clap-rs / clap

A full featured, fast Command Line Argument Parser for Rust
docs.rs/clap
Apache License 2.0

chore(deps):Remove cargo audit errors via cargo update #5420

Closed Pi-Cla closed 3 months ago

Pi-Cla commented 3 months ago

It seems that all of the errors are coming from various transitive dependencies in older versions of nushell (which clap_complete_nushell depends on).

Some noteworthy ones include RUSTSEC-2024-0019 and RUSTSEC-2023-0044.

See cargo-audit-clap.txt for the full list.

epage commented 3 months ago

Is there a reason this is of concern? What is in our lockfile does not affect those who use clap. I generally like to keep Cargo.toml in sync with Cargo.lock as we aren't verifying the minimum bounds of our version requirements and I tend to keep version requirements low to avoid churn. Blanket upgrades run counter to these.

Pi-Cla commented 3 months ago

Point taken