According to https://github.com/servo/rust-smallvec/issues/353, there was a memory corruption in `smallvec 2.0.0-alpha.5`. I didn't check the range of affected versions, although that bug report mentions that:

> Smallvec 1.x works fine.

I don't know what the policy is for vulnerabilities in pre-release versions, but given that smallvec is used a lot (and the 2.0.0-alpha.x branch already has 8 reverse dependencies according to https://lib.rs/crates/smallvec/rev), it may be worth recording that in the advisory database.

Perhaps using the version range `>= 2.0.0 <= 2.0.0-alpha.5` to be conservative (I'm not sure how the tool works w.r.t. version suffixes)?
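An added example, not part of the issue above or of the smallvec project: a minimal SemVer 2.0.0 precedence comparator (spec section 11) written for this note, with the helper names `cmp_versions` and `in_closed_range` being my own, used to check how a pre-release suffix such as `-alpha.5` orders against the release version. Under the SemVer rules a pre-release sorts before its release, so `2.0.0-alpha.5 < 2.0.0`, and a closed range from `2.0.0` up to `2.0.0-alpha.5` contains no version at all; a range that is meant to cover the alpha series needs a lower bound below it, such as `2.0.0-alpha.0`. That the advisory tooling applies exactly these precedence rules is an assumption here.

```rust
// Added example: minimal SemVer 2.0.0 precedence (spec section 11), written from
// scratch here rather than taken from any crate, to show how pre-release suffixes
// such as "-alpha.5" order relative to the plain release version.
use std::cmp::Ordering;

#[derive(Debug, Clone, PartialEq, Eq)]
enum Ident {
    Num(u64),
    Alpha(String),
}

impl Ord for Ident {
    fn cmp(&self, other: &Self) -> Ordering {
        match (self, other) {
            (Ident::Num(a), Ident::Num(b)) => a.cmp(b), // numeric identifiers compare numerically
            (Ident::Alpha(a), Ident::Alpha(b)) => a.cmp(b), // alphanumeric ones compare in ASCII order
            (Ident::Num(_), Ident::Alpha(_)) => Ordering::Less, // numeric < alphanumeric
            (Ident::Alpha(_), Ident::Num(_)) => Ordering::Greater,
        }
    }
}

impl PartialOrd for Ident {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
struct Version {
    major: u64,
    minor: u64,
    patch: u64,
    pre: Vec<Ident>, // empty for a release version
}

impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        self.major
            .cmp(&other.major)
            .then(self.minor.cmp(&other.minor))
            .then(self.patch.cmp(&other.patch))
            .then_with(|| match (self.pre.is_empty(), other.pre.is_empty()) {
                (true, true) => Ordering::Equal,
                (true, false) => Ordering::Greater, // a release outranks any of its pre-releases
                (false, true) => Ordering::Less,
                // Vec ordering is lexicographic and a shorter prefix is Less,
                // which is exactly the SemVer rule for pre-release fields.
                (false, false) => self.pre.cmp(&other.pre),
            })
    }
}

impl PartialOrd for Version {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

/// Parse "MAJOR.MINOR.PATCH[-PRE][+BUILD]"; returns None on malformed input.
fn parse(s: &str) -> Option<Version> {
    let s = s.trim().split('+').next()?; // build metadata never affects precedence
    let (core, pre) = match s.split_once('-') {
        Some((c, p)) => (c, Some(p)),
        None => (s, None),
    };
    let mut nums = core.split('.').map(|p| p.parse::<u64>().ok());
    let major = nums.next()??;
    let minor = nums.next()??;
    let patch = nums.next()??;
    if nums.next().is_some() {
        return None;
    }
    let pre = match pre {
        None => Vec::new(),
        Some(p) => p
            .split('.')
            .map(|id| {
                if id.is_empty() {
                    None
                } else if id.bytes().all(|b| b.is_ascii_digit()) {
                    if id.len() > 1 && id.starts_with('0') {
                        None // numeric identifiers must not have leading zeros
                    } else {
                        id.parse::<u64>().ok().map(Ident::Num)
                    }
                } else {
                    Some(Ident::Alpha(id.to_string()))
                }
            })
            .collect::<Option<Vec<_>>>()?,
    };
    Some(Version { major, minor, patch, pre })
}

/// SemVer precedence of two version strings (None if either is malformed).
fn cmp_versions(a: &str, b: &str) -> Option<Ordering> {
    Some(parse(a)?.cmp(&parse(b)?))
}

/// Does `v` fall inside the closed range `>= lo <= hi` under SemVer precedence?
fn in_closed_range(v: &str, lo: &str, hi: &str) -> Option<bool> {
    let (v, lo, hi) = (parse(v)?, parse(lo)?, parse(hi)?);
    Some(v >= lo && v <= hi)
}

fn main() {
    let pairs = [
        ("2.0.0-alpha.5", "2.0.0"),
        ("1.13.2", "2.0.0-alpha.5"),
        ("2.0.0-alpha.5", "2.0.0-alpha.10"),
    ];
    for (a, b) in pairs.iter() {
        println!("{} vs {}: {:?}", a, b, cmp_versions(a, b));
    }
    // The range suggested in the issue is empty, because 2.0.0-alpha.5 < 2.0.0.
    println!(
        "2.0.0-alpha.5 in [2.0.0, 2.0.0-alpha.5]: {:?}",
        in_closed_range("2.0.0-alpha.5", "2.0.0", "2.0.0-alpha.5")
    );
    println!(
        "2.0.0-alpha.5 in [2.0.0-alpha.0, 2.0.0-alpha.5]: {:?}",
        in_closed_range("2.0.0-alpha.5", "2.0.0-alpha.0", "2.0.0-alpha.5")
    );
}
```

The comparator only decides precedence; it does not model any particular advisory tool's range syntax, so treat it as a way to sanity-check a proposed range before filing it.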