alexcrichton / ssh2-rs

Rust bindings for libssh2
https://docs.rs/ssh2
Apache License 2.0

Release `0.9.4` is affected by `RUSTSEC-2024-0384` #338

Open MarkusPettersson98 opened 2 weeks ago

MarkusPettersson98 commented 2 weeks ago

Hello, thanks for the great crate!

I just want to bring attention to RUSTSEC-2024-0384 - `instant` is unmaintained. The problem here is that the latest release of `ssh2` depends on `instant` through `parking_lot` 0.11, but `parking_lot` 0.12 was merged to main over a year ago.

Please consider cutting a new release so that projects that check for vulnerabilities reported to the OSV database don't have to silence this warning or change to a git dependency on ssh2 :pray:

yodaldevoid commented 1 week ago

Thank you for bringing this to my attention. I will look at making a release this weekend.
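
Added example, not part of the thread or of ssh2-rs: a small Rust sketch that walks a `Cargo.lock` to show which chain pulls the flagged crate into a build, as in the `ssh2` → `parking_lot` → `instant` case reported in this issue. The lockfile excerpt, the root crate `my-app`, and the function names `parse_lock` and `path_to` are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet};
// Constructed Cargo.lock excerpt, trimmed to the fields read below; versions other than ssh2 0.9.4 are illustrative.
const SAMPLE_LOCK: &str = r#"[[package]]
name = "my-app"
dependencies = [
 "ssh2",
]
[[package]]
name = "ssh2"
version = "0.9.4"
dependencies = [
 "parking_lot",
]
[[package]]
name = "parking_lot"
version = "0.11.2"
dependencies = [
 "instant",
]
[[package]]
name = "instant"
"#;

// Map package name -> dependency names. Versions are dropped, so two locked versions of one crate merge (a simplification).
fn parse_lock(lock: &str) -> HashMap<String, Vec<String>> {
    let mut deps: HashMap<String, Vec<String>> = HashMap::new();
    let mut current = String::new();
    for line in lock.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("name = ") {
            current = rest.trim_matches('"').to_string();
        } else if line.starts_with('"') { // array entry: "name" or "name version"
            let dep = line.trim_matches(|c: char| c == '"' || c == ',').split(' ').next().unwrap();
            deps.entry(current.clone()).or_default().push(dep.to_string());
        }
    }
    deps
}

// Depth-first search for one dependency chain from `from` down to `target`; `seen` stops revisits.
fn path_to(deps: &HashMap<String, Vec<String>>, from: &str, target: &str, seen: &mut HashSet<String>) -> Option<Vec<String>> {
    if from == target { return Some(vec![from.to_string()]); }
    if !seen.insert(from.to_string()) { return None; }
    deps.get(from)?.iter().find_map(|d| {
        path_to(deps, d, target, seen).map(|mut p| { p.insert(0, from.to_string()); p })
    })
}
fn main() {
    println!("{:?}", path_to(&parse_lock(SAMPLE_LOCK), "my-app", "instant", &mut HashSet::new()));
}
```

On a real project, `cargo tree -i instant` prints the same inverted chain from the resolved dependency graph.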