Skip to content

cargo audit errors and warnings #3581

Description

@praseodym

We don't run cargo audit automatically but I'm surprised that Dependabot did not report any of these vulnerabilities:

Crate:     crossbeam-epoch
Version:   0.9.18
Title:     Invalid pointer dereference in `fmt::Pointer` impl for `Atomic` and `Shared` when the underlying pointer is invalid
Date:      2026-07-06
ID:        RUSTSEC-2026-0204
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0204
Solution:  Upgrade to >=0.9.20

Crate:     quick-xml
Version:   0.38.4
Title:     Quadratic run time when checking a start tag for duplicate attribute names
Date:      2026-06-29
ID:        RUSTSEC-2026-0194
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0194
Severity:  7.5 (high)
Solution:  Upgrade to >=0.41.0

Crate:     quick-xml
Version:   0.38.4
Title:     Unbounded namespace-declaration allocation in `NsReader` enables memory-exhaustion denial of service
Date:      2026-06-29
ID:        RUSTSEC-2026-0195
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0195
Severity:  7.5 (high)
Solution:  Upgrade to >=0.41.0

Crate:     quick-xml
Version:   0.39.2
Title:     Quadratic run time when checking a start tag for duplicate attribute names
Date:      2026-06-29
ID:        RUSTSEC-2026-0194
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0194
Severity:  7.5 (high)
Solution:  Upgrade to >=0.41.0

Crate:     quick-xml
Version:   0.39.2
Title:     Unbounded namespace-declaration allocation in `NsReader` enables memory-exhaustion denial of service
Date:      2026-06-29
ID:        RUSTSEC-2026-0195
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0195
Severity:  7.5 (high)
Solution:  Upgrade to >=0.41.0

Crate:     quinn-proto
Version:   0.11.14
Title:      Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly
Date:      2026-06-22
ID:        RUSTSEC-2026-0185
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0185
Severity:  7.5 (high)
Solution:  Upgrade to >=0.11.15

Crate:     bincode
Version:   1.3.3
Warning:   unmaintained
Title:     Bincode is unmaintained
Date:      2025-12-16
ID:        RUSTSEC-2025-0141
URL:       https://rustsec.org/advisories/RUSTSEC-2025-0141

Crate:     paste
Version:   1.0.15
Warning:   unmaintained
Title:     paste - no longer maintained
Date:      2024-10-07
ID:        RUSTSEC-2024-0436
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0436

Crate:     rustybuzz
Version:   0.20.1
Warning:   unmaintained
Title:     `rustybuzz` is unmaintained
Date:      2026-07-11
ID:        RUSTSEC-2026-0206
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0206

Crate:     ttf-parser
Version:   0.25.1
Warning:   unmaintained
Title:     `ttf-parser` is unmaintained
Date:      2026-06-28
ID:        RUSTSEC-2026-0192
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0192

Crate:     yaml-rust
Version:   0.4.5
Warning:   unmaintained
Title:     yaml-rust is unmaintained.
Date:      2024-03-20
ID:        RUSTSEC-2024-0320
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0320

Crate:     anyhow
Version:   1.0.102
Warning:   unsound
Title:     Unsoundness in `Error::downcast_mut()`
Date:      2026-06-25
ID:        RUSTSEC-2026-0190
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0190

Crate:     memmap2
Version:   0.9.10
Warning:   unsound
Title:     Unchecked pointer offset in crate `memmap2`
Date:      2026-06-20
ID:        RUSTSEC-2026-0186
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0186

Crate:     rand
Version:   0.8.5
Warning:   unsound
Title:     Rand is unsound with a custom logger using `rand::rng()`
Date:      2026-04-09
ID:        RUSTSEC-2026-0097
URL:       https://rustsec.org/advisories/RUSTSEC-2026-0097

Crate:     spin
Version:   0.9.8
Warning:   yanked

error: 6 vulnerabilities found!
warning: 9 allowed warnings found

Metadata

Metadata

Assignees

No one assigned

    Labels

    backendIssues or pull requests that relate to the backend

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Current

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions