Current version (0.8.0) fails cargo audit #152

Closed
newAM opened this issue Oct 12, 2021 · 4 comments · Fixed by #153
Comments

@newAM
Contributor

newAM commented Oct 12, 2021

Recently nixpkgs was scanned for vulnerabilities in rust binaries reported in the advisory-db (see nixpkgs/issues/141368), and unfortunately the current version of cargo-deadlinks (0.8.0) on crates.io has some problems:

$ cargo install cargo-audit
$ wget https://crates.io/api/v1/crates/cargo-deadlinks/0.8.0/download
$ tar xzf download
$ cd cargo-deadlinks-0.8.0/
$ cargo audit
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (147 crate dependencies)
Crate:         crossbeam-deque
Version:       0.8.0
Title:         Data race in crossbeam-deque
Date:          2021-07-30
ID:            RUSTSEC-2021-0093
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0093
Solution:      Upgrade to >=0.7.4, <0.8.0 OR >=0.8.1
Dependency tree:
crossbeam-deque 0.8.0
├── rayon-core 1.9.0
│   └── rayon 1.5.0
│       └── cargo-deadlinks 0.8.0
└── rayon 1.5.0

Crate:         smallvec
Version:       0.6.13
Title:         Buffer overflow in SmallVec::insert_many
Date:          2021-01-08
ID:            RUSTSEC-2021-0003
URL:           https://rustsec.org/advisories/RUSTSEC-2021-0003
Solution:      Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
Dependency tree:
smallvec 0.6.13
├── selectors 0.21.0
│   └── lol_html 0.2.0
│       └── cargo-deadlinks 0.8.0
└── cssparser 0.25.9
    ├── selectors 0.21.0
    └── lol_html 0.2.0

Crate:         difference
Version:       2.0.0
Warning:       unmaintained
Title:         difference is unmaintained
Date:          2020-12-20
ID:            RUSTSEC-2020-0095
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0
├── predicates 1.0.5
│   ├── cargo-deadlinks 0.8.0
│   └── assert_cmd 1.0.1
│       └── cargo-deadlinks 0.8.0
└── mockito 0.28.0
    └── cargo-deadlinks 0.8.0

Crate:         crossbeam-deque
Version:       0.8.0
Warning:       yanked

Crate:         crossbeam-epoch
Version:       0.9.0
Warning:       yanked
Dependency tree:
crossbeam-epoch 0.9.0
└── crossbeam-deque 0.8.0
    ├── rayon-core 1.9.0
    │   └── rayon 1.5.0
    │       └── cargo-deadlinks 0.8.0
    └── rayon 1.5.0

error: 2 vulnerabilities found!
warning: 3 allowed warnings found

Would you be willing to make a 0.8.1 release with updated dependencies?
I created pull request #151 with the necessary updates.

P.S. Thanks for creating this, it is very useful for maintaining working links in my projects!
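The steps above (fetch the published tarball, unpack it, run `cargo audit` on its `Cargo.lock`) can be wrapped in a small script so the same check runs against any published crate version. The following is an added example and not code from this issue or from the cargo-deadlinks project: `audit_published_crate` reproduces the reporter's procedure with the crate name and version as parameters, and `summarize_report` parses a human-readable `cargo audit` report to count vulnerabilities versus warnings (yanked/unmaintained). The embedded `SAMPLE_REPORT` is constructed from the output quoted in this issue; the `wget` invocation, the `-D warnings` flag and the temp-directory layout are this example's choices, not the reporter's.

```shell
#!/usr/bin/env sh
# Added example, not from the issue: audit a crate as published on crates.io and
# summarize the report. Requires `cargo install cargo-audit` for the live audit.
set -eu

# Fetch and unpack the exact tarball crates.io serves, then audit its Cargo.lock.
# `-D warnings` makes yanked/unmaintained findings fail the run as well, which is
# stricter than the default shown in the issue. Returns cargo audit's exit status.
audit_published_crate() {
  crate="$1"
  version="$2"
  workdir="$(mktemp -d)"
  wget -q -O "$workdir/download" \
    "https://crates.io/api/v1/crates/$crate/$version/download"
  tar xzf "$workdir/download" -C "$workdir"
  (cd "$workdir/$crate-$version" && cargo audit -D warnings)
}

# Read a human-readable cargo audit report on stdin and print "<vulns> <warnings>".
# Each finding starts at a "Crate:" line. A finding with a "Warning:" line is a
# warning (yanked or unmaintained); one that reaches its "ID:" line without a
# "Warning:" line is a vulnerability.
summarize_report() {
  awk '
    /^Crate:/   { warn = 0 }
    /^Warning:/ { warn = 1; warnings++ }
    /^ID:/      { if (!warn) vulns++ }
    END         { printf "%d %d\n", vulns + 0, warnings + 0 }
  '
}

# Print the RUSTSEC IDs of findings that are actual vulnerabilities, one per line,
# so they can be cross-checked against a release's changelog or an ignore list.
vulnerability_ids() {
  awk '
    /^Crate:/   { warn = 0 }
    /^Warning:/ { warn = 1 }
    /^ID:/      { if (!warn) print $2 }
  '
}

# Constructed sample: the findings section of the report quoted in the issue,
# trimmed to the header lines the parsers above rely on.
SAMPLE_REPORT="$(cat <<'EOF'
Crate:         crossbeam-deque
Version:       0.8.0
Title:         Data race in crossbeam-deque
ID:            RUSTSEC-2021-0093

Crate:         smallvec
Version:       0.6.13
Title:         Buffer overflow in SmallVec::insert_many
ID:            RUSTSEC-2021-0003

Crate:         difference
Version:       2.0.0
Warning:       unmaintained
Title:         difference is unmaintained
ID:            RUSTSEC-2020-0095

Crate:         crossbeam-deque
Version:       0.8.0
Warning:       yanked

Crate:         crossbeam-epoch
Version:       0.9.0
Warning:       yanked
EOF
)"

# Usage (live, needs network):  audit_published_crate cargo-deadlinks 0.8.0
# Offline summary of the constructed sample:
printf '%s\n' "$SAMPLE_REPORT" | summarize_report
```

Run against the sample, `summarize_report` prints `2 3`, matching the `2 vulnerabilities found` / `3 allowed warnings found` totals in the quoted output; the warnings are not counted as vulnerabilities because `cargo audit` only fails on them when `-D warnings` (or a narrower `-D yanked` / `-D unmaintained`) is passed, which is why a plain run still reports them as "allowed".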

@jyn514
Contributor

jyn514 commented Oct 13, 2021

Thanks for bringing this to my attention! I'll make a PR fixing it shortly (#151 fails CI because it bumps the MSRV, and I also want to add an audit check at the same time).

@newAM
Contributor Author

newAM commented Oct 13, 2021

Thanks for the quick fix! Would it be possible to get a release with the updated dependencies?

@jyn514
Contributor

jyn514 commented Oct 13, 2021

@newAM sure, pushed a new release :) the build should finish in a minute or two and it will publish to crates.io automatically.

@newAM
Contributor Author

newAM commented Oct 13, 2021

Thank you again! I really appreciate the crate and the effort you put into it!
