iddm / serde-aux

An auxiliary serde library providing helpful functions for serialisation and deserialisation for containers, struct fields and others.
MIT License

RUSTSEC-2020-0071 and 'chrono' dependency #21

Closed damccull closed 2 years ago

damccull commented 2 years ago

Hello,

Apparently the 'chrono' crate still includes its 'oldtime' feature as a default, which depends on an old version of the 'time' crate (v0.1.43) that has a vulnerability in it. https://rustsec.org/advisories/RUSTSEC-2020-0071.html

For my own projects, I disable chrono's default features, then manually include all of the defaults except for 'oldtime', which is what the readme on chrono's repo recommends.

However, pulling in serde_aux seems to bring in chrono with the 'default' features selected, including 'oldtime'.

Any chance you could remove the 'oldtime' feature from your dependency on chrono to avoid this CVE in downstream projects?

iddm commented 2 years ago

Thanks for noticing this! I will be unable to change anything for a week from now, but after this I'll do that.

iddm commented 2 years ago

I have just specified the features I need by explicitly mentioning them in my Cargo.toml:

[dependencies.chrono]
optional = true
version = "0.4"
features = ["alloc", "std", "clock"]

Is this enough? Or do I still need to specify no-default-features?

damccull commented 2 years ago

You also need to specify no-default-features because the "oldtime" feature is currently a default one, apparently for backwards compatibility.
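
The dependency declaration as discussed above, shown as an added example (not the serde-aux manifest itself) with the opt-out that the feature list alone does not give you:

```toml
# Added example, not a file from the serde-aux repository.

# Before: a `features` list only adds features. Chrono's default set
# (including "oldtime", which depends on time 0.1) is still enabled.
#
# [dependencies.chrono]
# optional = true
# version = "0.4"
# features = ["alloc", "std", "clock"]

# After: opt out of the defaults first, then re-enable only what is needed.
[dependencies.chrono]
optional = true
version = "0.4"
default-features = false
features = ["alloc", "std", "clock"]
```

Cargo unifies features across the whole build, so if any other crate in the graph still enables chrono's defaults, "oldtime" and time 0.1 come back; running `cargo tree -i time@0.1` in the consuming project shows which path pulls it in.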

iddm commented 2 years ago

Should be done now.

damccull commented 2 years ago

Neat. Thank you. What release shall we expect to see it in?

iddm commented 2 years ago

It has already been published as 3.0.1 :)

Victor Polevoy


damccull commented 2 years ago

👍