rust-fuzz / afl.rs

πŸ‡ Fuzzing Rust code with American Fuzzy Lop

Home Page: https://rust-fuzz.github.io/book/afl.html

Latest published version fails `cargo audit`

JonathanWoollett-Light opened this issue · comments

The latest published version (837f997) fails cargo audit:

```
[ec2-user@ip-172-31-1-96 afl.rs]$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 516 security advisories (from /home/ec2-user/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (69 crate dependencies)
Crate:     remove_dir_all
Version:   0.5.3
Title:     Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)
Date:      2023-02-24
ID:        RUSTSEC-2023-0018
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0018
Solution:  Upgrade to >=0.8.0
Dependency tree:
remove_dir_all 0.5.3
└── tempfile 3.3.0
    └── afl 0.12.14

error: 1 vulnerability found!
[ec2-user@ip-172-31-1-96 afl.rs]$
```

The latest commit on main (a508d22) passes.

It is resolved with the update of tempfile from 3.3.0 to 3.4.0 (a508d22).

The resolution should be as simple as publishing the current main.

Thanks very much for pointing this out. I just published a new version.

If you're satisfied the issue is resolved, would you mind closing it? 🙏

Thank you for the fast response, very appreciated 👍