Upstreams: fix insecure packages, or change upstream providers #1

@Elizafox

Description

I've filed upstream issues about most of these.

Nothing here seems to affect us, but it would be good to get these fixed.

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.7.1
    └── pretty_env_logger 0.4.0
        └── fred 6.3.0
            └── async-fred-session 0.1.5
                └── shadyurl-rust 0.1.0

Crate:     borsh
Version:   0.10.3
Warning:   unsound
Title:     Parsing borsh messages with ZST which are not-copy/clone is unsound
Date:      2023-04-12
ID:        RUSTSEC-2023-0033
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0033
Dependency tree:
borsh 0.10.3
└── rust_decimal 1.31.0
    ├── sqlx-postgres 0.7.1
    │   ├── sqlx-macros-core 0.7.1
    │   │   └── sqlx-macros 0.7.1
    │   │       └── sqlx 0.7.1
    │   │           ├── sea-query-binder 0.5.0
    │   │           │   └── sea-orm 0.12.1
    │   │           │       ├── shadyurl-rust 0.1.0
    │   │           │       ├── sea-orm-migration 0.12.1
    │   │           │       │   └── migration 0.1.0
    │   │           │       │       └── shadyurl-rust 0.1.0
    │   │           │       └── entity 0.1.0
    │   │           │           └── shadyurl-rust 0.1.0
    │   │           └── sea-orm 0.12.1
    │   └── sqlx 0.7.1
    ├── sqlx-mysql 0.7.1
    │   ├── sqlx-macros-core 0.7.1
    │   └── sqlx 0.7.1
    ├── sqlx-core 0.7.1
    │   ├── sqlx-sqlite 0.7.1
    │   │   ├── sqlx-macros-core 0.7.1
    │   │   └── sqlx 0.7.1
    │   ├── sqlx-postgres 0.7.1
    │   ├── sqlx-mysql 0.7.1
    │   ├── sqlx-macros-core 0.7.1
    │   ├── sqlx-macros 0.7.1
    │   └── sqlx 0.7.1
    ├── sea-query-binder 0.5.0
    ├── sea-query 0.30.0
    │   ├── shadyurl-rust 0.1.0
    │   ├── sea-schema 0.14.0
    │   │   ├── sea-orm-migration 0.12.1
    │   │   └── sea-orm-cli 0.12.1
    │   │       └── sea-orm-migration 0.12.1
    │   ├── sea-query-binder 0.5.0
    │   └── sea-orm 0.12.1
    └── sea-orm 0.12.1

warning: 2 allowed warnings found

Reasoning about each issue:

  • fred: it doesn't seem that dependency is actually used anywhere in the code; it's just a dev-dep erroneously made a regular dep. Even if it were used, it's also not our problem because we don't run on Windows.
  • borsh: no fix yet, but we don't parse borsh directly and we don't use ZSTs anywhere; see chore: release near/borsh-rs#146
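To answer the "change upstream providers" half of the title, it helps to know which of our own direct dependencies each flagged crate is reached through. The helper below is an added example, not code from the issue or from cargo-audit: it parses the text report `cargo audit` prints (the format quoted above) and, per advisory, lists the direct dependencies of the root package (`shadyurl-rust`) that sit on a path to the flagged crate. `SAMPLE` is a constructed excerpt of the report above, with the borsh tree shortened.

```python
# Added triage helper, not code from the issue or from cargo-audit: parse the text
# report `cargo audit` prints and, per advisory, list which DIRECT dependencies of
# the root package pull the flagged crate in. SAMPLE is a constructed excerpt.
import re

SAMPLE = """\
Crate:     atty
ID:        RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── env_logger 0.7.1
    └── pretty_env_logger 0.4.0
        └── fred 6.3.0
            └── async-fred-session 0.1.5
                └── shadyurl-rust 0.1.0

Crate:     borsh
ID:        RUSTSEC-2023-0033
Dependency tree:
borsh 0.10.3
└── rust_decimal 1.31.0
    ├── sea-query-binder 0.5.0
    │   └── sea-orm 0.12.1
    │       ├── shadyurl-rust 0.1.0
    │       └── entity 0.1.0
    │           └── shadyurl-rust 0.1.0
    └── sea-query 0.30.0
        └── shadyurl-rust 0.1.0

warning: 2 allowed warnings found
"""
TREE_CHARS = "│├└─ "  # box-drawing prefix; each nesting level is 4 columns wide

def parse_report(text, root):
    """Return {advisory_id: (crate, sorted direct deps of `root` on a path to it)}."""
    result = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Crate:"):
            continue  # summary lines such as "warning: N allowed warnings found"
        idx = lines.index("Dependency tree:")
        fields = {k: v.strip() for k, v in (ln.split(":", 1) for ln in lines[:idx])}
        stack, direct = [], set()  # stack[d] = crate at nesting depth d
        for line in lines[idx + 1:]:
            body = line.lstrip(TREE_CHARS)
            depth = (len(line) - len(body)) // 4
            stack[depth:] = [body.split()[0]]  # replace deeper nodes of the previous branch
            if depth > 0 and stack[-1] == root:
                direct.add(stack[depth - 1])  # the crate `root` depends on directly
        result[fields["ID"]] = (fields["Crate"], sorted(direct))
    return result
```

Running `parse_report(SAMPLE, "shadyurl-rust")` shows atty enters only via `async-fred-session`, while borsh is reachable through several of our own crates (`entity`, `sea-orm`, `sea-query`), so swapping one provider would not remove it.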

Labels: in progress (Issue is in progress), upstream (Waiting on upstream)