Rust-yaml dependency must be updated · mimblewimble/grin#2175

(4 comments) (0 reactions) (0 assignees)Rust (4,876 stars) (991 forks)batch import

good first issuetask

説明

Currently we use 0.4.2 (used by serde) and 0.3.5 (used by clap). Cargo audit is unhappy:

$cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 17 security advisories (from /home/ubuntu/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (311 crate dependencies)
error: Vulnerable crates found!

ID:      RUSTSEC-2018-0006
Crate:   yaml-rust
Version: 0.3.5
Date:    2018-09-17
URL:     https://github.com/chyh1990/yaml-rust/pull/109
Title:   Uncontrolled recursion leads to abort in deserialization
Solution: upgrade to: >= 0.4.1

error: 1 vulnerability found!

I sent a PR against clap, opening this issue to track the update https://github.com/clap-rs/clap/pull/1396

コントリビューターガイド

技術スタック: rust
領域: security
Issue 種別: security
難度: 3
推定時間: under 1 hour
活動状況: stale
明確さ: clear
前提条件: RustCargo
初心者向け度: 60
調査方針: The issue tracks a security vulnerability in yaml rust dependency. A PR has been sent to clap to update its dependency (link: https://github.com/clap rs/clap/pull/1396). To resolve this issue, the maintainer needs to update the version of yaml rust in the Cargo.toml file, ensuring compatibility with serde's version. Check the linked PR for any required changes and test the build.