smallvec/parking_lot vulnerability #60
Comments
|
Thanks for filing the issue! I think we can bump the transitive dependency manually, I'll investigate. |
|
Awesome! Thanks for looking into it :) |
bors bot
added a commit
that referenced
this issue
Jan 28, 2021
61: Bump smallvec to remove vulnerability r=antifuchs a=antifuchs This addresses #60. I also changed some cargo-deny settings so it no longer warns about dev-dependencies and buries me in chunder. Co-authored-by: Andreas Fuchs <[email protected]>
|
The above PR should straighten out the deps such that a non-vulnerable version of smallvec gets used. If you have the time @FintanH, could you test with a git dependency? Otherwise, I'll time out and release v0.3.2 on the weekend. |
|
Looks good on our side :) |
|
Released! Thanks for checking! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey 👋
There was a vulnerability in
smallvec:insert_many()servo/rust-smallvec#252I came across this while using
cargo denyon our projectradicle-linkand there was a transitive dep fromgovernortoparking_lot.I created a pull-request for the
parking_lotrepo Amanieu/parking_lot#276 and I wanted to track an issue here for updating this project with the fixed version too.Hope that works for you, and let me know if I can do anything to help ✌️
The text was updated successfully, but these errors were encountered: