Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

smallvec/parking_lot vulnerability #60

Closed
FintanH opened this issue Jan 27, 2021 · 5 comments
Closed

smallvec/parking_lot vulnerability #60

FintanH opened this issue Jan 27, 2021 · 5 comments

Comments

@FintanH
Copy link

FintanH commented Jan 27, 2021

Hey 馃憢

There was a vulnerability in smallvec:

I came across this while using cargo deny on our project radicle-link and there was a transitive dep from governor to parking_lot.

I created a pull-request for the parking_lot repo Amanieu/parking_lot#276 and I wanted to track an issue here for updating this project with the fixed version too.

Hope that works for you, and let me know if I can do anything to help 鉁岋笍
@FintanH FintanH mentioned this issue Jan 27, 2021
Closed
@antifuchs
Copy link
Collaborator

Thanks for filing the issue! I think we can bump the transitive dependency manually, I'll investigate.

@FintanH
Copy link
Author

FintanH commented Jan 28, 2021

Awesome! Thanks for looking into it :)

@antifuchs antifuchs mentioned this issue Jan 28, 2021
Merged
bors bot added a commit that referenced this issue Jan 28, 2021
@bors @antifuchs
Merge #61
b90755f 
61: Bump smallvec to remove vulnerability r=antifuchs a=antifuchs

This addresses #60.

I also changed some cargo-deny settings so it no longer warns about dev-dependencies and buries me in chunder.

Co-authored-by: Andreas Fuchs <asf@boinkor.net>
@antifuchs
Copy link
Collaborator

The above PR should straighten out the deps such that a non-vulnerable version of smallvec gets used. If you have the time @FintanH, could you test with a git dependency? Otherwise, I'll time out and release v0.3.2 on the weekend.

@FintanH
Copy link
Author

FintanH commented Jan 28, 2021

Looks good on our side :)

@antifuchs
Copy link
Collaborator

Released! Thanks for checking!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@antifuchs @FintanH