Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

smallvec/parking_lot vulnerability #60

Closed
FintanH opened this issue Jan 27, 2021 · 5 comments
Closed

smallvec/parking_lot vulnerability #60

FintanH opened this issue Jan 27, 2021 · 5 comments

Comments

@FintanH
Copy link

FintanH commented Jan 27, 2021

Hey 👋

There was a vulnerability in smallvec:

I came across this while using cargo deny on our project radicle-link and there was a transitive dep from governor to parking_lot.

I created a pull-request for the parking_lot repo Amanieu/parking_lot#276 and I wanted to track an issue here for updating this project with the fixed version too.

Hope that works for you, and let me know if I can do anything to help ✌️

@antifuchs
Copy link
Collaborator

Thanks for filing the issue! I think we can bump the transitive dependency manually, I'll investigate.

@FintanH
Copy link
Author

FintanH commented Jan 28, 2021

Awesome! Thanks for looking into it :)

bors bot added a commit that referenced this issue Jan 28, 2021
61: Bump smallvec to remove vulnerability r=antifuchs a=antifuchs

This addresses #60.

I also changed some cargo-deny settings so it no longer warns about dev-dependencies and buries me in chunder.

Co-authored-by: Andreas Fuchs <asf@boinkor.net>
@antifuchs
Copy link
Collaborator

The above PR should straighten out the deps such that a non-vulnerable version of smallvec gets used. If you have the time @FintanH, could you test with a git dependency? Otherwise, I'll time out and release v0.3.2 on the weekend.

@FintanH
Copy link
Author

FintanH commented Jan 28, 2021

Looks good on our side :)

@antifuchs
Copy link
Collaborator

Released! Thanks for checking!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants