Closed rllola closed 2 years ago
When I am running cargo audit I see a vulnerability on chrono but no potential upgrade.
```
cargo audit
```

```
Crate: chrono
Version: 0.4.19
Title: Potential segfault in `localtime_r` invocations
Date: 2020-11-10
ID: RUSTSEC-2020-0159
URL: https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution: No safe upgrade is available!
Dependency tree:
chrono 0.4.19
└── fvm_shared 0.3.1
    ├── fvm_sdk 0.3.0
    │   └── fil_actors_runtime 8.0.0-alpha.1
    │       ├── fil_actor_paych 8.0.0-alpha.1
    │       │   ├── filecoin-signer 0.10.1
    │       │   │   ├── hfuzz-signer 0.0.0
    │       │   │   ├── filecoin-signer-wasm 0.1.0
    │       │   │   └── filecoin-signer-ffi 0.1.0
    │       │   └── extras 0.1.0
    │       │       └── filecoin-signer 0.10.1
    │       ├── fil_actor_multisig 8.0.0-alpha.1
    │       │   ├── filecoin-signer 0.10.1
    │       │   └── extras 0.1.0
    │       ├── fil_actor_init 8.0.0-alpha.1
    │       │   ├── filecoin-signer 0.10.1
    │       │   └── extras 0.1.0
    │       └── fil_actor_cron 8.0.0-alpha.1
    │           └── extras 0.1.0
    ├── fvm_ipld_hamt 0.3.0
    │   ├── fil_actors_runtime 8.0.0-alpha.1
    │   ├── fil_actor_multisig 8.0.0-alpha.1
    │   └── fil_actor_init 8.0.0-alpha.1
    ├── fvm_ipld_amt 0.3.0
    │   └── fil_actors_runtime 8.0.0-alpha.1
    ├── filecoin-signer 0.10.1
    ├── fil_actors_runtime 8.0.0-alpha.1
    ├── fil_actor_paych 8.0.0-alpha.1
    ├── fil_actor_multisig 8.0.0-alpha.1
    ├── fil_actor_init 8.0.0-alpha.1
    ├── fil_actor_cron 8.0.0-alpha.1
    └── extras 0.1.0
```
The repo is active but they didn't do any new release in 2 years.
already removed in https://github.com/filecoin-project/ref-fvm/pull/433