Upgrade regex package versions to >=1.5.5 (security vulnerabilities) #106

Open · John15321 opened this issue May 31, 2022 · 0 comments

@John15321

I'm not sure if this is the right place, but when I run cargo audit on the duckscript repo I get this error:

https://github.com/sagiegurari/duckscript

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 416 security advisories (from /Users/john/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (124 crate dependencies)
Crate:     regex
Version:   0.1.80
Title:     Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:      2022-03-08
ID:        RUSTSEC-2022-0013
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:  Upgrade to >=1.5.5
Dependency tree:
regex 0.1.80
└── ftp 3.0.1
    └── duckscriptsdk 0.8.12
        └── duckscript_cli 0.8.12

Crate:     thread_local
Version:   0.2.7
Title:     Data race in `Iter` and `IterMut`
Date:      2022-01-23
ID:        RUSTSEC-2022-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0006
Solution:  Upgrade to >=1.1.4
Dependency tree:
thread_local 0.2.7
└── regex 0.1.80
    └── ftp 3.0.1
        └── duckscriptsdk 0.8.12
            └── duckscript_cli 0.8.12

error: 2 vulnerabilities found!

So I'm not sure if it's rust-ftp that has an old regex version or duckscript; if it's duckscript I will move my issue there.
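The question the audit output raises is which crate in the chain actually pins the vulnerable version. The dependency tree already answers it: the crate printed directly above the flagged one (here `ftp 3.0.1` above `regex 0.1.80`) is the one whose Cargo.toml requests that version, so that is where the upgrade has to happen. The script below is an added example, not code from this issue, rust-ftp or duckscript. It parses a Cargo.lock, flags packages whose version is below the fixed version quoted in the two RustSec advisories above, and reports every path from a workspace root to each flagged crate together with the crate that introduces it. The embedded lock file is constructed to mirror the tree in the issue, and the advisory table is a hand-written stand-in for the RustSec database rather than a real lookup.

```python
"""Locate which dependency pins a vulnerable crate in a Cargo.lock (example code)."""
import re

# Constructed sample Cargo.lock modelled on the dependency trees in the issue.
SAMPLE_LOCK = """\
[[package]]
name = "duckscript_cli"
version = "0.8.12"
dependencies = [
 "duckscriptsdk",
]

[[package]]
name = "duckscriptsdk"
version = "0.8.12"
dependencies = [
 "ftp",
]

[[package]]
name = "ftp"
version = "3.0.1"
dependencies = [
 "regex 0.1.80",
]

[[package]]
name = "regex"
version = "0.1.80"
dependencies = [
 "thread_local",
]

[[package]]
name = "thread_local"
version = "0.2.7"
"""

# Stand-in for the advisory database: crate -> (advisory id, first fixed version),
# using the two advisories quoted in the cargo audit output.
ADVISORIES = {
    "regex": ("RUSTSEC-2022-0013", "1.5.5"),
    "thread_local": ("RUSTSEC-2022-0006", "1.1.4"),
}


def parse_cargo_lock(text):
    """Return {(name, version): [dependency strings]} for every [[package]] block."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        # Entries of the dependencies list are bare quoted strings on their own line.
        deps = re.findall(r'^\s*"([^"]+)",?$', block, re.M)
        packages[(name, version)] = deps
    return packages


def resolve(packages, dep):
    """Map a lock-file dependency string ("name" or "name version ...") to a package key."""
    parts = dep.split()
    if len(parts) > 1:
        return (parts[0], parts[1])
    matches = [key for key in packages if key[0] == parts[0]]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or missing dependency {dep!r}")
    return matches[0]


def version_tuple(version):
    """Numeric semver tuple; pre-release suffixes are ignored for this comparison."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def paths_to(graph, target):
    """All cycle-free paths from workspace roots (packages nobody depends on) to target."""
    depended_on = {dep for deps in graph.values() for dep in deps}
    roots = [key for key in graph if key not in depended_on]
    found = []

    def walk(node, path):
        path = path + [node]
        if node == target:
            found.append(path)
            return
        for child in graph[node]:
            if child not in path:  # guard against dependency cycles
                walk(child, path)

    for root in roots:
        walk(root, [])
    return found


def audit(lock_text, advisories):
    """Flag packages below the fixed version and explain how each one is pulled in."""
    packages = parse_cargo_lock(lock_text)
    graph = {key: [resolve(packages, d) for d in deps] for key, deps in packages.items()}
    fmt = lambda key: f"{key[0]} {key[1]}"
    report = []
    for key in packages:
        name, version = key
        if name in advisories:
            adv_id, fixed = advisories[name]
            if version_tuple(version) < version_tuple(fixed):
                paths = paths_to(graph, key)
                report.append({
                    "crate": name, "version": version, "id": adv_id, "fixed": fixed,
                    "paths": [[fmt(k) for k in p] for p in paths],
                    # The crate directly above the vulnerable one pins the old version.
                    "introduced_by": sorted({fmt(p[-2]) for p in paths if len(p) > 1}),
                })
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, ADVISORIES):
        print(f"{finding['id']}: {finding['crate']} {finding['version']} "
              f"(fixed in {finding['fixed']}), pinned by {finding['introduced_by']}")
        for path in finding["paths"]:
            print("  " + " -> ".join(path))
```

Run against a real Cargo.lock by reading the file instead of `SAMPLE_LOCK`; `cargo audit` itself is still the tool to use for the advisory lookup, this script only makes the "who pins it" question explicit. For the tree in the issue it reports `regex 0.1.80` as pinned by `ftp 3.0.1` and `thread_local 0.2.7` as pinned by `regex 0.1.80`, so both findings clear once ftp moves to a modern regex.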
