Add new security warning for the fixed soundness issue.

daboross · Oct 20, 2024 · b78b76e · b78b76e
1 parent fdd525c
commit b78b76e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -6,6 +6,21 @@ fern
 
 Simple, efficient logging for [Rust].
 
+---
+
+## fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator
+
+One of our downstream dependencies, [atty](https://docs.rs/atty/), through
+[colored](https://docs.rs/colored/), has an unsoundness issue:
+<https://rustsec.org/advisories/RUSTSEC-2021-0145.html>.
+
+This shows up in one situation: if you're using `colored` 0.1.0 (the crate, or our
+feature), and a custom global allocator.
+
+Upgrade to `fern` 0.7.0, and `colored` 0.2.0 if you depend on it directly, to fix this issue.
+
+---
+
 Logging configuration is recursively branched, like a fern: formatting, filters, and output can be applied recursively to match increasingly specific kinds of logging. Fern provides a builder-based configuration backing for rust's standard [log] crate.
 
 ```rust

diff --git a/src/lib.rs b/src/lib.rs
@@ -2,6 +2,17 @@
 #![doc(html_root_url = "https://docs.rs/fern/0.6.2")]
 //! Efficient, configurable logging in Rust.
 //!
+//! # fern 0.4.4, 0.5.\*, 0.6.\* security warning - `colored` feature + global allocator
+//!
+//! One of our downstream dependencies, [atty](https://docs.rs/atty/), through
+//! [colored](https://docs.rs/colored/), has an unsoundness issue:
+//! <https://rustsec.org/advisories/RUSTSEC-2021-0145.html>.
+//!
+//! This shows up in one situation: if you're using `colored` 0.1.0 (the crate, or our
+//! feature), and a custom global allocator.
+//!
+//! Upgrade to `fern` 0.7.0, and `colored` 0.2.0 if you depend on it directly, to fix this issue.
+//!
 //! # Depending on fern
 //!
 //! Ensure you require both fern and log in your project's `Cargo.toml`: