Note: Time dependency is outdated #629
Comments
Bump on this, there are related advisories against both
Both are due to CVE-2020-26235, which is a 5.3 (Medium) under CVSS 3.1.
Related to #602!
I don't think we'll be updating the version of time used in chrono. Since #478, chrono has a minimal dependency on time (that notably does not call any of the code that is vulnerable per RUSTSEC-2020-0071), and in the next semver-incompatible version we'll remove the dependency entirely.
Hi,
When I created a PR, I noticed many outdated dependencies.
I got some problems with the "time" dependency (no problem with other dependencies when I updated them).
If someone wants to update, the removed num_XXX methods are easy to replace with whole_XXX.
The problem is with num_nanoseconds. Before, time 0.1.43 returned an Option; now whole_nanoseconds returns i32 or i128, but Duration::nanoseconds needs an i64 (Duration::nanoseconds_i128(nanoseconds: i128) is private).
It wasn't connected with my PR and I don't know when I will have enough time to check that deeper, so I'm leaving the information for someone else.
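The i128-to-i64 narrowing described in the post above, as an added example that is not part of the original thread and is not chrono's or time's own code: it compares a checked conversion that keeps the old `Option` contract with a bare `as` cast that silently wraps. Plain integers stand in for the crate's values, and all function names are hypothetical.

```rust
// Added example: plain integers stand in for the `time` crate's values so this
// builds with no dependencies. All function names here are hypothetical.
use std::convert::TryFrom; // needed on editions before 2021

const NANOS_PER_SEC: i128 = 1_000_000_000;

/// Keeps the old `num_nanoseconds`-style contract: `None` when the count does
/// not fit in an i64, instead of silently wrapping.
fn nanos_checked(whole_nanos: i128) -> Option<i64> {
    i64::try_from(whole_nanos).ok()
}

/// What a bare `as` cast does: keeps the low 64 bits, so an out-of-range
/// value wraps and can even change sign.
fn nanos_truncating(whole_nanos: i128) -> i64 {
    whole_nanos as i64
}

/// Fallback for counts too large for i64 nanoseconds: split into whole
/// seconds and sub-second nanoseconds, rejecting values whose seconds still
/// overflow an i64.
fn split_secs_nanos(whole_nanos: i128) -> Option<(i64, i32)> {
    let secs = i64::try_from(whole_nanos / NANOS_PER_SEC).ok()?;
    // The remainder's magnitude is below 1e9, so it always fits in an i32.
    let sub = (whole_nanos % NANOS_PER_SEC) as i32;
    Some((secs, sub))
}

fn main() {
    // Constructed sample values: one in range, one just past i64::MAX.
    let in_range: i128 = 1_500_000_000;
    let too_big: i128 = i64::MAX as i128 + 1;

    for n in [in_range, too_big].iter() {
        println!(
            "{}: checked={:?} truncating={} split={:?}",
            n,
            nanos_checked(*n),
            nanos_truncating(*n),
            split_secs_nanos(*n)
        );
    }
}
```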