Note: Time dependency is outdated #629
Comments
|
Bump on this, there are related advisories against both
Both are due to CVE-2020-26235, which is a 5.3 (Medium) under CVSS 3.1. |
2 tasks
|
Related to #602! |
|
I don't think we'll be updating the version of time used in chrono. Since #478, chrono has a minimal dependency on time (that notably does not call any of the code that is vulnerable per RUSTSEC-2020-0071), and in the next semver-incompatible version we'll remove the dependency entirely. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
When I created a PR, I noticed many outdated dependencies.
I got some problems with "time" dependencies (no problem with others dependencies when I updated them).
If someone want to update, for removed num_XXX it's easy to replace with whole_XXX.
The problem is with num_nanoseconds. Before time 0.1.43 returned an Option, now whole_nanoseconds returns i32 or i128, but Duration::nanoseconds need a i64 ( Duration::nanoseconds_i128(nanoseconds: i128) is private).
It wasn't connected with my PR and I don't know when I will have enough time to check that deeper so I let the information for someone else.
The text was updated successfully, but these errors were encountered: