chrono 0.4, for legacy reasons, has a dependency on time 0.1. time 0.1 has the potential for CVE-2020-26235.
This dependency can be avoided by turning off the default features. The build succeeds after changing this and disabling the Google clients (which use another library that brings in the default features I'm trying to avoid) so it looks like the other features were not being used directly here.
chrono 0.4, for legacy reasons, has a dependency on time 0.1. time 0.1 has the potential for CVE-2020-26235.
This dependency can be avoided by turning off the default features. The build succeeds after changing this and disabling the Google clients (which use another library that brings in the default features I'm trying to avoid) so it looks like the other features were not being used directly here.