Tracking Issue for `chrono`/`time` fixes #786

Adam-Gleave · 2021-10-20T15:19:07Z

This is a tracking issue for addressing #783 and #779.

Remove chrono as a direct dependency of Bee.
Update any dependencies that have subdependencies on chrono or an effected time version, if these have been patched with fixes.
For dependencies that appear inactive, fork and patch them ourselves, and submit a PR to the maintainer.
Remove the advisories CI bypass

The text was updated successfully, but these errors were encountered:

Adam-Gleave · 2021-10-20T15:21:24Z

tracing has merged a patch for this issue, but we are waiting on a release.

Adam-Gleave · 2021-10-20T16:56:07Z

Opened this PR for simple_asn1, which is used in jsonwebtoken.

(This has now been merged).

Adam-Gleave · 2021-10-28T11:30:08Z

Opened this PR for jsonwebtoken, now that simple_asn1 has had a new release, and tokio-console has merged dependency updates.

jyhi · 2021-11-18T16:53:34Z

Looks like a lot has been made regarding to the two security issues, but this tracking issue is not updated for a while.

thibault-martinez · 2021-11-18T16:55:02Z

We're just waiting for dependencies to merge the PRs we did to fix these issues.

Adam-Gleave added the c-tracking-issue Category - Tracking issue label Oct 20, 2021

This was referenced Oct 20, 2021

Remove chrono #784

Merged

Ignore time related vulnerabilities #785

Merged

Adam-Gleave mentioned this issue Oct 29, 2021

Coordicide: add bee-time crate #807

Merged

7 tasks

Provide feedback