Open laniakea64 opened 1 month ago
During recent research for vim-just I ran across this - https://deps.rs/crate/just
vim-just
Where couple things jumped out:
1) just's dependency on regex states version 1.5.4, which the deps.rs link flags as a security vulnerability. However, just is actually using regex version 1.10.3 - https://github.com/casey/just/blob/c237c0097b50f669f5607a15feafcf1fd6ce40c1/Cargo.lock#L715-L718 Should this be updated in Cargo.toml to prevent false positives?
just
regex
Cargo.toml
2) just declares a development dependency on yaml-rust, which is unmaintained. AFAICT this dependency is completely unused in today's just code, seems its use was removed in https://github.com/casey/just/commit/bb5b962c3dbcf0dc8258e50844602f1f5080f00c ?
yaml-rust
During recent research for
vim-justI ran across this - https://deps.rs/crate/justWhere couple things jumped out:
1)
just's dependency onregexstates version 1.5.4, which the deps.rs link flags as a security vulnerability. However,justis actually usingregexversion 1.10.3 - https://github.com/casey/just/blob/c237c0097b50f669f5607a15feafcf1fd6ce40c1/Cargo.lock#L715-L718 Should this be updated inCargo.tomlto prevent false positives?2)
justdeclares a development dependency onyaml-rust, which is unmaintained. AFAICT this dependency is completely unused in today'sjustcode, seems its use was removed in https://github.com/casey/just/commit/bb5b962c3dbcf0dc8258e50844602f1f5080f00c ?