
Rust-yaml dependency must be updated

Open hashmap opened this issue 5 years ago • 4 comments

Currently we use 0.4.2 (used by serde) and 0.3.5 (used by clap). Cargo audit is unhappy:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 17 security advisories (from /home/ubuntu/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (311 crate dependencies)
error: Vulnerable crates found!

ID:      RUSTSEC-2018-0006
Crate:   yaml-rust
Version: 0.3.5
Date:    2018-09-17
URL:     https://github.com/chyh1990/yaml-rust/pull/109
Title:   Uncontrolled recursion leads to abort in deserialization
Solution: upgrade to: >= 0.4.1

error: 1 vulnerability found!

I sent a PR against clap, opening this issue to track the update https://github.com/clap-rs/clap/pull/1396

hashmap avatar Dec 18 '18 11:12 hashmap
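The finding above comes from two different versions of `yaml-rust` sitting in the same `Cargo.lock` (0.3.5 pulled in by clap, 0.4.2 by serde); only the older one is below the `>= 0.4.1` fix version named in the advisory. The program below is an added example, not code from grin, clap or cargo-audit: it walks the `[[package]]` tables of a lock file, lists every version of a named crate, and reports those older than a given minimum. It uses only `std`, and the lock-file text embedded in it is constructed for the example (the crate names and versions mirror the issue, the rest is illustrative). The function names `parse_version`, `versions_of` and `vulnerable_versions` are this example's own.

```rust
// Added example: find every version of a crate in Cargo.lock and flag the
// ones older than the advisory's fix version. Uses only std; the lock-file
// text below is constructed for the example, not taken from the project.

/// Constructed sample lock file: two copies of yaml-rust, one of them
/// below the 0.4.1 fix version from RUSTSEC-2018-0006.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "clap"
version = "2.32.0"
dependencies = [
 "yaml-rust 0.3.5 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "yaml-rust"
version = "0.3.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "yaml-rust"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Parse "MAJOR.MINOR.PATCH" into a comparable tuple. A pre-release or
/// build suffix ("0.3.0-beta.1") is dropped so the numeric core compares.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Every version of `crate_name` recorded in the lock file, in file order.
/// Each `[[package]]` table carries exactly one `name = ` and `version = `
/// line, so a line-oriented scan is enough; dependency strings inside a
/// table never start with `name = ` and are ignored.
fn versions_of(lock: &str, crate_name: &str) -> Vec<String> {
    let mut found = Vec::new();
    for table in lock.split("[[package]]") {
        let mut name: Option<String> = None;
        let mut version: Option<String> = None;
        for line in table.lines() {
            let line = line.trim();
            if let Some(rest) = line.strip_prefix("name = ") {
                name = Some(rest.trim_matches('"').to_string());
            } else if let Some(rest) = line.strip_prefix("version = ") {
                version = Some(rest.trim_matches('"').to_string());
            }
        }
        if name.as_deref() == Some(crate_name) {
            if let Some(v) = version {
                found.push(v);
            }
        }
    }
    found
}

/// Versions of `crate_name` older than `min_safe` (e.g. "0.4.1").
/// A version that does not parse is reported too, so a human looks at it
/// rather than the check silently passing.
fn vulnerable_versions(lock: &str, crate_name: &str, min_safe: &str) -> Vec<String> {
    let min = parse_version(min_safe).expect("min_safe must be MAJOR.MINOR.PATCH");
    versions_of(lock, crate_name)
        .into_iter()
        .filter(|v| match parse_version(v) {
            Some(parsed) => parsed < min,
            None => true,
        })
        .collect()
}

fn main() {
    // Pass a path to a real Cargo.lock as the first argument; otherwise the
    // constructed sample is scanned.
    let lock = match std::env::args().nth(1) {
        Some(path) => std::fs::read_to_string(&path).expect("cannot read lock file"),
        None => SAMPLE_LOCK.to_string(),
    };
    let all = versions_of(&lock, "yaml-rust");
    let bad = vulnerable_versions(&lock, "yaml-rust", "0.4.1");
    println!("yaml-rust versions in lock file: {:?}", all);
    if bad.is_empty() {
        println!("no yaml-rust version below 0.4.1");
    } else {
        println!("yaml-rust versions below 0.4.1 (RUSTSEC-2018-0006): {:?}", bad);
        std::process::exit(1);
    }
}
```

Listing all versions first, rather than only the bad one, is what shows why a simple `cargo update` does not clear the advisory: the vulnerable copy is pinned by clap's own dependency range, so the fix has to land in clap (the PR linked above) before the lock file can drop 0.3.5.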

It has been fixed in clap https://github.com/clap-rs/clap/pull/1415 waiting for a release

hashmap avatar Mar 26 '19 14:03 hashmap

Looks like it won't be released https://github.com/clap-rs/clap/pull/1439.

quentinlesceller avatar Apr 05 '19 14:04 quentinlesceller

Still outstanding, and looks as if ncurses and pancurses have been added to the audit unhappiness mix.

yeastplume avatar Jan 21 '20 13:01 yeastplume

Looks like there is a 0.3.0 beta-1. So hopefully that should be fixed soon.

quentinlesceller avatar May 11 '20 14:05 quentinlesceller