cargo audit reported vulnerabilities in 2.12.0

Question

cargo audit reported vulnerabilities in 2.12.0

cataggar opened this issue 2 years ago · comments

http-types 2.12.0 is the latest version. The default features pull in dependencies with reported vulnerabilities.

Steps to reproduce. The cargo check will create the Cargo.lock that cargo audit uses.

git checkout tags/v2.12.0
cargo check
cargo audit

PS C:\Users\cataggar\io\http-types> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 421 security advisories (from C:\Users\cataggar\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate:         aes-soft
Version:       0.6.4
Warning:       unmaintained
Title:         `aes-soft` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0060
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         aesni
Version:       0.10.0
Warning:       unmaintained
Title:         `aesni` has been merged into the `aes` crate
Date:          2021-04-29
ID:            RUSTSEC-2021-0059
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0059
Dependency tree:
aesni 0.10.0
└── aes 0.6.0
    └── aes-gcm 0.8.0
        └── cookie 0.14.4
            └── http-types 2.12.0

Crate:         cpuid-bool
Version:       0.2.0
Warning:       unmaintained
Title:         `cpuid-bool` has been renamed to `cpufeatures`
Date:          2021-05-06
ID:            RUSTSEC-2021-0064
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.2.0
└── polyval 0.4.5
    └── ghash 0.3.1
        └── aes-gcm 0.8.0
            └── cookie 0.14.4
                └── http-types 2.12.0

Crate:         stdweb
Version:       0.4.20
Warning:       unmaintained
Title:         stdweb is unmaintained
Date:          2020-05-04
ID:            RUSTSEC-2020-0056
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
    └── cookie 0.14.4
        └── http-types 2.12.0

warning: 4 allowed warnings found

Cameron Taggart · Answer 1 · Wed Jul 06 2022 06:43:53 GMT+0800 (China Standard Time)

The main branch updates to cookie v0.14.4 -> v0.16.0 and does not have the vulnerabilities. It would be good to publish a new version.

Cameron Taggart · Answer 2 · Wed Jul 06 2022 06:56:44 GMT+0800 (China Standard Time)

An alternative is to disable the optional feature.

http-types = { version = "2.12", default-features = false }

Hannes Karppila · Answer 3 · Wed Nov 09 2022 11:11:26 GMT+0800 (China Standard Time)

@jbr @yoshuawuyts @Fishrock123 Could one of you make a new release so this can be closed?

Ashley · Answer 4 · Mon May 22 2023 11:45:29 GMT+0800 (China Standard Time)

I am once again asking for a new release 😄