This repository has been archived by the owner on Apr 8, 2022. It is now read-only.

Cargo audit security advisories #79

Open

muursh opened this issue Oct 22, 2021 · 4 comments

Comments

@muursh
Contributor

muursh commented Oct 22, 2021

chrono - 0.4.19 - segfault in localtime_r - no safe upgrade
time - 0.1.44 - segfault in time crate - upgrade to >=0.2.23
wasmtime - 0.27.0 - multiple vulnerabilities - upgrade to >=0.30.0
zeroize_derive - 1.1.0 - doesn't implement drop for enum - upgrade to >= 1.1.1

net2 is unmaintained :(

The above is true in staging as of 22/10/21. I have no idea if anyone is changing any of the above in anything they're working on. If anyone is, can they comment here and let me know.

I'll create a PR to fix the obvious ones.

We need to decide what to do about net2 given it's not maintained anymore. Do we wait for parity or should we be more proactive?

@muursh
Contributor Author

muursh commented Oct 22, 2021

Also I'm adding cargo audit to our CI
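A policy gate over `cargo audit --json` output, added here as an example and not the project's own CI code: it fails the build on any vulnerability that is not explicitly allow-listed, and reports unmaintained-crate warnings (the net2 case above) without blocking until the team opts in with a flag. The sample report is constructed to mirror the advisories listed in this issue; the RUSTSEC-0000-* ids and the net2 version are placeholders, and the field names (`vulnerabilities.list`, `warnings.<kind>`, each with `advisory`, `package`, `versions`) assume cargo-audit's JSON report layout.

```python
"""Policy gate over `cargo audit --json` output (added example, not project code).

Assumed report layout (cargo-audit JSON): `vulnerabilities.list[]` and
`warnings.<kind>[]`, each entry with `advisory`, `package` and, for
vulnerabilities, `versions.patched`. Sample data below is constructed.
"""
import json
import sys

# Constructed sample shaped like `cargo audit --json`; the advisory ids and
# the net2 version are placeholders, the other package/version pairs mirror
# the issue text.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {"advisory": {"id": "RUSTSEC-0000-0001", "package": "chrono",
                          "title": "segfault in localtime_r"},
             "package": {"name": "chrono", "version": "0.4.19"},
             "versions": {"patched": [], "unaffected": []}},
            {"advisory": {"id": "RUSTSEC-0000-0002", "package": "time",
                          "title": "segfault in time crate"},
             "package": {"name": "time", "version": "0.1.44"},
             "versions": {"patched": [">=0.2.23"], "unaffected": []}},
        ],
    },
    "warnings": {
        "unmaintained": [
            {"kind": "unmaintained",
             "advisory": {"id": "RUSTSEC-0000-0003", "package": "net2",
                          "title": "net2 is unmaintained"},
             "package": {"name": "net2", "version": "0.0.0"}},
        ],
    },
})


def load_sample():
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def _fix_hint(entry):
    """Remediation text: the patched ranges, or 'no safe upgrade' if none exist."""
    patched = entry.get("versions", {}).get("patched", [])
    return ("upgrade to " + ", ".join(patched)) if patched else "no safe upgrade"


def evaluate_report(report, fail_on_unmaintained=False, ignore=()):
    """Apply the policy to a parsed report and return (exit_code, findings).

    Every vulnerability whose advisory id is not in `ignore` fails the build.
    Unmaintained-crate warnings only fail it when `fail_on_unmaintained` is
    set, so they can be tracked in CI output without blocking merges.
    """
    findings = []
    for entry in report.get("vulnerabilities", {}).get("list", []):
        adv = entry.get("advisory") or {}
        findings.append({
            "kind": "vulnerability",
            "id": adv.get("id", ""),
            "package": entry["package"]["name"],
            "version": entry["package"]["version"],
            "title": adv.get("title", ""),
            "fix": _fix_hint(entry),
            "ignored": adv.get("id", "") in ignore,
        })
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            adv = entry.get("advisory") or {}  # some warning kinds carry none
            findings.append({
                "kind": kind,
                "id": adv.get("id", ""),
                "package": entry["package"]["name"],
                "version": entry["package"]["version"],
                "title": adv.get("title", ""),
                "fix": "no patched version (%s warning)" % kind,
                "ignored": adv.get("id", "") in ignore,
            })
    blocking = [
        f for f in findings
        if not f["ignored"]
        and (f["kind"] == "vulnerability"
             or (fail_on_unmaintained and f["kind"] == "unmaintained"))
    ]
    return (1 if blocking else 0), findings


def format_findings(findings):
    """One line per finding, in the same shape as the issue's own summary."""
    return "\n".join(
        "%s - %s - %s - %s%s" % (f["package"], f["version"], f["title"], f["fix"],
                                 " [ignored]" if f["ignored"] else "")
        for f in findings)


def main(argv):
    # CI usage:  cargo audit --json > audit.json && python gate.py audit.json
    # Without a file argument the constructed sample is evaluated instead.
    paths = [a for a in argv[1:] if not a.startswith("--")]
    if paths:
        with open(paths[0]) as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    code, findings = evaluate_report(
        report, fail_on_unmaintained="--fail-on-unmaintained" in argv)
    print(format_findings(findings))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is what makes this a gate: a non-zero return fails the CI job, while the printed summary reproduces the `package - version - title - fix` lines from this issue so the job log reads the same way as the advisory list. The `ignore` tuple is the place for advisory ids that have been reviewed and accepted, which keeps an accepted "no safe upgrade" case like chrono from blocking every build.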

@TheQuantumPhysicist
Contributor

Let's discuss the priority of this issue at some point.

@muursh
Contributor Author

muursh commented Oct 23, 2021

Of which issue? The entirety of the advisories or just unmaintained crate?

@TheQuantumPhysicist
Contributor

The priority of each, or all of them. I bet some of us think this is super prior and others think the opposite.

On one hand, these are not important as long as we're in testnet and we're more focused on features that work properly. On the other hand, these are important because they affect our software in one way or another. I'm more biased towards the former since we're far from being worried about long-term software issues, since most of our protocols and implementations are not done anyway. Either way, we should discuss this topic, or at least clearly express the priority.

Maybe on Monday's daily we can talk about it a little bit.
