cargo audit reported vulnerabilities in 2.12.0
cataggar opened this issue · comments
http-types 2.12.0 is the latest version. The default features pull in dependencies with reported vulnerabilities.
Steps to reproduce. The cargo check
will create the Cargo.lock
that cargo audit
uses.
git checkout tags/v2.12.0
cargo check
cargo audit
PS C:\Users\cataggar\io\http-types> cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 421 security advisories (from C:\Users\cataggar\.cargo\advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (135 crate dependencies)
Crate: aes-soft
Version: 0.6.4
Warning: unmaintained
Title: `aes-soft` has been merged into the `aes` crate
Date: 2021-04-29
ID: RUSTSEC-2021-0060
URL: https://rustsec.org/advisories/RUSTSEC-2021-0060
Dependency tree:
aes-soft 0.6.4
└── aes 0.6.0
└── aes-gcm 0.8.0
└── cookie 0.14.4
└── http-types 2.12.0
Crate: aesni
Version: 0.10.0
Warning: unmaintained
Title: `aesni` has been merged into the `aes` crate
Date: 2021-04-29
ID: RUSTSEC-2021-0059
URL: https://rustsec.org/advisories/RUSTSEC-2021-0059
Dependency tree:
aesni 0.10.0
└── aes 0.6.0
└── aes-gcm 0.8.0
└── cookie 0.14.4
└── http-types 2.12.0
Crate: cpuid-bool
Version: 0.2.0
Warning: unmaintained
Title: `cpuid-bool` has been renamed to `cpufeatures`
Date: 2021-05-06
ID: RUSTSEC-2021-0064
URL: https://rustsec.org/advisories/RUSTSEC-2021-0064
Dependency tree:
cpuid-bool 0.2.0
└── polyval 0.4.5
└── ghash 0.3.1
└── aes-gcm 0.8.0
└── cookie 0.14.4
└── http-types 2.12.0
Crate: stdweb
Version: 0.4.20
Warning: unmaintained
Title: stdweb is unmaintained
Date: 2020-05-04
ID: RUSTSEC-2020-0056
URL: https://rustsec.org/advisories/RUSTSEC-2020-0056
Dependency tree:
stdweb 0.4.20
└── time 0.2.27
└── cookie 0.14.4
└── http-types 2.12.0
warning: 4 allowed warnings found
The main
branch updates to cookie v0.14.4 -> v0.16.0
and does not have the vulnerabilities. It would be good to publish a new version.
An alternative is to disable the optional feature.
http-types = { version = "2.12", default-features = false }
@jbr @yoshuawuyts @Fishrock123 Could one of you make a new release so this can be closed?
I am once again asking for a new release 😄