Vulnerable dependency: time brought in via chrono #226

Closed
DarthHater opened this issue Jul 20, 2021 · 6 comments

@DarthHater

DarthHater commented Jul 20, 2021

Hi there!

The crate time before 0.2.23 has a vulnerability; more info here: https://github.com/RustSec/advisory-db/blob/main/crates/time/RUSTSEC-2020-0071.md

FYI time is brought in via chrono to this project.

I've made a comment on a chrono issue where they are discussing upgrading time: chronotope/chrono#553 (comment)

I imagine you can't do too much until chrono updates, but pointing this out seemed like a good idea!

Cheers,
Jeffry

cc @bhamail

@DarthHater DarthHater changed the title Vulnerable dependency: time Vulnerable dependency: time brought in via chrono Jul 20, 2021
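
An added example, not part of the original thread or the project's code: a check over a `Cargo.lock` that reports which packages pull in a `time` release below the 0.2.23 threshold quoted in the issue. The lockfile excerpt, the `example-app` package and the function names are constructed for illustration; the advisory itself remains the authority on the exact affected range.

```python
import re

# Threshold as stated in the issue: `time` before 0.2.23 is flagged.
FLAGGED_CRATE, FIXED_IN = "time", (0, 2, 23)

# Constructed Cargo.lock excerpt (hypothetical, not the project's lockfile).
SAMPLE_LOCK = '''[[package]]
name = "chrono"
version = "0.4.19"
dependencies = [
 "time 0.1.44",
]

[[package]]
name = "example-app"
version = "1.0.0"
dependencies = [
 "chrono",
 "time 0.3.9",
]

[[package]]
name = "time"
version = "0.1.44"

[[package]]
name = "time"
version = "0.3.9"
'''

def parse_lock(text):
    """Return (name, version, [dependency entries]) for each [[package]]."""
    field = lambda key, b: re.search(rf'^{key} = "(.+)"', b, re.M).group(1)
    return [(field("name", b), field("version", b),
             re.findall(r'^[ \t]+"([^"]+)",', b, re.M))
            for b in text.split("[[package]]")[1:]]

def flagged_parents(text):
    """Map each flagged `time` version to the packages that depend on it."""
    packages, result = parse_lock(text), {}
    for name, version, _ in packages:
        core = tuple(map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()))
        if name == FLAGGED_CRATE and core < FIXED_IN:
            # Entries read "name" when the crate is unique in the lockfile,
            # "name version" when several versions of it are present.
            result[version] = sorted(
                p for p, _, deps in packages
                if any(d.split()[:2] in ([name], [name, version]) for d in deps))
    return result
```

On the constructed excerpt, `flagged_parents(SAMPLE_LOCK)` reports `time` 0.1.44 as reached through `chrono`, while the direct `time` 0.3.9 dependency is not flagged.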
@estk
Owner

estk commented Aug 3, 2021

Waiting on chronotope/chrono#578

@estk estk self-assigned this Aug 3, 2021
@estk estk added the blocked Blocked by an external dependency label Aug 3, 2021
@msrd0

msrd0 commented Nov 14, 2021

chrono itself is also considered vulnerable: https://rustsec.org/advisories/RUSTSEC-2020-0159

@HTGAzureX1212

The PR still seems to not be merged. Could a potential move to the time 0.3 crate instead of chrono be feasible?

@msrd0

msrd0 commented Feb 8, 2022

I've opened #241 to at least remove the time 0.1 dependency

@estk
Owner

estk commented Apr 19, 2022

I would like to remove the chrono dependency; I think migrating to time is feasible now.

@estk
Owner

estk commented Apr 22, 2022

Closing this in favor of removing chrono for time 0.3

@estk estk closed this as completed Apr 22, 2022