This repository has been archived by the owner on Jul 17, 2024. It is now read-only.

Dependabot alert for spin v0.9.6 dependency #25

Closed
antbern opened this issue Dec 1, 2023 · 0 comments · Fixed by #32

Comments

@antbern

antbern commented Dec 1, 2023

Issue description
I keep getting Dependabot alerts for GHSA-2qv5-7mw5-j3cg in my project based on esp32-hal v0.16.0. The issue seems to exist in the spin crate for versions below v0.9.8, and using `cargo tree` I tracked it to this crate, which seems to depend on the affected version v0.9.6:

├── esp32-hal v0.16.0
│   ├── embassy-time v0.1.5 (*)
│   └── esp-hal-common v0.13.1
           [..]
│       ├── esp32 v0.27.0
│       │   ├── critical-section v1.1.2
│       │   ├── vcell v0.1.3
│       │   └── xtensa-lx v0.8.0 <---
│       │       ├── bare-metal v1.0.0
│       │       ├── mutex-trait v0.2.0
│       │       └── spin v0.9.6 <---
│       │           └── lock_api v0.4.10
│       │               └── scopeguard v1.1.0
│       │               [build-dependencies]
│       │               └── autocfg v1.1.0

Potential Solution
Bump the dependency of spin to a version that is not vulnerable 🚀
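As an added example (not code from the issue or from the esp-rs project), here is a small Python parser for `cargo tree` text output that walks the drawing prefix to recover every path leading to a vulnerable version of a crate and then names the direct dependencies that pull it in; the sample tree is constructed after the one quoted above.

```python
import re

# Constructed sample shaped like the `cargo tree` output quoted in the issue
# (not the real full tree; the elided "[..]" section is left out).
SAMPLE_TREE = """\
my-project v0.1.0
├── esp32-hal v0.16.0
│   ├── embassy-time v0.1.5 (*)
│   └── esp-hal-common v0.13.1
│       ├── esp32 v0.27.0
│       │   ├── critical-section v1.1.2
│       │   └── xtensa-lx v0.8.0
│       │       ├── mutex-trait v0.2.0
│       │       └── spin v0.9.6
│       │           └── lock_api v0.4.10
│       │               [build-dependencies]
│       │               └── autocfg v1.1.0
└── spin v0.9.8
"""

# One node line: drawing prefix in 4-column units, then "<crate> v<version>".
# Section headers such as "[build-dependencies]" do not match and are skipped.
NODE_RE = re.compile(r"^(?P<prefix>(?:[│ ]   )*(?:[├└]── )?)(?P<name>[\w-]+) v(?P<ver>\S+)")


def parse_version(ver):
    """Numeric tuple from 'MAJOR.MINOR.PATCH[-pre]', enough for a < comparison."""
    return tuple(int(re.match(r"\d+", p).group()) for p in ver.split("."))


def find_vulnerable_paths(tree_text, crate, fixed_in):
    """Every root-to-node path that ends in `crate` at a version below `fixed_in`."""
    stack, paths = [], []
    for line in tree_text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        depth = len(m["prefix"]) // 4
        del stack[depth:]  # unwind to this node's parent
        stack.append(f"{m['name']} v{m['ver']}")
        if m["name"] == crate and parse_version(m["ver"]) < parse_version(fixed_in):
            paths.append(list(stack))
    return paths


def direct_deps_to_bump(paths):
    """Depth-1 entries, i.e. the Cargo.toml dependencies that pull the crate in."""
    return sorted({p[1] for p in paths if len(p) > 1})
```

Running it on the real output of `cargo tree` from the affected project gives the same answer the issue reached by hand: the only route to spin v0.9.6 runs through esp32-hal, so that is the dependency whose update closes the alert.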

@github-project-automation github-project-automation bot moved this to Todo in esp-rs Dec 1, 2023
@github-project-automation github-project-automation bot moved this from Todo to Done in esp-rs Feb 6, 2024