Dear maintainer(s), 'cargo audit' reports one or more bundled CRATES as vulnerable. To reproduce please install dev-util/cargo-audit and run: cargo audit --file Cargo.lock where Cargo.lock is generated during the build of this package. For simplicity, I'm attaching the content of 'cargo audit' here:

Loaded 433 security advisories (from /tmp/advisory-db)
Scanning Cargo.lock for vulnerabilities (113 crate dependencies)

Crate: chrono
Version: 0.4.19
Title: Potential segfault in `localtime_r` invocations
Date: 2020-11-10
ID: RUSTSEC-2020-0159
URL: https://rustsec.org/advisories/RUSTSEC-2020-0159
Solution: Upgrade to >=0.4.20
Dependency tree:
chrono 0.4.19

Crate: nix
Version: 0.17.0
Title: Out-of-bounds write in nix::unistd::getgrouplist
Date: 2021-09-27
ID: RUSTSEC-2021-0119
URL: https://rustsec.org/advisories/RUSTSEC-2021-0119
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Dependency tree:
nix 0.17.0

Crate: regex
Version: 1.5.4
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Date: 2022-03-08
ID: RUSTSEC-2022-0013
URL: https://rustsec.org/advisories/RUSTSEC-2022-0013
Solution: Upgrade to >=1.5.5
Dependency tree:
regex 1.5.4

Crate: time
Version: 0.1.44
Title: Potential segfault in the time crate
Date: 2020-11-18
ID: RUSTSEC-2020-0071
URL: https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution: Upgrade to >=0.2.23
Dependency tree:
time 0.1.44

Crate: difference
Version: 2.0.0
Warning: unmaintained
Title: difference is unmaintained
Date: 2020-12-20
ID: RUSTSEC-2020-0095
URL: https://rustsec.org/advisories/RUSTSEC-2020-0095
Dependency tree:
difference 2.0.0

Crate: serde_cbor
Version: 0.11.2
Warning: unmaintained
Title: serde_cbor is unmaintained
Date: 2021-08-15
ID: RUSTSEC-2021-0127
URL: https://rustsec.org/advisories/RUSTSEC-2021-0127
Dependency tree:
serde_cbor 0.11.2

error: 4 vulnerabilities found!
warning: 2 allowed warnings found
weggli-0.2.4 still has the vulnerable crates in its lockfile. Unsure how impactful these vulnerabilities are as they are used in this package, but I will try and find the time to update them and send a patch upstream. (I imagine that chrono-0.4.19 -> chrono-0.4.20 will be trivial, while nix-0.17.0->nix-0.24.2 will require changes.)
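To check whether an updated Cargo.lock has actually left the vulnerable ranges reported above, here is an added example (not part of the bug report or of weggli) that reads the `[[package]]` entries of a lockfile and evaluates each pinned version against the "Solution" requirement of the four RUSTSEC advisories, using Cargo's `>=` and `^` semantics. The lockfile excerpt is constructed for the demo, and pre-release version tags are out of scope.

```python
import re
# Fix ranges taken from the four advisories in the cargo audit output above.
ADVISORIES = {
    "chrono": ("RUSTSEC-2020-0159", ">=0.4.20"),
    "nix": ("RUSTSEC-2021-0119", "^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0"),
    "regex": ("RUSTSEC-2022-0013", ">=1.5.5"),
    "time": ("RUSTSEC-2020-0071", ">=0.2.23"),
}

# Constructed Cargo.lock excerpt for the demo (not weggli's real lockfile).
SAMPLE_LOCK = """\
[[package]]
name = "chrono"
version = "0.4.19"
[[package]]
name = "nix"
version = "0.24.2"
[[package]]
name = "regex"
version = "1.5.4"
"""

def parse_version(s):
    return tuple(int(p) for p in s.split("."))  # plain x.y.z only, no pre-release tags

def caret_upper(base):
    """Exclusive upper bound of a Cargo caret requirement (^0.2.3 -> 0.3.0)."""
    major, minor, patch = base
    if major:
        return (major + 1, 0, 0)
    return (0, minor + 1, 0) if minor else (0, 0, patch + 1)

def satisfies(version, requirement):
    """True if version matches any ' OR '-separated clause (>=X or ^X)."""
    for clause in requirement.split(" OR "):
        if clause.startswith(">=") and version >= parse_version(clause[2:]):
            return True
        if clause.startswith("^"):
            base = parse_version(clause[1:])
            if base <= version < caret_upper(base):
                return True
    return False

def audit(lock_text):
    """Map crate name -> advisory ID for entries still in a vulnerable range."""
    pkgs = re.findall(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"', lock_text)
    return {name: ADVISORIES[name][0] for name, ver in pkgs
            if name in ADVISORIES and not satisfies(parse_version(ver), ADVISORIES[name][1])}

print(audit(SAMPLE_LOCK))  # -> {'chrono': 'RUSTSEC-2020-0159', 'regex': 'RUSTSEC-2022-0013'}
```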