wyyerd / stripe-rs

Rust API bindings for the Stripe HTTP API.
Apache License 2.0

Security Vulnerability #104

Closed phayes closed 4 years ago

phayes commented 4 years ago

It looks like stripe-rs has a security vulnerability due to a transitive dependency on http 0.1.18.

ID:       RUSTSEC-2019-0034
Crate:    http
Version:  0.1.18
Date:     2019-11-16
URL:      https://rustsec.org/advisories/RUSTSEC-2019-0034
Title:    HeaderMap::Drain API is unsound
Solution:  upgrade to >= 0.1.20
Dependency tree:
http 0.1.18
├── reqwest 0.9.24
│   ├── stripe-rust 0.12.0-alpha.1

To fix this we need to upgrade reqwest to 0.10.1, which also has a bunch of async changes.
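Added example (not part of the original thread or of stripe-rs): a std-only Rust sketch that finds which packages pull a crate below its fixed version into a lockfile, reproducing the dependency chain reported above. The embedded lockfile is a constructed sample in the older `"name version (source)"` dependency layout, and the function names `parse_lock`, `ver`, `walk` and `audit` are hypothetical.

```rust
const LOCK: &str = r#"[[package]]
name = "http"
version = "0.1.18"
[[package]]
name = "reqwest"
version = "0.9.24"
dependencies = [
 "http 0.1.18 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "stripe-rust"
version = "0.12.0-alpha.1"
dependencies = [
 "reqwest 0.9.24 (registry+https://github.com/rust-lang/crates.io-index)",
]"#; // constructed sample mirroring the tree in the report, not the project's real lockfile

#[derive(Default)] struct Pkg { name: String, version: String, deps: Vec<String> }

fn parse_lock(lock: &str) -> Vec<Pkg> {
    let unq = |s: &str| s.trim_matches(|c: char| c == '"' || c == ',').to_string();
    lock.split("[[package]]").skip(1).map(|block| {
        let mut p = Pkg::default();
        for line in block.lines().map(str::trim) {
            if let Some(v) = line.strip_prefix("name = ") { p.name = unq(v); }
            else if let Some(v) = line.strip_prefix("version = ") { p.version = unq(v); }
            // assumed dependency entry layout: "name version (source)"; keep "name version"
            else if line.starts_with('"') {
                p.deps.push(unq(line).splitn(3, ' ').take(2).collect::<Vec<_>>().join(" "));
            }
        }
        p
    }).collect()
}
// Numeric major.minor.patch only; pre-release suffixes are ignored.
fn ver(v: &str) -> Vec<u64> {
    v.split(|c: char| c == '.' || c == '-').take(3).map(|s| s.parse().unwrap_or(0)).collect()
}
// Walk reverse dependencies upward; ids already on the path are skipped to avoid cycles.
fn walk(pkgs: &[Pkg], path: &mut Vec<String>, out: &mut Vec<String>) {
    let id = path.last().unwrap().clone();
    let parents: Vec<String> = pkgs.iter().filter(|p| p.deps.contains(&id))
        .map(|p| format!("{} {}", p.name, p.version)).filter(|pid| !path.contains(pid)).collect();
    if parents.is_empty() { out.push(path.join(" <- ")); }
    for pid in parents { path.push(pid); walk(pkgs, path, out); path.pop(); }
}
// Every chain from a copy of `name` older than `fixed` up to a top-level package.
fn audit(lock: &str, name: &str, fixed: &[u64]) -> Vec<String> {
    let (pkgs, mut out) = (parse_lock(lock), Vec::new());
    for p in pkgs.iter().filter(|p| p.name == name && ver(&p.version).as_slice() < fixed) {
        walk(&pkgs, &mut vec![format!("{} {}", p.name, p.version)], &mut out);
    }
    out
}
fn main() { for c in audit(LOCK, "http", &[0, 1, 20]) { println!("{}", c); } }
```

The `0.1.20` threshold is the "Solution" line of the advisory output quoted above.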

phayes commented 4 years ago

It looks like this is fixed in #100, and will be resolved when that PR is merged.

kestred commented 4 years ago

#100 has been merged; I'll publish a 0.12.0 soon (hopefully today).