
Release new askama_axum? Existing latest release doesn't pass "cargo audit". #738

Closed
dpc opened this issue Nov 5, 2022 · 5 comments
Closed

Comments

@dpc

dpc commented Nov 5, 2022

Our project fails cargo audit due to:

> Version:       0.1.2
> Title:         No default limit put on request bodies
> Date:          2022-08-31
> ID:            RUSTSEC-2022-0055
> URL:           https://rustsec.org/advisories/RUSTSEC-2022-0055
> Solution:      Upgrade to >=0.2.8, <0.3.0-rc.1 OR >=0.3.0-rc.2
> Dependency tree:
> axum-core 0.1.2
>
> error: 1 vulnerability found!

and askama_axum is pulling in this dependency. I see that the version in git already points to axum-core = "0.2", so that would help, but needs a release.

Thanks!

@djc
Owner

djc commented Nov 7, 2022

Does #740 work for you?

@dpc
Author

dpc commented Nov 7, 2022

I think so! Thanks!

@bouncydingbat

@djc I still see the issue with cargo audit when using askama_axum, even if I set the version to "*" in Cargo.toml.

Using git = and this repo then gives me errors with the template derive. Is there a new version release that passes cargo audit?

> cargo add askama_axum
    Updating crates.io index
      Adding askama_axum v0.1.0 to dependencies.
> cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 474 security advisories (from D:\MYUSER\.cargo\advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (167 crate dependencies)
Crate:     axum-core
Version:   0.1.2
Title:     No default limit put on request bodies
Date:      2022-08-31
ID:        RUSTSEC-2022-0055
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0055
Solution:  Upgrade to >=0.2.8, <0.3.0-rc.1 OR >=0.3.0-rc.2
Dependency tree:
axum-core 0.1.2
└── askama_axum 0.1.0
    └── mycrate 0.1.0

In Cargo.lock I see this, so something still broke somewhere:

[[package]]
name = "askama_axum"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1463e29c311d12424dce7d3ef3d064200c56da064e339c37c40478269eb7ea68"
dependencies = [
 "askama",
 "axum-core 0.1.2",
 "http",
 "http-body",
]
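The question both reports in this thread come down to is "which of my dependencies is the one still pulling in axum-core 0.1.2?", which is what cargo audit answers with its "Dependency tree" block. The following is an added example, not code from the askama project or from anyone in this thread: a small Rust program that reads a Cargo.lock and reconstructs that reverse-dependency chain from the vulnerable crate version up to the workspace root, so you can see which crate needs the bump. The lockfile in `SAMPLE_LOCK` is a constructed sample modelled on the excerpt above; the versions given for askama, http, http-body and the second axum-core entry are assumptions, not values from the issue.

```rust
// Added example (not askama project code): minimal Cargo.lock reader that
// reproduces the reverse-dependency chain cargo audit prints as "Dependency tree".
// Only the keys that matter here are parsed: name, version, dependencies.

#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    // Raw lockfile entries, e.g. "askama" or "axum-core 0.1.2".
    pub dependencies: Vec<String>,
}

/// Strip the quotes (and a trailing comma) from a TOML string literal.
fn unquote(s: &str) -> Option<&str> {
    let s = s.trim().trim_end_matches(',').trim();
    s.strip_prefix('"')?.strip_suffix('"')
}

/// Parse the [[package]] tables of a Cargo.lock. Unknown keys and other
/// tables (e.g. [metadata]) are skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package { name: String::new(), version: String::new(), dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        if line.starts_with('[') {
            // Some other table: close the current package, if any.
            if let Some(p) = current.take() {
                packages.push(p);
            }
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue,
        };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
            } else if let Some(d) = unquote(line) {
                pkg.dependencies.push(d.to_string());
            }
            continue;
        }
        if let Some(rest) = line.strip_prefix("name =") {
            pkg.name = unquote(rest).unwrap_or("").to_string();
        } else if let Some(rest) = line.strip_prefix("version =") {
            pkg.version = unquote(rest).unwrap_or("").to_string();
        } else if let Some(rest) = line.strip_prefix("dependencies =") {
            // Either an inline array on one line or the start of a multi-line one.
            match rest.trim().strip_prefix('[').and_then(|r| r.strip_suffix(']')) {
                Some(inner) => pkg.dependencies.extend(inner.split(',').filter_map(unquote).map(str::to_string)),
                None => in_deps = true,
            }
        }
    }
    if let Some(p) = current {
        packages.push(p);
    }
    packages
}

/// A lockfile entry is "name" when unambiguous, or "name version" (optionally
/// followed by a source in parentheses) when several versions coexist.
fn entry_matches(entry: &str, name: &str, version: &str) -> bool {
    let mut parts = entry.split_whitespace();
    let ename = parts.next().unwrap_or("");
    match parts.next() {
        Some(ever) => ename == name && ever == version,
        None => ename == name,
    }
}

/// All chains from the given crate version up to a root package (one nothing
/// depends on), leaf first, e.g. ["axum-core 0.1.2", "askama_axum 0.1.0", "mycrate 0.1.0"].
/// Returns an empty list when that exact version is not in the lockfile.
pub fn dependency_chains(packages: &[Package], name: &str, version: &str) -> Vec<Vec<String>> {
    if !packages.iter().any(|p| p.name == name && p.version == version) {
        return Vec::new();
    }
    let mut chains = Vec::new();
    let mut stack = vec![vec![(name.to_string(), version.to_string())]];
    while let Some(chain) = stack.pop() {
        let (lname, lver) = chain.last().unwrap().clone();
        let parents: Vec<&Package> = packages
            .iter()
            .filter(|p| p.dependencies.iter().any(|d| entry_matches(d, &lname, &lver)))
            // Guard against dependency cycles (possible via dev-dependencies).
            .filter(|p| !chain.iter().any(|(n, v)| *n == p.name && *v == p.version))
            .collect();
        if parents.is_empty() {
            chains.push(chain.iter().map(|(n, v)| format!("{} {}", n, v)).collect());
            continue;
        }
        for p in parents {
            let mut next = chain.clone();
            next.push((p.name.clone(), p.version.clone()));
            stack.push(next);
        }
    }
    chains.sort();
    chains
}

/// Constructed sample lockfile modelled on the excerpt in the issue; the
/// askama, http, http-body and axum-core 0.2.9 versions are assumptions.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "askama"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "askama_axum"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "askama",
 "axum-core 0.1.2",
 "http",
 "http-body",
]

[[package]]
name = "axum-core"
version = "0.1.2"

[[package]]
name = "axum-core"
version = "0.2.9"

[[package]]
name = "http"
version = "0.2.8"

[[package]]
name = "http-body"
version = "0.4.5"

[[package]]
name = "mycrate"
version = "0.1.0"
dependencies = ["askama_axum", "axum-core 0.2.9"]
"#;

fn main() {
    let packages = parse_lock(SAMPLE_LOCK);
    for chain in dependency_chains(&packages, "axum-core", "0.1.2") {
        println!("{}", chain.join(" <- "));
    }
}
```

Run against a real Cargo.lock by reading the file instead of `SAMPLE_LOCK`; the second-to-last element of each chain is the direct dependency whose version (or fork) has to change before the advisory clears.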

@djc
Owner

djc commented Dec 20, 2022

Yes, I've submitted #756 for now.

@djc
Owner

djc commented Dec 21, 2022

I've published askama_axum 0.2.

@djc djc closed this as completed Dec 21, 2022