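A maintainer triaging such a report usually wants to know whether the advisory's dependency tree actually reaches a given published version. The following parser for the cargo-audit text block quoted above is an added example, not code from the jsonwebtoken project or from cargo-audit; the sample input is the advisory block pasted in this issue, and the `affected_path` helper is a hypothetical name.

```python
import re

# Constructed sample: the cargo-audit advisory block quoted in the issue above.
AUDIT_OUTPUT = """\
Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── simple_asn1 0.4.1
        └── jsonwebtoken 7.2.0
"""


def parse_advisory(text):
    """Parse one cargo-audit advisory block into a dict of its fields plus a
    'chain' list ordered from the vulnerable crate up to the root crate."""
    fields = {}
    chain = []
    in_tree = False
    for line in text.splitlines():
        if in_tree:
            # Tree lines look like '    └── chrono 0.4.22'; strip the box drawing.
            node = re.sub(r"^[\s│├└─]+", "", line).strip()
            if node:
                chain.append(node)
            continue
        if line.startswith("Dependency tree:"):
            in_tree = True
            continue
        # Field lines are 'Key:   value'; split on the first colon only so
        # the URL value keeps its own 'https:' intact.
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    fields["chain"] = chain
    return fields


def affected_path(advisory, crate, version):
    """Return the path from the vulnerable crate to '<crate> <version>' if the
    advisory's dependency tree reaches it, otherwise None."""
    chain = advisory["chain"]
    target = f"{crate} {version}"
    if target not in chain:
        return None
    return chain[: chain.index(target) + 1]
```

Running `affected_path(parse_advisory(AUDIT_OUTPUT), "jsonwebtoken", "7.2.0")` yields the four-crate chain from `time 0.1.44` to `jsonwebtoken 7.2.0`, which is the reachability question the rest of this thread argues about.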
Keats commented 1 year ago

Can it even happen in practice in jsonwebtoken? I'd rather not yank a 3-year-old version at this point.

alekspickle commented 1 year ago

Well, I mean, that's your decision anyway, whether to enforce it on users or not. I checked out 7.2.0 and it uses Utc::now, which is included in the advisory case.

I totally get that not all maintainers are eager to yank all impacted old versions, though. It's just that not all devs know about cargo audit, especially new ones.

Anyway, I'll leave you to it. Thanks for the quick response!