Dear maintainer(s),

'cargo audit' reports one or more bundled CRATES as vulnerable.

To reproduce please install dev-util/cargo-audit and run:

cargo audit --file Cargo.lock

where Cargo.lock is generated during the build of this package.

For simplicity, I'm attaching the content of 'cargo audit' here:

Loaded 433 security advisories (from /tmp/advisory-db)
Scanning Cargo.lock for vulnerabilities (133 crate dependencies)
Crate:         regex
Version:       1.5.4
Title:         Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date:          2022-03-08
ID:            RUSTSEC-2022-0013
URL:           https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution:      Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4

Crate:         term
Version:       0.5.2
Warning:       unmaintained
Title:         term is looking for a new maintainer
Date:          2018-11-19
ID:            RUSTSEC-2018-0015
URL:           https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.5.2

error: 1 vulnerability found!
warning: 1 allowed warning found
As noted in https://github.com/Stebalien/term/issues/93, term isn't unmaintained, it just isn't getting new features anymore. Note also that https://rustsec.org/advisories/RUSTSEC-2018-0015 says that >0.6.1 is "unaffected" (which is weird to me, how can something be unmaintained but also be unaffected with a newer version at the same time?). rpick-0.8.13 is currently in testing and has term-0.7.0. So we could consider this "fixed" by that version of rpick, but I would argue that there is no vulnerability here to begin with since the crate is not truly unmaintained.

As for regex, it is only used for tests as you can see here: https://github.com/bowlofeggs/rpick/blob/0.8.13/Cargo.toml. Also, both in-tree versions of rpick use a version of regex that is fixed.

Since I believe term isn't truly vulnerable, and since regex is only used for tests (and both versions of rpick in tree currently have the fix), I suggest we mark this ticket as fixed.

I don't actually have the permissions to set the status on this ticket, so someone else will need to do that if they agree with my assessment here.
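The triage done in the comment above (is the locked version inside the advisory's fixed range, and is the crate only pulled in for tests?) can be scripted. The following is an added example and is not code from rpick, cargo-audit or the RustSec project: it parses a constructed Cargo.lock, checks each crate against the two advisory ranges quoted in this report (">=1.5.5" for RUSTSEC-2022-0013, ">0.6.1" for RUSTSEC-2018-0015), and then looks in a constructed Cargo.toml to see whether a flagged crate sits only under [dev-dependencies]. That last step is needed because Cargo.lock does not record whether a dependency is a normal or a dev dependency, which is why `cargo audit` alone cannot tell you that regex is test-only. The `Advisory`/`Req` types are a deliberate simplification of the real advisory database, which carries full semver ranges.

```rust
// Added example, not code from rpick or cargo-audit: triage RustSec-style
// advisories against a Cargo.lock and check whether a flagged crate is only a
// dev-dependency. Ids and ranges come from the thread; the lockfile, manifest
// and advisory records are constructed for this example.

/// MAJOR.MINOR.PATCH; tuple ordering gives semver precedence for plain
/// releases (pre-release tags are not handled).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        Some(Version(it.next()??, it.next()??, it.next()??))
    }
}

/// One comparator from an advisory's `patched` / `unaffected` list.
#[derive(Debug, Clone, Copy)]
pub enum Req { Ge(Version), Gt(Version) }

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let s = s.trim();
        if let Some(v) = s.strip_prefix(">=") { return Version::parse(v).map(Req::Ge); }
        s.strip_prefix('>').and_then(Version::parse).map(Req::Gt)
    }
    pub fn matches(&self, v: Version) -> bool {
        match *self { Req::Ge(b) => v >= b, Req::Gt(b) => v > b }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind { Vulnerability, Unmaintained }

/// A locked version matching any `fixed_in` range is not flagged.
pub struct Advisory { pub id: &'static str, pub package: &'static str, pub kind: Kind, pub fixed_in: Vec<Req> }

/// Collect (name, version) from every `[[package]]` table of a Cargo.lock.
pub fn parse_lock(lock: &str) -> Vec<(String, Version)> {
    let mut out = Vec::new();
    let (mut name, mut ver) = (None, None);
    // The trailing sentinel flushes the last package table.
    for line in lock.lines().chain(std::iter::once("[[package]]")).map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), ver.take()) { out.push((n, v)); }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            ver = Version::parse(v.trim_matches('"'));
        }
    }
    out
}

/// (advisory id, crate, version, kind) for every locked crate outside a fixed range.
pub fn assess(lock: &[(String, Version)], advisories: &[Advisory]) -> Vec<(&'static str, String, Version, Kind)> {
    let mut hits = Vec::new();
    for adv in advisories {
        for (name, ver) in lock {
            if name.as_str() == adv.package && !adv.fixed_in.iter().any(|r| r.matches(*ver)) {
                hits.push((adv.id, name.clone(), *ver, adv.kind));
            }
        }
    }
    hits
}

/// True when `krate` appears under [dev-dependencies] but not [dependencies].
/// Naive section scan: build-dependencies and target-specific tables are ignored.
pub fn is_dev_only(manifest: &str, krate: &str) -> bool {
    let (mut section, mut dev, mut normal) = (String::new(), false, false);
    for line in manifest.lines().map(str::trim) {
        if line.starts_with('[') { section = line.to_string(); continue; }
        if line.split('=').next().map(str::trim) != Some(krate) { continue; }
        match section.as_str() {
            "[dev-dependencies]" => dev = true,
            "[dependencies]" => normal = true,
            _ => {}
        }
    }
    dev && !normal
}

// Constructed inputs mirroring the versions in the report (not rpick's real files).
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "regex"
version = "1.5.4"

[[package]]
name = "term"
version = "0.5.2"
"#;

pub const SAMPLE_MANIFEST: &str = r#"
[package]
name = "example"

[dependencies]
term = "0.5"

[dev-dependencies]
regex = "1"
"#;

pub fn advisories() -> Vec<Advisory> {
    vec![
        Advisory { id: "RUSTSEC-2022-0013", package: "regex", kind: Kind::Vulnerability,
                   fixed_in: vec![Req::parse(">=1.5.5").unwrap()] },
        Advisory { id: "RUSTSEC-2018-0015", package: "term", kind: Kind::Unmaintained,
                   fixed_in: vec![Req::parse(">0.6.1").unwrap()] },
    ]
}

fn main() {
    let lock = parse_lock(SAMPLE_LOCK);
    for (id, krate, v, kind) in assess(&lock, &advisories()) {
        let dev = if is_dev_only(SAMPLE_MANIFEST, &krate) { " [dev-dependency only]" } else { "" };
        println!("{}: {} {}.{}.{} {:?}{}", id, krate, v.0, v.1, v.2, kind, dev);
    }
}
```

Run against the constructed lockfile this reports regex 1.5.4 as a Vulnerability tagged dev-dependency only and term 0.5.2 as Unmaintained; substitute a lock with regex 1.5.5 and term 0.7.0 (the versions the comment says are in tree) and nothing is flagged. Note the distinction the real tool also makes: an "unmaintained" entry is a warning, not a vulnerability, which is why the report above ends with "1 vulnerability found" and "1 allowed warning found" rather than two errors.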
(In reply to Randy Barlow from comment #1)
> As noted in https://github.com/Stebalien/term/issues/93, term isn't
> unmaintained, it just isn't getting new features anymore. Note also that
> https://rustsec.org/advisories/RUSTSEC-2018-0015 says that >0.6.1 is
> "unaffected" (which is weird to me, how can something be unmaintained but
> also be unaffected with a newer version at the same time?). rpick-0.8.13 is
> currently in testing and has term-0.7.0. So we could consider this "fixed"
> by that version of rpick, but I would argue that there is no vulnerability
> here to begin with since the crate is not truly unmaintained.
>
> As for regex, it is only used for tests as you can see here:
> https://github.com/bowlofeggs/rpick/blob/0.8.13/Cargo.toml. Also, both
> in-tree versions of rpick use a version of regex that is fixed.
>
> Since I believe term isn't truly vulnerable, and since regex is only used
> for tests (and both versions of rpick in tree currently have the fix), I
> suggest we mark this ticket as fixed.
>
> I don't actually have the permissions to set the status on this ticket, so
> someone else will need to do that if they agree with my assessment here.

Plausible reason to presume a borderline spam bug report is fixed? Sure!