Closed pbrkr closed 2 years ago
We're as unaffected as we were in March:
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.
The only regexes we use are, indeed, constant:
src/ops/mod.rs:use regex::Regex;
src/ops/mod.rs: static ref REGISTRY_RGX: Regex = Regex::new(r"([^\s]+) ([^\s]+) \(registry+\+([^\s]+)\)").unwrap();
src/ops/mod.rs: static ref GIT_PACKAGE_RGX: Regex = Regex::new(r"([^\s]+) ([^\s]+) \(git+\+([^#\s]+)#([^\s]{40})\)").unwrap();
And regex 1.5.5 wants rust 1.41.1.
I've followed up with #194 to mark this advisory as ignored so that hopefully no-one else wastes time submitting a useless PR like this one :)
See:
We also need to update memchr to meet the requirements of regex v1.6.0.
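The "unaffected" conclusion in this thread rests on every Regex::new call taking a constant pattern. As an added example (not code from this project), a std-only Rust check that flags call sites whose argument is not a string literal; the sample input is constructed from the two statics quoted above, and `user_pattern` is a hypothetical name.

```rust
// Added example (not from the project): flag Regex::new call sites whose
// pattern is not a string literal, since CVE-2022-24713 only matters when
// the pattern text can come from untrusted input.

/// True if the argument text begins with a plain or raw string literal.
fn is_literal_arg(arg: &str) -> bool {
    let a = arg.trim_start();
    if a.starts_with('"') {
        return true;
    }
    // Raw strings: r"..." or r#"..."# with any number of '#'.
    match a.strip_prefix('r') {
        Some(rest) => rest.trim_start_matches('#').starts_with('"'),
        None => false,
    }
}

/// Returns (1-based line number, is_literal) for every Regex::new( call.
fn classify_regex_calls(src: &str) -> Vec<(usize, bool)> {
    const CALL: &str = "Regex::new(";
    let mut out = Vec::new();
    for (i, line) in src.lines().enumerate() {
        let mut rest = line;
        while let Some(pos) = rest.find(CALL) {
            rest = &rest[pos + CALL.len()..];
            out.push((i + 1, is_literal_arg(rest)));
        }
    }
    out
}

// Constructed sample: the two statics from this page plus a hypothetical
// call that builds a regex from a variable (`user_pattern` is made up).
const SAMPLE: &str = r####"
static ref REGISTRY_RGX: Regex = Regex::new(r"([^\s]+) ([^\s]+) \(registry+\+([^\s]+)\)").unwrap();
static ref GIT_PACKAGE_RGX: Regex = Regex::new(r"([^\s]+) ([^\s]+) \(git+\+([^#\s]+)#([^\s]{40})\)").unwrap();
let re = Regex::new(&user_pattern)?;
"####;

fn main() {
    for (line, literal) in classify_regex_calls(SAMPLE) {
        let verdict = if literal { "constant pattern" } else { "REVIEW: non-literal pattern" };
        println!("line {}: {}", line, verdict);
    }
}
```

The check is deliberately conservative: a pattern passed through a named constant or `format!` is also reported for review, because the scanner cannot tell where that text originates.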