Closed afck closed 5 years ago
cargo audit warns:
```
error: Vulnerable crates found!

ID:       RUSTSEC-2019-0011
Crate:    memoffset
Version:  0.2.1
Date:     2019-07-16
URL:      https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
Title:    Flaw in offset_of and span_of causes SIGILL, drops uninitialized memory of arbitrary type on panic in client code
Solution: upgrade to: >= 0.5.0

error: 1 vulnerability found!
```
However, this is an indirect dependency:
```
$ cargo tree -ip memoffset
memoffset v0.2.1
└── crossbeam-epoch v0.7.1
    ├── crossbeam v0.7.1
    │   [dev-dependencies]
    │   └── hbbft v0.1.1 (/home/andreas/git/hbbft)
    │       └── hbbft_testing v0.1.0 (/home/andreas/git/hbbft/hbbft_testing)
    │           [dev-dependencies]
    │           └── hbbft v0.1.1 (/home/andreas/git/hbbft) (*)
    ├── crossbeam-deque v0.6.3
    │   ├── rayon v1.1.0
    │   │   └── reed-solomon-erasure v3.1.1
    │   │       └── hbbft v0.1.1 (/home/andreas/git/hbbft) (*)
    │   └── rayon-core v1.5.0
    │       └── rayon v1.1.0 (*)
    └── crossbeam-deque v0.7.1
        └── crossbeam v0.7.1 (*)
```
Let's disable cargo audit in ci.sh for now, until we can fix this.
Hopefully we won't need to do anything, if crossbeam releases a minor version with the fix: https://github.com/crossbeam-rs/crossbeam/pull/402
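Whether the advisory reaches the shipped crate or only its test builds can be read off the inverted tree above. The following is an added example, not part of the original issue or the hbbft project: it parses that `cargo tree -i` output and returns, for each local crate, the shortest chain from memoffset that crosses no `[dev-dependencies]` edge. Treating a filesystem path in parentheses as the mark of a local crate is an assumption.

```python
from collections import defaultdict
# Output of `cargo tree -ip memoffset`, copied from the issue above.
TREE = """\
memoffset v0.2.1
└── crossbeam-epoch v0.7.1
    ├── crossbeam v0.7.1
    │   [dev-dependencies]
    │   └── hbbft v0.1.1 (/home/andreas/git/hbbft)
    │       └── hbbft_testing v0.1.0 (/home/andreas/git/hbbft/hbbft_testing)
    │           [dev-dependencies]
    │           └── hbbft v0.1.1 (/home/andreas/git/hbbft) (*)
    ├── crossbeam-deque v0.6.3
    │   ├── rayon v1.1.0
    │   │   └── reed-solomon-erasure v3.1.1
    │   │       └── hbbft v0.1.1 (/home/andreas/git/hbbft) (*)
    │   └── rayon-core v1.5.0
    │       └── rayon v1.1.0 (*)
    └── crossbeam-deque v0.7.1
        └── crossbeam v0.7.1 (*)
"""

def parse(tree):
    """Return (root, edges, local); edges[crate] = {(dependent, is_dev_edge)}."""
    edges, local, stack, section = defaultdict(set), set(), [], {}
    for line in filter(None, tree.splitlines()):
        text = line.lstrip(" │├└─")
        depth = (len(line) - len(text)) // 4
        if text.startswith("["):  # e.g. [dev-dependencies], labels the children below
            section[depth + 1] = text.strip("[]")
            continue
        name = " ".join(text.split()[:2])  # "crate vX.Y.Z", so (*) repeats merge
        if "(/" in text:  # assumption: a filesystem path marks a local crate
            local.add(name)
        del stack[depth:]
        section.pop(depth + 1, None)  # a new parent starts with a fresh section
        if stack:
            edges[stack[-1]].add((name, section.get(depth) == "dev-dependencies"))
        stack.append(name)
    return stack[0], edges, local

def non_dev_chains(tree):
    root, edges, local = parse(tree)
    chains, queue = {root: [root]}, [root]
    for crate in queue:  # the list grows while iterating: breadth-first search
        for dep, is_dev in sorted(edges[crate]):
            if not is_dev and dep not in chains:  # dev edges never reach normal builds
                chains[dep] = chains[crate] + [dep]
                queue.append(dep)
    return {c: chains[c] for c in chains if c in local}
```

For this tree the crossbeam edge into hbbft is dev-only, but the rayon and reed-solomon-erasure chain is a normal dependency, so memoffset 0.2.1 is also compiled into non-test builds of hbbft.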