bson-rust
RUST-1129 Make `chrono` dependency optional
The chrono crate is affected by a difficult-to-solve CVE that triggers in environments using cargo-audit as a security check.
As I understand it, there is a feature flag in bson v2 to enable or disable the chrono-related API. But this does not remove the dependency from the dependency tree.
Would that be possible?
Hi @kamulos, thank you for filing this issue! We've disabled the chrono feature flags affected by the CVE, but I understand that cargo-audit still errors regardless of this fact.
The chrono-related feature flags in bson are for enabling/disabling the usage of chrono in our public API. We still use chrono for the implementation of our own DateTime type regardless of whether the feature flags are enabled, so it isn't possible for us to make the dependency optional at this time without re-implementing DateTime. (See #277 for more information.) That said, changing the implementation of DateTime is something we're willing to consider. I filed RUST-1129 to discuss this with the rest of the team in an upcoming meeting.
This was included in the 2.3.0 release.
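
The distinction discussed in this thread, sketched as an added example that is not taken from bson's own manifest: a feature that only gates public API leaves the crate a hard dependency, while `optional = true` ties the dependency itself to the feature. The crate layout and the feature name `chrono-api` are hypothetical.

```toml
# Cargo.toml of a hypothetical library crate (constructed for illustration).

# Variant A (shown commented out): the feature only gates API items.
# chrono is an unconditional dependency, so every consumer resolves and
# builds it whether or not "chrono-api" is enabled.
#
# [dependencies]
# chrono = { version = "0.4", default-features = false }
#
# [features]
# chrono-api = []          # only toggles #[cfg(feature = "chrono-api")] code

# Variant B: the dependency itself is optional.
# chrono is only built when a consumer enables "chrono-api". This requires
# that no unconditional code path in the crate uses chrono internally.
[dependencies]
chrono = { version = "0.4", default-features = false, optional = true }

[features]
default = []
chrono-api = ["dep:chrono"]   # "dep:" syntax needs Rust 1.60 or newer

# To check from a consuming project whether chrono is still pulled in,
# and by which crate:
#   cargo tree -i chrono
```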