longbridgeapp / rust-i18n

A better and simpler I18n crate for Rust.
MIT License

RUSTSEC-2024-0320: yaml-rust is unmaintained #84

Closed gacallea closed 4 weeks ago

gacallea commented 2 months ago

Hi,

I am learning Rust (very early stages still) and, along with it, computer science, because I want to be a good self-taught software engineer. I recently started exploring and learning about AppSec/DevSec and the importance of securing the entire SDLC. Among other "findings" (tools, websites, guidelines and so forth), I just found out about RustSec.

Because I love learning by both studying and doing, I have an itch-to-scratch app that I will (knock knock) start coding as soon as I finish The Book and Rust in Action. That said, I have already researched the tools and crates I will be using. One of them is rust-i18n. So today, out of curiosity, I ran cargo audit (from RustSec) and found out about https://rustsec.org/advisories/RUSTSEC-2024-0320 impacting this very project.

I believe it would be beneficial if rust-i18n could adopt the proposed resolution of that CVE: switching to a maintained package.

Please and thank you

EDIT post merge:

I notified that this project has fixed the issue on the CVE by linking it here. I renamed the issue as well, as everyone seems to use the same one. Cheers and thank you!

gacallea commented 2 months ago

here's the full output of cargo audit to put things into a dependency tree:

╰─❯ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 630 security advisories (from /Users/andreacfromtheapp/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (458 crate dependencies)
Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320
Dependency tree:
yaml-rust 0.4.5
└── serde_yaml 0.8.26
    ├── rust-i18n-support 3.0.1
    │   ├── rust-i18n-macro 3.0.0
    │   │   └── rust-i18n 3.0.1
    │   │       └── this_is_my_package 0.1.0
    │   └── rust-i18n 3.0.1
    └── rust-i18n-macro 3.0.0

warning: 1 allowed warning found

yaml-rust is being pulled in by serde_yaml, which is archived and deprecated.

I hope this helps.
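cargo audit treats an unmaintained crate as a warning (the run above ends with `1 allowed warning found`), so a CI job keeps passing unless it is run with `cargo audit --deny unmaintained`; the other thing a maintainer needs is to know which direct dependency drags the flagged crate in. The script below is an added example, not code from this thread or from rust-i18n: it parses a constructed Cargo.lock excerpt that mirrors the tree printed above and lists every chain from the root package down to the flagged crate.

```python
import re
# Constructed Cargo.lock excerpt mirroring the tree above (not a real lock file).
CARGO_LOCK = """\
[[package]]
name = "this_is_my_package"
version = "0.1.0"
dependencies = ["rust-i18n"]
[[package]]
name = "rust-i18n"
version = "3.0.1"
dependencies = ["rust-i18n-macro", "rust-i18n-support"]
[[package]]
name = "rust-i18n-macro"
version = "3.0.0"
dependencies = ["rust-i18n-support", "serde_yaml"]
[[package]]
name = "rust-i18n-support"
version = "3.0.1"
dependencies = ["serde_yaml"]
[[package]]
name = "serde_yaml"
version = "0.8.26"
dependencies = ["yaml-rust"]
[[package]]
name = "yaml-rust"
version = "0.4.5"
"""
def parse_lock(text):
    """name -> (version, [dependency names]) from the [[package]] tables."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        field = lambda key: re.search(rf'{key} = "([^"]+)"', block).group(1)
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # Entries read "foo" or "foo 1.2.3" when several versions coexist; keep the name.
        names = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
        packages[field("name")] = (field("version"), [n.split()[0] for n in names])
    return packages

def paths_to(packages, target):
    """Every chain root -> ... -> target ('name version'): which direct dep pulls it in."""
    rdeps = {}
    for name, (_, deps) in packages.items():
        for dep in deps: rdeps.setdefault(dep, []).append(name)
    def walk(node, chain, seen):  # seen guards against dev-dependency cycles
        chain = [f"{node} {packages[node][0]}"] + chain
        parents = [p for p in rdeps.get(node, []) if p not in seen]
        if not parents: yield chain
        for parent in parents:
            yield from walk(parent, chain, seen | {parent})
    return sorted(walk(target, [], {target}))
```

Run against a real Cargo.lock, the three chains returned here collapse to the single direct dependency rust-i18n, which is exactly what the cargo audit tree shows.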

Tanguille commented 1 month ago

What would be even better, in my opinion, is to split this crate up into features. In a project I work on we don't even use yaml but toml instead, so it would be amazing to have it split up into features so you aren't affected by dependencies you don't even need.

huacnlee commented 4 weeks ago

https://github.com/longbridgeapp/rust-i18n/pull/86

gacallea commented 4 weeks ago

I notified that this project has fixed the issue on the https://github.com/rustsec/advisory-db/issues/1921 by linking it here. I renamed the issue as well, as everyone seems to use the same one. Cheers and thank you!