Dependabot alerts #2 - Segmentation fault in time

[jtmoon79]

This Issue is to acknowledge Dependabot Alert #2. (I'm unable to comment or otherwise acknowledge the Dependabot Alert unless it's closed!? 😒)

The dependency bringing in the vulnerability is chrono

$ cargo tree -v -v --all-features
...
├── chrono v0.4.23
│   ├── iana-time-zone v0.1.48
│   ├── num-integer v0.1.45
│   │   └── num-traits v0.2.15
│   │       [build-dependencies]
│   │       └── autocfg v1.1.0
│   │   [build-dependencies]
│   │   └── autocfg v1.1.0
│   ├── num-traits v0.2.15 (*)
│   └── time v0.1.44
│       └── libc v0.2.138
...

As of January 2023, I'm using the latest chrono version 0.4.23 which, according to cargo tree, has the vulnerable time crate.

It is discussed in chronotope/chrono#602 (comment) which is Closed.

djc commented Mar 22, 2022
I'm going to close this because in its current version, chrono does not call the vulnerable APIs in time 0.1. Since chronotope/chrono#478 the dependency on time is fairly minimal and in the next semver-compatible version we'll remove it entirely.

According to the comment, this vulnerability should not be possible to hit.

When chrono is updated to remove the dependency, then this Issue should be Closed.

[jtmoon79]

chrono bumped to 0.4.35 in 89209f9