`cargo audit` finds two security vulnerabilities:

```
Scanning Cargo.lock for vulnerabilities (45 crate dependencies)
Crate:         regex
Version:       0.2.11
Title:         Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:          2022-03-08
ID:            RUSTSEC-2022-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:      Upgrade to >=1.5.5
Dependency tree:
regex 0.2.11

Crate:         thread_local
Version:       0.3.6
Title:         Data race in `Iter` and `IterMut`
Date:          2022-01-23
ID:            RUSTSEC-2022-0006
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:      Upgrade to >=1.1.4
Dependency tree:
thread_local 0.3.6
└── regex 0.2.11

error: 2 vulnerabilities found!
```

See https://github.com/futile/enet-rs/issues/15 and https://github.com/futile/enet-rs/issues/16 for further info on these issues.

Checking how enet-sys depends on these using `cargo tree` shows the following:

So both of these are due to bindgen, which is at version 0.35.0 in Cargo.toml. The current bindgen version (at the time of writing) is 0.59.2, so quite some new versions exist.

I tried upgrading bindgen, but that leads to doc tests failing, as indented comments in enet's source code are now interpreted (and run) as Rust code, see https://github.com/rust-lang/rust-bindgen/issues/1313. Also, newer bindgen versions use `u128` in signatures, which causes warnings from rustc because `u128` is not FFI-safe (known, but very annoying).

Here is a full log of `cargo build` and `cargo test` with bindgen at 0.59.2: link to a gist, because it is too long for inline display (>2.5k lines).

As bindgen is only used as a build dependency, these vulnerabilities might not be too bad, but I guess it'd be nice to fix them anyway.
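The two manual steps in the report above (match locked versions against the advisory's patched range, then find which direct dependency drags the vulnerable crate in) can be automated against Cargo.lock alone. The following is an added example written for this page; it is not code from the enet-rs project or from cargo-audit. The lockfile text is constructed (crate names and versions follow the report, `enet-sys 0.0.0` is a placeholder root), the advisory tuples are copied from the audit output, and the build-versus-runtime classification relies on the report's statement that bindgen is a build dependency, hard-coded in `BUILD_DEPENDENCIES` because Cargo.lock itself does not record dependency kinds.

```python
"""Trace cargo-audit findings back through Cargo.lock to the crate that pulls them in."""
import re
from collections import defaultdict

# Constructed Cargo.lock for this example (old-style "name version" dependency strings).
# Crate names/versions follow the report; "enet-sys 0.0.0" is a placeholder root crate.
SAMPLE_LOCK = '''
[[package]]
name = "enet-sys"
version = "0.0.0"
dependencies = [
 "bindgen 0.35.0",
]

[[package]]
name = "bindgen"
version = "0.35.0"
dependencies = [
 "regex 0.2.11",
]

[[package]]
name = "regex"
version = "0.2.11"
dependencies = [
 "thread_local 0.3.6",
]

[[package]]
name = "thread_local"
version = "0.3.6"
dependencies = []
'''

# (advisory ID, crate, patched range) as printed by cargo audit in the report.
ADVISORIES = [
    ("RUSTSEC-2022-0013", "regex", ">=1.5.5"),
    ("RUSTSEC-2022-0006", "thread_local", ">=1.1.4"),
]

# Assumption taken from the report: bindgen is only a [build-dependencies] entry of enet-sys.
BUILD_DEPENDENCIES = {"bindgen"}


def parse_lock(text):
    """Return {(name, version): [(dep_name, dep_version_or_None), ...]} from Cargo.lock text."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = []
        m = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        if m:
            for entry in re.findall(r'"([^"]+)"', m.group(1)):
                parts = entry.split()  # "regex 0.2.11 (registry+...)" or just "regex"
                deps.append((parts[0], parts[1] if len(parts) > 1 else None))
        packages[(name, version)] = deps
    return packages


def parse_version(v):
    """Numeric tuple of a semver string; pre-release tags are ignored here."""
    return tuple(int(x) for x in v.split("-")[0].split("."))


def is_patched(version, spec):
    """True if `version` satisfies a RustSec 'patched' spec such as ">=1.5.5" or ">=0.6.1, <0.7".
    Simplified: comma-separated comparators are ANDed; alternative ranges are not handled."""
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}
    for clause in spec.split(","):
        op, target = re.match(r"\s*(>=|<=|>|<|=)?\s*([\d.]+)", clause).groups()
        if not ops[op or "="](parse_version(version), parse_version(target)):
            return False
    return True


def dependency_paths(packages, target):
    """Every root-to-target chain, the lockfile equivalent of `cargo tree -i <crate>`."""
    parents = defaultdict(list)
    for pkg, deps in packages.items():
        for name, version in deps:
            # New-style lockfiles omit the version when only one copy of the crate is locked.
            keys = [(name, version)] if version else [k for k in packages if k[0] == name]
            for key in keys:
                if key in packages:
                    parents[key].append(pkg)
    paths = []

    def walk(node, chain):
        if not parents[node]:
            paths.append(list(reversed(chain)))
            return
        for parent in parents[node]:
            if parent not in chain:  # Cargo.lock is acyclic, but stay safe on odd input
                walk(parent, chain + [parent])

    walk(target, [target])
    return paths


def audit(lock_text, advisories):
    """Return (advisory, vulnerable crate, path from root, kind) for each unpatched match."""
    packages = parse_lock(lock_text)
    findings = []
    for adv_id, crate, patched in advisories:
        for name, version in packages:
            if name != crate or is_patched(version, patched):
                continue
            for path in dependency_paths(packages, (name, version)):
                # path[1] is the root's direct dependency; it decides build vs runtime exposure.
                kind = "build" if len(path) > 1 and path[1][0] in BUILD_DEPENDENCIES else "runtime"
                findings.append((adv_id, f"{name} {version}", [f"{n} {v}" for n, v in path], kind))
    return findings


if __name__ == "__main__":
    for adv_id, crate, path, kind in audit(SAMPLE_LOCK, ADVISORIES):
        print(f"{adv_id}: {crate} reached as a {kind} dependency")
        print("  " + " -> ".join(path))
```

Against a real project, `cargo tree -i regex@0.2.11` gives the same inverted path, and `cargo tree -e build` shows which edges are build-only; `cargo audit` itself works from Cargo.lock and therefore does not distinguish build dependencies from runtime ones, which is why the classification above has to come from Cargo.toml knowledge rather than from the lockfile.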