fix: Remove vulnerable time-0.1.x chrono dependency #4750

Merged
merged 1 commit into from Dec 23, 2022

Contributor

@ixti ixti commented Dec 21, 2022

The dependency is optional for chrono and enabled by default for backward compatibility only.

RUSTSEC-2020-0071: https://rustsec.org/advisories/RUSTSEC-2020-0071

Closes #3163
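
An added example, not part of this pull request or of starship's code: a std-only Rust check that reads `Cargo.lock` text and lists the packages still pulling in `time` 0.1.x, so the effect of dropping the default chrono feature can be confirmed. The function names and the lockfile fragments (including their version numbers) are constructed for illustration.

```rust
// Added example: std-only scan of Cargo.lock text for time 0.1.x (RUSTSEC-2020-0071).
type Pkg = (String, String, Vec<String>); // (name, version, dependency entries)
fn parse_lock(lock: &str) -> Vec<Pkg> {
    let mut pkgs: Vec<Pkg> = Vec::new();
    let mut in_deps = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.push((String::new(), String::new(), Vec::new()));
            in_deps = false;
        } else if let Some(p) = pkgs.last_mut() {
            if in_deps && line == "]" {
                in_deps = false;
            } else if in_deps {
                p.2.push(line.trim_matches(|c: char| c == '"' || c == ',').to_string());
            } else if let Some(v) = line.strip_prefix("name = ") {
                p.0 = v.trim_matches('"').to_string();
            } else if let Some(v) = line.strip_prefix("version = ") {
                p.1 = v.trim_matches('"').to_string();
            } else if line == "dependencies = [" {
                in_deps = true;
            }
        }
    }
    pkgs
}

/// Packages that depend on time 0.1.x; empty means the lockfile is clean.
fn time01_dependents(lock: &str) -> Vec<String> {
    let pkgs = parse_lock(lock);
    let locked_01 = pkgs.iter().any(|p| p.0 == "time" && p.1.starts_with("0.1."));
    let mut out = Vec::new();
    for (name, _, deps) in &pkgs {
        for dep in deps {
            let mut parts = dep.split_whitespace();
            // A bare "time" entry means exactly one version of it is locked.
            let is_01 = parts.next() == Some("time")
                && parts.next().map_or(locked_01, |v| v.starts_with("0.1."));
            if is_01 { out.push(name.clone()); }
        }
    }
    out
}

// Constructed lockfile fragments (assumed versions, not starship's real Cargo.lock).
const BEFORE: &str = "[[package]]\nname = \"chrono\"\nversion = \"0.4.23\"\ndependencies = [\n \"num-integer\",\n \"time\",\n]\n\n[[package]]\nname = \"time\"\nversion = \"0.1.45\"\n";
const AFTER: &str = "[[package]]\nname = \"chrono\"\nversion = \"0.4.23\"\ndependencies = [\n \"num-integer\",\n]\n";
fn main() {
    println!("before: {:?}, after: {:?}", time01_dependents(BEFORE), time01_dependents(AFTER));
}
```

In CI, pass the contents of the real `Cargo.lock` to `time01_dependents` and fail the job when the returned list is non-empty.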

Contributor

@syphar syphar left a comment


you probably also can remove the ignore from .cargo/audit.toml, right?

@davidkna
Member

> you probably also can remove the ignore from .cargo/audit.toml, right?

Agreed, but please just remove the whole file. Looks like I forgot to add the default-features toggle when attempting to restrict the feature set.

@davidkna davidkna changed the title from "sec: Remove time-0.1.x dependency" to "fix: Remove vulnerable time-0.1.x chrono dependency" Dec 22, 2022
@ixti ixti force-pushed the remove-time-0-1-x-dependency branch from 0c11180 to b940dc7 Compare December 22, 2022 16:54
@ixti
Contributor Author

ixti commented Dec 22, 2022

@davidkna you said:

> I forgot to add the default-features toggle when attempting to restrict the feature set

Does it mean we should remove wasmbind feature too? I believe so, but not sure :D

@davidkna
Member

@ixti I think it wasn't a feature yet when I changed it. You can keep it, but starship doesn't build for wasm targets either way.

@ixti
Contributor Author

ixti commented Dec 22, 2022

> @ixti I think it wasn't a feature yet when I changed it. You can keep it, but starship doesn't build for wasm targets either way.

Okay. Either way, I believe such cleanup belongs to a different PR ;))

@ixti ixti force-pushed the remove-time-0-1-x-dependency branch from b940dc7 to 245ca8f Compare December 23, 2022 01:32
@davidkna davidkna merged commit 255f91c into starship:master Dec 23, 2022
@davidkna
Member

Thanks for the fix!

Successfully merging this pull request may close these issues.

RUSTSEC-2020-0071: Potential segfault in the time crate
3 participants