mimblewimble/grin

Rust-yaml dependency must be updated

Open

#2,175 opened on Dec 18, 2018

View on GitHub
 (4 comments) (0 reactions) (0 assignees)Rust (991 forks)batch import
good first issuetask

Repository metrics

Stars
 (4,876 stars)
PR merge metrics
 (Avg merge 6d 11h) (25 merged PRs in 30d)

Description

Currently we use 0.4.2 (used by serde) and 0.3.5 (used by clap). Cargo audit is unhappy:

$cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 17 security advisories (from /home/ubuntu/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (311 crate dependencies)
error: Vulnerable crates found!

ID:      RUSTSEC-2018-0006
Crate:   yaml-rust
Version: 0.3.5
Date:    2018-09-17
URL:     https://github.com/chyh1990/yaml-rust/pull/109
Title:   Uncontrolled recursion leads to abort in deserialization
Solution: upgrade to: >= 0.4.1

error: 1 vulnerability found!

I sent a PR against clap, opening this issue to track the update https://github.com/clap-rs/clap/pull/1396

Contributor guide