Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refinery dependency on chrono leads to security issues #191

Closed
vn971 opened this issue Oct 18, 2021 · 4 comments
Closed

Refinery dependency on chrono leads to security issues #191

vn971 opened this issue Oct 18, 2021 · 4 comments

Comments

@vn971
Copy link
Contributor

vn971 commented Oct 18, 2021
edited
Loading

Hi. Currently, refinery_core depends on chrono: https://github.com/rust-db/refinery/blob/main/refinery_core/Cargo.toml#L22

chrono in turn seems to have a security issue that isn't fixed for a long while already: https://rustsec.org/advisories/RUSTSEC-2020-0159
Which is raised in the bug tracker as well (see also the last comments there): chronotope/chrono#499

Currently many libraries are evaluating ways to move away from chrono, such as depending on time directly (example).

Question: is it possible for refinery_core to not depend on chrono and thus eliminate the troublesome library from its dependencies? What can we do?
@jxs
Copy link
Member

jxs commented Oct 20, 2021

Hi, and thanks for your interest! Yeah I plan to add cargo-audit to the repo and fix this issue, which will probably be switching chrono to time as you suggested. Or do you want to go ahead and submit a PR?
thanks!

@vn971
Copy link
Contributor Author

vn971 commented Dec 4, 2021

@jxs thanks for the response! Unfortunately I'm working with refinery in a company context, and our company is very small (I'm the only Rust dev there). There are no resources to spend there at all. So sorry for that, but still thanks for the project!

jxs added a commit to jxs/refinery that referenced this issue Dec 6, 2021
@jxs
switch chrono for time fixes rust-db#191
1419ac6
jxs added a commit to jxs/refinery that referenced this issue Dec 6, 2021
@jxs
switch chrono for time fixes rust-db#191
e92a042
jxs added a commit to jxs/refinery that referenced this issue Dec 6, 2021
@jxs
switch chrono for time fixes rust-db#191
58be299
jxs added a commit to jxs/refinery that referenced this issue Dec 6, 2021
@jxs
switch chrono for time fixes rust-db#191
1db492e
jxs added a commit to jxs/refinery that referenced this issue Dec 6, 2021
@jxs
switch chrono for time fixes rust-db#191
da4abba
jxs added a commit to jxs/refinery that referenced this issue Dec 7, 2021
@jxs
switch chrono for time fixes rust-db#191
a4d3bb4
jxs added a commit to jxs/refinery that referenced this issue Dec 7, 2021
@jxs
switch chrono for time fixes rust-db#191
7bedda2
jxs added a commit to jxs/refinery that referenced this issue Dec 7, 2021
@jxs
switch chrono for time fixes rust-db#191
98813b7
jxs added a commit to jxs/refinery that referenced this issue Dec 7, 2021
@jxs
switch chrono for time fixes rust-db#191
5cdfd2e
@jxs jxs closed this as completed in 886d53a Dec 7, 2021
@jxs
Copy link
Member

jxs commented Dec 7, 2021

Hi, no worries :) It's fixed now. I will also add cargo-audit to the pipeline in the next days and probably cut a new release.
cheers :)

@vn971
Copy link
Contributor Author

vn971 commented Dec 7, 2021

Yaay, thanks! 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jxs @vn971