Update vulnerable dependencies #1295
Merged
This brings the number of vulnerable dependencies down from 8 to 1. The remaining vulnerability can't be easily fixed:

```
> cargo tree -i generic-array:0.12.3
generic-array v0.12.3
├── block-buffer v0.7.3
│   └── sha-1 v0.8.2
│       [build-dependencies]
│       └── pest_meta v2.1.3
│           └── pest_generator v2.1.3
│               └── pest_derive v2.1.0 (proc-macro)
│                   ├── comrak v0.9.1
│                   │   └── docs-rs v0.6.0 (/home/joshua/src/rust/docs.rs)
│                   └── tera v1.5.0
│                       └── docs-rs v0.6.0 (/home/joshua/src/rust/docs.rs)
└── digest v0.8.1
    └── sha-1 v0.8.2 (*)
```

`pest` or `sha-1` will need to release a new version that depends on a fixed version of generic-array. Fortunately it's only a build-time dependency for a pre-determined grammar, so it shouldn't impact us in practice.

Here's a list of all changes:

```
$ cat updates.txt
comrak
futures-core
futures-util
generic-array:0.12.3
generic-array:0.14.3
hyper:0.10.16
hyper:0.13.6
pest_derive
pest_generator
pest_meta
sha-1
smallvec:0.6.13
smallvec:1.4.0
time:0.2.16
$ xargs -n1 cargo update -p < updates.txt
    Updating arc-swap v0.4.6 -> v0.4.8
    Updating futures-core v0.3.5 -> v0.3.13
    Updating futures-channel v0.3.5 -> v0.3.13
    Updating futures-io v0.3.5 -> v0.3.13
    Updating futures-macro v0.3.5 -> v0.3.13
    Updating futures-sink v0.3.5 -> v0.3.13
    Updating futures-task v0.3.5 -> v0.3.13
    Updating futures-util v0.3.5 -> v0.3.13
      Adding pin-project-lite v0.2.4
    Updating proc-macro-hack v0.5.15 -> v0.5.19
    Updating generic-array v0.14.3 -> v0.14.4
      Adding cfg-if v1.0.0
      Adding httpdate v0.3.2
    Updating hyper v0.13.6 -> v0.13.10
      Adding pin-project v1.0.5
      Adding pin-project-internal v1.0.5
    Updating proc-macro2 v1.0.13 -> v1.0.24
    Updating syn v1.0.22 -> v1.0.60
      Adding tracing v0.1.25
      Adding tracing-core v0.1.17
    Updating smallvec v0.6.13 -> v0.6.14
    Updating smallvec v1.4.0 -> v1.6.1
      Adding const_fn v0.4.5
    Updating time v0.2.16 -> v0.2.25
```

Here are the previous warnings:

```
> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 249 security advisories (from /home/joshua/.local/lib/cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (417 crate dependencies)
error: Vulnerable crates found!

ID:       RUSTSEC-2020-0091
Crate:    arc-swap
Version:  0.4.6
Date:     2020-12-10
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0091
Title:    Dangling reference in `access::Map` with Constant
Solution: upgrade to >= 1.1.0 OR >= 0.4.8
Dependency tree:
arc-swap 0.4.6
├── signal-hook-registry 1.2.0
│   └── tokio 0.2.22
│       ├── tokio-util 0.3.1
│       │   ├── tokio-postgres 0.5.5
│       │   │   └── postgres 0.17.5
│       │   │       ├── schemamama_postgres 0.3.0
│       │   │       │   └── docs-rs 0.6.0
│       │   │       ├── r2d2_postgres 0.16.0
│       │   │       │   └── docs-rs 0.6.0
│       │   │       └── docs-rs 0.6.0
│       │   └── h2 0.2.5
│       │       └── hyper 0.13.6
│       ├── tokio-tls 0.3.1
│       │   ├── reqwest 0.10.6
│       │   │   ├── rustwide 0.11.0
│       │   │   │   └── docs-rs 0.6.0
│       │   │   └── docs-rs 0.6.0
│       │   └── hyper-tls 0.4.1
│       │       ├── rusoto_core 0.45.0
│       │       │   ├── rusoto_s3 0.45.0
│       │       │   │   └── docs-rs 0.6.0
│       │       │   └── docs-rs 0.6.0
│       │       └── reqwest 0.10.6
│       ├── tokio-postgres 0.5.5
│       ├── rustwide 0.11.0
│       ├── rusoto_signature 0.45.0
│       │   └── rusoto_core 0.45.0
│       ├── rusoto_credential 0.45.0
│       │   ├── rusoto_signature 0.45.0
│       │   ├── rusoto_core 0.45.0
│       │   └── docs-rs 0.6.0
│       ├── rusoto_core 0.45.0
│       ├── reqwest 0.10.6
│       ├── postgres 0.17.5
│       ├── hyper-tls 0.4.1
│       ├── hyper 0.13.6
│       ├── h2 0.2.5
│       └── docs-rs 0.6.0
└── docs-rs 0.6.0

ID:       RUSTSEC-2020-0060
Crate:    futures-task
Version:  0.3.5
Date:     2020-09-04
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0060
Title:    futures_task::waker may cause a use-after-free if used on a type that isn't 'static
Solution: upgrade to >= 0.3.6
Dependency tree:
futures-task 0.3.5
├── futures-util 0.3.5
│   ├── rustwide 0.11.0
│   │   └── docs-rs 0.6.0
│   ├── reqwest 0.10.6
│   │   ├── rustwide 0.11.0
│   │   └── docs-rs 0.6.0
│   ├── hyper 0.13.6
│   ├── h2 0.2.5
│   │   └── hyper 0.13.6
│   ├── futures-executor 0.3.5
│   │   └── futures 0.3.5
│   │       ├── tokio-postgres 0.5.5
│   │       │   └── postgres 0.17.5
│   │       │       ├── schemamama_postgres 0.3.0
│   │       │       │   └── docs-rs 0.6.0
│   │       │       ├── r2d2_postgres 0.16.0
│   │       │       │   └── docs-rs 0.6.0
│   │       │       └── docs-rs 0.6.0
│   │       ├── rusoto_signature 0.45.0
│   │       │   └── rusoto_core 0.45.0
│   │       │       ├── rusoto_s3 0.45.0
│   │       │       │   └── docs-rs 0.6.0
│   │       │       └── docs-rs 0.6.0
│   │       ├── rusoto_s3 0.45.0
│   │       ├── rusoto_credential 0.45.0
│   │       │   ├── rusoto_signature 0.45.0
│   │       │   ├── rusoto_core 0.45.0
│   │       │   └── docs-rs 0.6.0
│   │       ├── rusoto_core 0.45.0
│   │       └── postgres 0.17.5
│   ├── futures 0.3.5
│   └── docs-rs 0.6.0
├── futures-executor 0.3.5
└── futures 0.3.5

ID:       RUSTSEC-2020-0059
Crate:    futures-util
Version:  0.3.5
Date:     2020-10-22
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0059
Title:    MutexGuard::map can cause a data race in safe code
Solution: upgrade to >= 0.3.7
Dependency tree:
futures-util 0.3.5
├── rustwide 0.11.0
│   └── docs-rs 0.6.0
├── reqwest 0.10.6
│   ├── rustwide 0.11.0
│   └── docs-rs 0.6.0
├── hyper 0.13.6
├── h2 0.2.5
│   └── hyper 0.13.6
├── futures-executor 0.3.5
│   └── futures 0.3.5
│       ├── tokio-postgres 0.5.5
│       │   └── postgres 0.17.5
│       │       ├── schemamama_postgres 0.3.0
│       │       │   └── docs-rs 0.6.0
│       │       ├── r2d2_postgres 0.16.0
│       │       │   └── docs-rs 0.6.0
│       │       └── docs-rs 0.6.0
│       ├── rusoto_signature 0.45.0
│       │   └── rusoto_core 0.45.0
│       │       ├── rusoto_s3 0.45.0
│       │       │   └── docs-rs 0.6.0
│       │       └── docs-rs 0.6.0
│       ├── rusoto_s3 0.45.0
│       ├── rusoto_credential 0.45.0
│       │   ├── rusoto_signature 0.45.0
│       │   ├── rusoto_core 0.45.0
│       │   └── docs-rs 0.6.0
│       ├── rusoto_core 0.45.0
│       └── postgres 0.17.5
├── futures 0.3.5
└── docs-rs 0.6.0

ID:       RUSTSEC-2020-0146
Crate:    generic-array
Version:  0.12.3
Date:     2020-04-09
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0146
Title:    arr! macro erases lifetimes
Solution: upgrade to >= 0.14.0
Dependency tree:
generic-array 0.12.3

ID:       RUSTSEC-2021-0020
Crate:    hyper
Version:  0.13.6
Date:     2021-02-05
URL:      https://rustsec.org/advisories/RUSTSEC-2021-0020
Title:    Multiple Transfer-Encoding headers misinterprets request payload
Solution: upgrade to >= 0.14.3 OR ^0.13.10
Dependency tree:
hyper 0.13.6

ID:       RUSTSEC-2021-0003
Crate:    smallvec
Version:  0.6.13
Date:     2021-01-08
URL:      https://rustsec.org/advisories/RUSTSEC-2021-0003
Title:    Buffer overflow in SmallVec::insert_many
Solution: upgrade to >= 0.6.14, < 1.0.0 OR >= 1.6.1
Dependency tree:
smallvec 0.6.13

ID:       RUSTSEC-2021-0003
Crate:    smallvec
Version:  1.4.0
Date:     2021-01-08
URL:      https://rustsec.org/advisories/RUSTSEC-2021-0003
Title:    Buffer overflow in SmallVec::insert_many
Solution: upgrade to >= 0.6.14, < 1.0.0 OR >= 1.6.1
Dependency tree:
smallvec 1.4.0

ID:       RUSTSEC-2020-0071
Crate:    time
Version:  0.2.16
Date:     2020-11-18
URL:      https://rustsec.org/advisories/RUSTSEC-2020-0071
Title:    Potential segfault in the time crate
Solution: upgrade to >= 0.2.23
Dependency tree:
time 0.2.16
```
This fixes a broken `time` dependency; see time-rs/time#313.
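As an added example (not code from the PR or the docs.rs project), the script below reads a `cargo audit` text report in the format quoted above, emits the `crate:version` specs that `cargo update -p` takes (the way updates.txt does), and separates out advisories like generic-array's whose fix lies outside the current semver-compatible range, so a lockfile bump cannot reach it and an upstream release is needed. The sample report is constructed, the compatibility check follows Cargo's caret rule, and only the `>=`, `<` and `^` comparators used in the advisories above are handled.

```python
import re
from typing import List, Tuple

def parse_ver(s: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in s.strip().split("."))

def caret_range(v) -> Tuple[tuple, tuple]:
    # Half-open range Cargo treats as semver-compatible with v (its ^ range).
    if v[0] > 0:
        return (v[0], 0, 0), (v[0] + 1, 0, 0)
    return ((0, v[1], 0), (0, v[1] + 1, 0)) if v[1] > 0 else (v, (0, 0, v[2] + 1))

def fixable_in_place(current: str, solution: str) -> bool:
    # True if some alternative of the Solution line (alternatives joined by OR, comparators
    # by comma) overlaps the current version's ^ range, i.e. plain `cargo update -p` suffices.
    cur_lo, cur_hi = caret_range(parse_ver(current))
    for alt in solution.replace("upgrade to", "").split(" OR "):
        lo, hi = cur_lo, cur_hi
        for comp in alt.split(","):
            m = re.fullmatch(r"\s*(>=|<|\^)\s*(\d+\.\d+\.\d+)\s*", comp)
            if not m:
                return False  # unsupported operator: assume an upstream change is needed
            op, v = m.group(1), parse_ver(m.group(2))
            if op == ">=":
                lo = max(lo, v)
            elif op == "<":
                hi = min(hi, v)
            else:  # ^x.y.z
                lo, hi = max(lo, caret_range(v)[0]), min(hi, caret_range(v)[1])
        if lo < hi:
            return True
    return False

def triage(report: str) -> Tuple[List[str], List[str]]:
    # Parse ID/Crate/Version/Solution records from cargo audit's text report and split
    # them into `cargo update -p crate:version` specs vs. findings needing upstream work.
    findings, in_place, upstream = [], set(), set()
    for line in report.splitlines():
        m = re.match(r"(ID|Crate|Version|Solution):\s*(.+)", line)
        if m and m.group(1) == "ID":
            findings.append({})
        if m and findings:
            findings[-1][m.group(1)] = m.group(2).strip()
    for f in findings:
        if "Crate" in f and "Version" in f:
            spec = f"{f['Crate']}:{f['Version']}"
            (in_place if fixable_in_place(f["Version"], f.get("Solution", "")) else upstream).add(spec)
    return sorted(in_place), sorted(upstream)

# Constructed sample in cargo audit's report format (dependency trees omitted).
SAMPLE = ("ID: RUSTSEC-2021-0003\nCrate: smallvec\nVersion: 0.6.13\n"
          "Solution: upgrade to >= 0.6.14, < 1.0.0 OR >= 1.6.1\n"
          "ID: RUSTSEC-2020-0146\nCrate: generic-array\nVersion: 0.12.3\n"
          "Solution: upgrade to >= 0.14.0\n")
```

Piping the first list into `xargs -n1 cargo update -p` reproduces the bump shown in the PR; the second list is what to track against upstream crates.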
Nemo157 approved these changes on Mar 2, 2021