
Tracking issue for fixing `cargo audit` issues

Open caass opened this issue 2 years ago • 1 comment

The output of `cargo audit` gives the following:

❯ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 370 security advisories (from /Users/cass/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (350 crate dependencies)
Crate:         chrono
Version:       0.4.19
Title:         Potential segfault in `localtime_r` invocations
Date:          2020-11-10
ID:            RUSTSEC-2020-0159
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution:      No safe upgrade is available!
Dependency tree: 
chrono 0.4.19
├── wrangler 1.19.4
├── toml_edit 0.2.1
│   └── wrangler 1.19.4
├── sloggers 1.0.1
│   └── cloudflare 0.8.7
│       └── wrangler 1.19.4
├── slog-term 2.8.0
│   ├── sloggers 1.0.1
│   └── cloudflare 0.8.7
├── plist 0.5.5
│   └── os-version 0.1.1
│       └── wrangler 1.19.4
├── oauth2 4.1.0
│   └── wrangler 1.19.4
└── cloudflare 0.8.7

Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree: 
time 0.1.44
├── zip 0.5.13
│   └── binary-install 0.0.3-alpha.1
│       └── wrangler 1.19.4
├── syncbox 0.2.4
│   └── eventual 0.1.7
│       └── wrangler 1.19.4
├── eventual 0.1.7
└── chrono 0.4.19
    ├── wrangler 1.19.4
    ├── toml_edit 0.2.1
    │   └── wrangler 1.19.4
    ├── sloggers 1.0.1
    │   └── cloudflare 0.8.7
    │       └── wrangler 1.19.4
    ├── slog-term 2.8.0
    │   ├── sloggers 1.0.1
    │   └── cloudflare 0.8.7
    ├── plist 0.5.5
    │   └── os-version 0.1.1
    │       └── wrangler 1.19.4
    ├── oauth2 4.1.0
    │   └── wrangler 1.19.4
    └── cloudflare 0.8.7

Crate:         failure
Version:       0.1.8
Warning:       unmaintained
Title:         failure is officially deprecated/unmaintained
Date:          2020-05-02
ID:            RUSTSEC-2020-0036
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0036
Dependency tree: 
failure 0.1.8
└── binary-install 0.0.3-alpha.1
    └── wrangler 1.19.4

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree: 
net2 0.2.37
├── miow 0.2.2
└── mio 0.6.23

Crate:         term
Version:       0.5.2
Warning:       unmaintained
Title:         term is looking for a new maintainer
Date:          2018-11-19
ID:            RUSTSEC-2018-0015
URL:           https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree: 
term 0.5.2

error: 2 vulnerabilities found!
warning: 3 allowed warnings found

This issue is meant to be a meta-issue to track progress on solving the issues raised by cargo audit.

Includes:

  • [ ] maybe #2109
  • [ ] #2107
  • [ ] #2105

Since CI fails until we resolve this, it has some amount of priority.

caass avatar Nov 01 '21 20:11 caass

Maybe it's worth re-implementing binary-install inside wrangler. It uses curl inside its implementation to fetch data. Since wrangler uses reqwest, we can re-implement all the functionality of binary-install without using curl, which reduces bloated dependencies. Also, the zip crate has time as an optional feature and we can easily disable it.

P.S. I came to this because it's possible to make almost all the functionality of wrangler work without openssl, but curl has a hard dependency on openssl. And if we re-implement binary-install we can easily build wrangler without openssl.

a1ien avatar Nov 03 '21 19:11 a1ien
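Added example (not code from this issue thread or from wrangler itself): a small Rust helper that triages the human-readable report above, so the tracking list can be derived from it rather than read off by hand. It assumes the report format shown here (`Crate:`/`ID:`/`Warning:` fields and a 4-column box-drawing reverse-dependency tree) and takes the root crate name from the caller; for each advisory it returns the root's direct dependencies that pull the flagged crate in, which is what decides between a plain bump (`time >=0.2.23`) and a replacement such as the binary-install rewrite suggested above.

```rust
// Added example (not the issue's or wrangler's own code): triage the human-readable
// `cargo audit` report above. Per advisory record it returns the RUSTSEC id, whether it
// counted as a vulnerability (no `Warning:` line) and which *direct* dependencies of the
// root crate pull the flagged crate in, i.e. the Cargo.toml entries to bump or replace.
use std::collections::BTreeSet;

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub id: String,
    pub krate: String,
    pub is_vulnerability: bool,
    pub direct_deps: BTreeSet<String>,
}

/// Value of a `Key:   value` line in one advisory record, if present.
fn field(lines: &[&str], key: &str) -> Option<String> {
    lines.iter().find_map(|l| l.strip_prefix(key)).map(|v| v.trim().to_string())
}

pub fn triage(report: &str, root: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for block in report.split("\n\n") {
        let lines: Vec<&str> = block.lines().collect();
        let (krate, id) = match (field(&lines, "Crate:"), field(&lines, "ID:")) {
            (Some(k), Some(i)) => (k, i),
            _ => continue, // fetch/scan header or the final summary, not a record
        };
        let is_vulnerability = !lines.iter().any(|l| l.starts_with("Warning:"));
        let start = lines.iter().position(|l| l.starts_with("Dependency tree"));
        let mut stack: Vec<String> = Vec::new(); // crate name printed at each depth
        let mut direct_deps = BTreeSet::new();
        for line in &lines[start.map_or(lines.len(), |i| i + 1)..] {
            let indent = line.chars().take_while(|c| !c.is_ascii_alphanumeric()).count();
            let name: String = line.chars().skip(indent).take_while(|c| !c.is_whitespace()).collect();
            if name.is_empty() { continue; }
            let depth = indent / 4; // box-drawing prefix is 4 columns per level
            stack.truncate(depth);
            // Reverse tree: a line lists a dependent of its parent line, so where the root
            // crate appears, its parent is one of the root's direct dependencies.
            if name == root {
                if let Some(parent) = depth.checked_sub(1).and_then(|d| stack.get(d)) {
                    direct_deps.insert(parent.clone());
                }
            }
            stack.push(name);
        }
        findings.push(Finding { id, krate, is_vulnerability, direct_deps });
    }
    findings
}
```

Piping `cargo audit` output into `triage(&report, "wrangler")` on the full report above yields, for RUSTSEC-2020-0071, the seven direct dependencies (binary-install, chrono, cloudflare, eventual, oauth2, os-version, toml_edit) that each need a fix before the vulnerability entry disappears.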