Closed egernst closed 3 years ago
Utilizing cargo-audit, we can see that Prost needs updating. Let's update to >= 0.8, and then rev this crate version.
Audit output:
$ cargo-audit audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 317 security advisories (from /home/eernst/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (55 crate dependencies)
Crate:         prost
Version:       0.5.0
Title:         Parsing a specially crafted message can result in a stack overflow
Date:          2020-01-16
ID:            RUSTSEC-2020-0002
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0002
Solution:      Upgrade to >=0.6.1
Dependency tree:
prost 0.5.0
├── ttrpc-compiler 0.4.0
├── prost-types 0.5.0
│   ├── ttrpc-compiler 0.4.0
│   └── prost-build 0.5.0
│       └── ttrpc-compiler 0.4.0
└── prost-build 0.5.0

Crate:         prost-types
Version:       0.5.0
Title:         Conversion from `prost_types::Timestamp` to `SystemTime` can cause an overflow and panic
Date:          2021-07-08
ID:            RUSTSEC-2021-0073
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0073
Solution:      Upgrade to >=0.8.0
Dependency tree:
prost-types 0.5.0
├── ttrpc-compiler 0.4.0
└── prost-build 0.5.0
    └── ttrpc-compiler 0.4.0

Crate:         failure
Version:       0.1.8
Warning:       unmaintained
Title:         failure is officially deprecated/unmaintained
Date:          2020-05-02
ID:            RUSTSEC-2020-0036
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree:
failure 0.1.8
├── which 2.0.1
│   └── prost-build 0.5.0
│       └── ttrpc-compiler 0.4.0
└── prost-derive 0.5.0
    └── prost 0.5.0
        ├── ttrpc-compiler 0.4.0
        ├── prost-types 0.5.0
        │   ├── ttrpc-compiler 0.4.0
        │   └── prost-build 0.5.0
        └── prost-build 0.5.0

error: 2 vulnerabilities found!
warning: 1 allowed warning found