rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

Memory corruption fixed in smallvec 2.0.0-alpha-6 #1961

Open gendx opened 1 month ago

gendx commented 1 month ago

According to https://github.com/servo/rust-smallvec/issues/353, there was a memory corruption in smallvec 2.0.0-alpha.5. I didn't check the range of affected versions, although that bug report mentions that:

Smallvec 1.x works fine.

I don't know what the policy is for vulnerabilities in pre-release versions, but given that smallvec is used a lot (and the 2.0.0-alpha.x branch already has 8 reverse dependencies according to https://lib.rs/crates/smallvec/rev), it may be worth recording that in the advisory database.

Perhaps using the version range >= 2.0.0 <= 2.0.0-alpha.5 to be conservative (I'm not sure how the tool works w.r.t. version suffixes)?

Skgland commented 1 month ago

Isn't the >= 2.0.0 <= 2.0.0-alpha.5 range empty as 2.0.0-alpha.5 < 2.0.0?
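The two comments above turn on SemVer precedence: under SemVer 2.0.0 rule 11 a pre-release version sorts below its associated release, so `2.0.0-alpha.5 < 2.0.0` and the proposed range `>= 2.0.0 <= 2.0.0-alpha.5` contains nothing. The program below is an added example written for this thread, not code from the advisory-db or smallvec projects: it implements the SemVer precedence rules with no external crates and evaluates the proposed range, plus a hypothetical alternative whose lower bound `2.0.0-alpha.1` is an assumption (the issue does not say which alpha introduced the bug). The version strings it checks are constructed inputs.

```rust
// Added example for the smallvec range discussion; not project code.
// Implements SemVer 2.0.0 precedence (rule 11) for "MAJOR.MINOR.PATCH[-PRE]".
use std::cmp::Ordering;

#[derive(Debug, Clone, PartialEq, Eq)]
struct Version {
    major: u64,
    minor: u64,
    patch: u64,
    /// Dot-separated pre-release identifiers; empty for a final release.
    pre: Vec<String>,
}

impl Version {
    /// Parse "2.0.0-alpha.5" into core numbers and pre-release identifiers.
    /// Build metadata ("+...") is not handled here; it never affects precedence.
    fn parse(s: &str) -> Option<Version> {
        let (core, pre) = match s.split_once('-') {
            Some((c, p)) => (c, Some(p)),
            None => (s, None),
        };
        let mut nums = core.split('.').map(|n| n.parse::<u64>().ok());
        let major = nums.next()??;
        let minor = nums.next()??;
        let patch = nums.next()??;
        if nums.next().is_some() {
            return None;
        }
        let pre = match pre {
            Some(p) if !p.is_empty() => p.split('.').map(str::to_string).collect(),
            Some(_) => return None, // "2.0.0-" is malformed
            None => Vec::new(),
        };
        Some(Version { major, minor, patch, pre })
    }
}

/// Rule 11.4: numeric identifiers compare numerically, alphanumeric ones
/// lexically in ASCII order, and numeric identifiers are lower than alphanumeric.
fn cmp_pre_ident(a: &str, b: &str) -> Ordering {
    match (a.parse::<u64>(), b.parse::<u64>()) {
        (Ok(x), Ok(y)) => x.cmp(&y),
        (Ok(_), Err(_)) => Ordering::Less,
        (Err(_), Ok(_)) => Ordering::Greater,
        (Err(_), Err(_)) => a.cmp(b),
    }
}

impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        self.major
            .cmp(&other.major)
            .then(self.minor.cmp(&other.minor))
            .then(self.patch.cmp(&other.patch))
            .then_with(|| match (self.pre.is_empty(), other.pre.is_empty()) {
                (true, true) => Ordering::Equal,
                // A pre-release sorts below the release it precedes: 2.0.0-alpha.5 < 2.0.0.
                (false, true) => Ordering::Less,
                (true, false) => Ordering::Greater,
                (false, false) => {
                    for (a, b) in self.pre.iter().zip(&other.pre) {
                        match cmp_pre_ident(a, b) {
                            Ordering::Equal => continue,
                            ord => return ord,
                        }
                    }
                    // All shared identifiers equal: the longer list is higher.
                    self.pre.len().cmp(&other.pre.len())
                }
            })
    }
}

impl PartialOrd for Version {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

fn ver(s: &str) -> Version {
    Version::parse(s).unwrap_or_else(|| panic!("invalid semver: {s}"))
}

/// True when the inclusive range ">= lo <= hi" can contain no version at all.
fn range_is_empty(lo: &str, hi: &str) -> bool {
    ver(lo) > ver(hi)
}

/// Does `v` satisfy ">= lo <= hi" under plain SemVer precedence?
fn in_range(lo: &str, hi: &str, v: &str) -> bool {
    let v = ver(v);
    v >= ver(lo) && v <= ver(hi)
}

fn main() {
    // Range proposed in the issue, and a hypothetical alpha-only alternative.
    let proposed = ("2.0.0", "2.0.0-alpha.5");
    let alpha_only = ("2.0.0-alpha.1", "2.0.0-alpha.5"); // lower bound is an assumption
    println!("proposed range empty: {}", range_is_empty(proposed.0, proposed.1));
    for v in ["1.0.0", "2.0.0-alpha.5", "2.0.0-alpha.6", "2.0.0"] {
        println!(
            "{v}: proposed={} alpha_only={}",
            in_range(proposed.0, proposed.1, v),
            in_range(alpha_only.0, alpha_only.1, v)
        );
    }
}
```

One caveat for anyone writing the actual advisory: Cargo and the `semver` crate layer an extra rule on top of this precedence, namely that a pre-release version only matches a requirement that explicitly names a pre-release with the same major.minor.patch, so a range written purely in terms of final releases would not match any `2.0.0-alpha.x` version even where plain SemVer ordering says it should.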