clap-rs / clap

A full featured, fast Command Line Argument Parser for Rust
docs.rs/clap
Apache License 2.0

Solved vulnerabilities #5496

Closed 41Leahcim closed 1 month ago

41Leahcim commented 1 month ago

Updated dependencies to solve 2 vulnerabilities and 7 warnings found with cargo audit.

Vulnerabilities

Tokens for named pipes may be delivered after deregistration in mio 0.8.6
openssl X509VerifyParamRef::set_host buffer over-read in openssl 0.10.52

Warnings

Use-after-free due to a lifetime error in Vec::into_iter() in bumpalo 3.11.0
openssl X509StoreRef::objects is unsound in openssl 0.10.52
Unaligned write of u64 on 32-bit and 16-bit platforms in unsafe-libyaml 0.2.8

Yanked

epage commented 1 month ago

What is the motivation for this? These look to all be from dev-dependencies and our Cargo.lock has no effect on our dependents.

41Leahcim commented 1 month ago

I wanted to contribute to the clap crate and when contributing I first check for vulnerabilities with cargo audit. In this case I found some vulnerabilities which could easily be solved with cargo update. I know it doesn't affect dependents, but I don't think that should be a reason not to update your Cargo.lock file when it contains vulnerable (versions of) dependencies.

epage commented 1 month ago

I generally prefer to keep the lockfile low and these vulnerabilities don't affect us, so I would rather close this.