Skip to content

chore: bump tempfile from 3.13.0 to 3.14.0 (#5006) #5498

chore: bump tempfile from 3.13.0 to 3.14.0 (#5006)

chore: bump tempfile from 3.13.0 to 3.14.0 (#5006) #5498

GitHub Actions / Security audit succeeded Nov 11, 2024 in 1s

Security advisories found

1 unmaintained, 1 unsound, 2 other

Details

Warnings

RUSTSEC-2024-0370

proc-macro-error is unmaintained

Details
Status unmaintained
Package proc-macro-error
Version 1.0.4
URL https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20
Date 2024-09-01

proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.

proc-macro-error also depends on syn 1.x, which may be bringing duplicate dependencies into dependant build trees.

Possible Alternative(s)

RUSTSEC-2023-0086

Multiple soundness issues

Details
Status unsound
Package lexical-core
Version 0.8.5
Date 2023-09-03

RUSTSEC-2024-0377 contains multiple soundness issues:

  1. Bytes::read() allows creating instances of types with invalid bit patterns
  2. BytesIter::read() advances iterators out of bounds
  3. The BytesIter trait has safety invariants but is public and not marked unsafe
  4. write_float() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine
  5. radix() calls MaybeUninit::assume_init() on uninitialized data, which is is not allowed by the Rust abstract machine

Version 1.0 fixes these issues, removes the vast majority of unsafe code, and also fixes some correctness issues.

Crate bytes is yanked

No extra details provided.

Crate clang-sys is yanked

No extra details provided.