'cargo audit' reports one or more bundled CRATES as vulnerable.
To reproduce please install dev-util/cargo-audit and run:
cargo audit --file Cargo.lock
where Cargo.lock is generated during the build of this package.
For simplicity, I'm attaching the content of 'cargo audit' here:
Loaded 433 security advisories (from /tmp/advisory-db)
Scanning Cargo.lock for vulnerabilities (113 crate dependencies)
Title: Potential segfault in `localtime_r` invocations
Solution: Upgrade to >=0.4.20
Title: Out-of-bounds write in nix::unistd::getgrouplist
Solution: Upgrade to ^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0
Title: Regexes with large repetitions on empty sub-expressions take a very long time to parse
Solution: Upgrade to >=1.5.5
Title: Potential segfault in the time crate
Solution: Upgrade to >=0.2.23
Title: difference is unmaintained
Title: serde_cbor is unmaintained
error: 4 vulnerabilities found!
warning: 2 allowed warnings found
weggli-0.2.4 still has the vulnerable crates in its lockfile.
Unsure how impactful these vulnerabilities are as they are used in this package, but I will try and find the time to update them and send a patch upstream. (I imagine that chrono-0.4.19 -> chrono-0.4.20 will be trivial, while nix-0.17.0 -> nix-0.24.2 will require changes.)
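To check which of the crates flagged above are still pinned below their fixed versions in a given Cargo.lock, here is an added Python example (not part of this bug report or the weggli project). The lockfile excerpt is constructed; the solution ranges are copied from the cargo audit output above, and only the `>=X` and caret `^X` forms that output uses are handled.

```python
import re
# Constructed Cargo.lock excerpt: the pins the report names (chrono 0.4.19,
# nix 0.17.0) plus regex already at a fixed release.
SAMPLE_LOCK = """\
[[package]]
name = "chrono"
version = "0.4.19"

[[package]]
name = "nix"
version = "0.17.0"

[[package]]
name = "regex"
version = "1.5.6"
"""

# "Solution:" ranges exactly as cargo audit printed them above.
ADVISORIES = {
    "chrono": ">=0.4.20",
    "nix": "^0.20.2 OR ^0.21.2 OR ^0.22.2 OR >=0.23.0",
    "regex": ">=1.5.5",
}

def parse_lock(text):
    """Map crate name -> pinned version for each [[package]] block."""
    pat = re.compile(r'^name = "([^"]+)"\nversion = "([^"]+)"', re.M)
    return dict(pat.findall(text))

def vtuple(v):
    return tuple(int(x) for x in v.split("-")[0].split("."))

def satisfies(version, req):
    """True if version meets any ' OR '-joined alternative: '>=X' or '^X'
    (caret = same leading non-zero component as X, and >= X)."""
    v = vtuple(version)
    for alt in req.split(" OR "):
        base = vtuple(alt.lstrip(">=^"))
        if alt.startswith(">=") and v >= base:
            return True
        if alt.startswith("^"):
            keep = next(i for i, c in enumerate(base) if c) + 1
            if v[:keep] == base[:keep] and v >= base:
                return True
    return False

def still_vulnerable(lock_text, advisories=ADVISORIES):
    """Crates pinned in the lockfile that do not meet their solution range."""
    return {n: v for n, v in parse_lock(lock_text).items()
            if n in advisories and not satisfies(v, advisories[n])}
```

Running `still_vulnerable` on the real Cargo.lock generated during the build gives the same answer as the "Solution:" lines, but per pinned version, which is useful when re-checking after a partial bump.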