Readme lists an incorrect set of default features.

[bfish510]

"old_time" is still a default feature in 0.4.26 despite the Readme saying otherwise. I believe this commit in mainline needs to be merged into the 0.4.x branch.

The semver of the time package has a related vulnerability

References:
0.4.x defaults
Defaults commit in mainline
Readme Commit
time-rs vulnerability for time 0.1.43

[djc]

See #602 for discussion of the time 0.1 vulnerability and #1073 for discussion of getting rid of time 0.1 in chrono 0.4.

[bfish510]

To rephrase, my concern isn't that oldtime should or shouldn't be a default at the moment or a stance on getting rid of the time dependency but that the documentation for 0.4.x is inaccurate. I wasn't certain if the commit inferred that the intent was to modify the defaults along with the documentation, or that the readme for the branch is inaccurate and potentially has other issues.

Readme for 0.4.x
Defaults listed: alloc, std, clock, wasmbind

Default list for 0.4.x
Defaults listed: clock, std, oldtime, wasmbind

[djc]

Right. Would you be able to submit a PR?

[bfish510]

Gladly! Can you confirm it's just the documentation that needs to be updated and not a change to the defaults.

[djc]

Yup!

[pitdicker]

@bfish510 You would be fixing my mistake, so thank you 😄.

But if we go with #1095 your documentation change will be very short-lived, and maybe not even make it to a release.

[pitdicker]

#1095 is merged.