Closed. 41Leahcim closed this 1 month ago.
What is the motivation for this? These look to all be from dev-dependencies and our Cargo.lock has no effect on our dependents.
I wanted to contribute to the clap crate and when contributing I first check for vulnerabilities with cargo audit. In this case I found some vulnerabilities which could easily be solved with cargo update. I know it doesn't affect dependents, but I don't think that should be a reason not to update your Cargo.lock file when it contains vulnerable (versions of) dependencies.
I generally prefer to keep the lockfile low and these vulnerabilities don't affect us, so I would rather close this.
Updated dependencies to solve 2 vulnerabilities and 7 warnings found with cargo audit.

Vulnerabilities

- Tokens for named pipes may be delivered after deregistration in mio 0.8.6
- openssl `X509VerifyParamRef::set_host` buffer over-read in openssl 0.10.52

Warnings

- Use-after-free due to a lifetime error in `Vec::into_iter()` in bumpalo 3.11.0
- openssl `X509StoreRef::objects` is unsound in openssl 0.10.52
- Unaligned write of u64 on 32-bit and 16-bit platforms in unsafe-libyaml 0.2.8

Yanked
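The cargo audit check described in the discussion and the findings listed in this description both come down to one step: compare each `[[package]]` entry in Cargo.lock with the affected version range of every advisory for that crate. Below is an added example of that step in Rust; it is not code from this PR, from clap, or from cargo-audit. The Cargo.lock excerpt is constructed from the versions listed above (plus clap_lex as an unaffected control), and the patched versions in the advisory table (0.8.11, 0.10.55, 3.11.1, 0.2.10) are assumptions for illustration, not values taken from the RustSec database. The real tool also applies yanked and unmaintained checks and full semver ranges, which this omits.

```rust
// Added example, not code from clap or cargo-audit: the matching step `cargo audit`
// performs, done offline against a constructed Cargo.lock excerpt and an advisory table.

/// Minimal semver triple; a pre-release/build suffix is dropped (enough for Cargo.lock).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.trim().split(|c| c == '-' || c == '+').next()?;
    let mut p = core.split('.').map(|n| n.parse::<u64>().ok());
    Some(Version(p.next()??, p.next()??, p.next()??))
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage { pub name: String, pub version: Version }

/// Parse the `[[package]]` tables of a Cargo.lock. Only `name` and `version` are read;
/// `source`, `checksum` and `dependencies` lines are ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // In a `[[package]]` table `version` directly follows `name`; the top-level
            // `version = 3` (lockfile format) has no name before it and is skipped.
            if let (Some(n), Some(ver)) = (name.take(), parse_version(v.trim_matches('"'))) {
                out.push(LockedPackage { name: n, version: ver });
            }
        }
    }
    out
}

/// `patched` is the first release carrying the fix; the values below are assumptions for this
/// example (the authoritative ranges are in the RustSec advisory database). `cargo audit` reports
/// some advisories as vulnerabilities and others (unsound, unmaintained, yanked) as warnings.
pub struct Advisory { pub package: &'static str, pub title: &'static str, pub patched: Version, pub vulnerability: bool }

pub const ADVISORIES: &[Advisory] = &[
    Advisory { package: "mio", title: "Tokens for named pipes may be delivered after deregistration", patched: Version(0, 8, 11), vulnerability: true },
    Advisory { package: "openssl", title: "X509VerifyParamRef::set_host buffer over-read", patched: Version(0, 10, 55), vulnerability: true },
    Advisory { package: "bumpalo", title: "Use-after-free due to a lifetime error in Vec::into_iter()", patched: Version(3, 11, 1), vulnerability: false },
    Advisory { package: "openssl", title: "X509StoreRef::objects is unsound", patched: Version(0, 10, 55), vulnerability: false },
    Advisory { package: "unsafe-libyaml", title: "Unaligned write of u64 on 32-bit and 16-bit platforms", patched: Version(0, 2, 10), vulnerability: false },
];

/// A locked package is affected by an advisory for the same crate name when its version is
/// older than the first patched release.
pub fn audit<'a>(lock: &'a [LockedPackage], advisories: &'a [Advisory]) -> Vec<(&'a LockedPackage, &'a Advisory)> {
    let mut findings = Vec::new();
    for pkg in lock {
        for adv in advisories.iter().filter(|a| a.package == pkg.name && pkg.version < a.patched) {
            findings.push((pkg, adv));
        }
    }
    findings
}

/// Constructed Cargo.lock excerpt pinning the versions named in this PR plus one unaffected crate.
pub const LOCK_BEFORE: &str = r#"
version = 3
[[package]]
name = "bumpalo"
version = "3.11.0"
[[package]]
name = "clap_lex"
version = "0.5.0"
[[package]]
name = "mio"
version = "0.8.6"
dependencies = [
 "libc",
]
[[package]]
name = "openssl"
version = "0.10.52"
[[package]]
name = "unsafe-libyaml"
version = "0.2.8"
"#;

/// The same excerpt after a `cargo update` that pulled in the assumed patched releases.
pub fn lock_after() -> String {
    LOCK_BEFORE.replace("\"3.11.0\"", "\"3.11.1\"").replace("\"0.8.6\"", "\"0.8.11\"")
        .replace("\"0.10.52\"", "\"0.10.55\"").replace("\"0.2.8\"", "\"0.2.10\"")
}

/// Returns (vulnerabilities, warnings), the two counters `cargo audit` prints at the end.
pub fn report(lock_text: &str) -> (usize, usize) {
    let lock = parse_cargo_lock(lock_text);
    let findings = audit(&lock, ADVISORIES);
    let vulns = findings.iter().filter(|(_, a)| a.vulnerability).count();
    (vulns, findings.len() - vulns)
}

fn main() {
    println!("before cargo update: {:?}", report(LOCK_BEFORE));
    println!("after cargo update:  {:?}", report(&lock_after()));
}
```

For the constructed lockfile `report` returns (2, 3): the two vulnerabilities and the three warnings listed in this description, with clap_lex untouched because no advisory names it; after the simulated `cargo update` it returns (0, 0). The point the discussion turns on is visible in the data: the match is purely on what Cargo.lock pins, so it says nothing about whether a dependent's own build ever resolves those versions.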