search

http-rs / http-types

Common types for HTTP operations
https://docs.rs/http-types
Apache License 2.0
200 stars 83 forks source link

cargo audit reported vulnerabilities in 2.12.0 #505

Open cataggar opened 2 years ago

cataggar commented 2 years ago

http-types 2.12.0 is the latest version. The default features pull in dependencies with reported vulnerabilities.

Steps to reproduce. The cargo check will create the Cargo.lock that cargo audit uses.

git checkout tags/v2.12.0
cargo check
cargo audit
PS C:\Users\cataggar\io\http-types> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 421 security advisories (from C:\Users\cataggar\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate:         aes-soft
Version:       0.6.4
Warning:       unmaintained
Title:         `aes-soft` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0060
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         aesni
Version:       0.10.0
Warning:       unmaintained
Title:         `aesni` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0059
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0059
Dependency tree:
aesni 0.10.0
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         cpuid-bool
Version:       0.2.0
Warning:       unmaintained
Title:         `cpuid-bool` has been renamed to `cpufeatures`
Date:          2021-05-06
ID:            RUSTSEC-2021-0064
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.2.0
└── polyval 0.4.5
    └── ghash 0.3.1
        └── aes-gcm 0.8.0
            └── cookie 0.14.4
                └── http-types 2.12.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    └── cookie 0.14.4
        └── http-types 2.12.0

warning: 4 allowed warnings found
cataggar commented 2 years ago

The main branch updates to cookie v0.14.4 -> v0.16.0 and does not have the vulnerabilities. It would be good to publish a new version.

cataggar commented 2 years ago

An alternative is to disable the optional feature.

http-types = { version = "2.12", default-features = false }
Dentosal commented 1 year ago

@jbr @yoshuawuyts @Fishrock123 Could one of you make a new release so this can be closed?

expenses commented 1 year ago

I am once again asking for a new release 😄