vulnerabilities in unmaintained chrono dependency #1134
Comments
Yeah, I mean, we don't do anything with the vulnerable code, and we support it only so that people can read datetimes and the like out of their databases. I'm in favor of removing it though, we already support
https://github.com/chronotope/chrono/commits/main
chronotope/chrono#639 (comment) seems as though the owner is MIA and blocking things. being on rust 2015 doesn't help either. either way, there is a medium, almost high, vuln in the version used by rusqlite.
Quoting @thomcc:
...
I'll look into it and see if there's anything we can do here, but ultimately a lot of code uses chrono and rusqlite in order to access time information which is stored in the database. That code is largely stuck without a migration path in this situation, which is... unfortunate. It is also true that However, if your rusqlite dependency does not have Anyway, I've been in favor of removing this for a while, but this is the sort of thing that @gwenn and I need to agree on. At the very least, they feel more strongly about it than I do. (My reason for wanting it gone is so that if a new vulnerability is found that impacts an API we do use, we don't accidentally miss this fact, and also I'd like to add
Worth noting that (as of #1031) we avoid the vulnerability addressed by that PR, although I believe there are other issues inside It is worth noting that largely speaking the origin of this vulnerability is in the Rust standard library rather than Quite a bit has been written about this in https://internals.rust-lang.org/t/synchronized-ffi-access-to-posix-environment-variable-functions/15475, and the outcome is likely that
https://www.reddit.com/r/rust/comments/wg3fks/chrono_0420_has_been_released_fixing_the/ |
chrono is unmaintained and not willing to fix discovered vulns in its dependencies. this results in cargo audit findings for projects using rusqlite. other crates have been swapping to using time directly. can the same be done here to avoid findings and security issues?
https://rustsec.org/advisories/RUSTSEC-2020-0159.html
https://rustsec.org/advisories/RUSTSEC-2020-0071.html