
fix: Remove default chrono dep on time for sqlx-cli #2089

Conversation

TravisWhitehead
Contributor

@TravisWhitehead TravisWhitehead commented Sep 11, 2022

TL;DR: Remove unnecessary dependency on time 0.1 in sqlx-cli; that version of time is deprecated and contains a vulnerability flagged by cargo audit.

Effects of Change: This change adjusts the feature flags configured for the chrono crate for sqlx-cli. It disables default features for chrono and enables the clock flag only. The outcome is that chrono will no longer include the default oldtime feature flag which removes the dependency on time.

Why? time 0.1 is deprecated and vulnerable to RUSTSEC-2020-0071. Although chrono's dependency on time is not actually vulnerable, it causes cargo audit to be noisy:

Crate:     time
Version:   0.1.44
Title:     Potential segfault in the time crate
Date:      2020-11-18
ID:        RUSTSEC-2020-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:  Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.19
    ├── sqlx-core 0.6.1
    │   ├── sqlx-macros 0.6.1
    │   │   └── sqlx 0.6.1
    │   │       ├── sqlx-test 0.1.0
    │   │       │   └── sqlx 0.6.1
    │   │       ├── sqlx-example-sqlite-todos 0.1.0
    │   │       ├── sqlx-example-postgres-transaction 0.1.0
    │   │       ├── sqlx-example-postgres-todos 0.1.0
    │   │       ├── sqlx-example-postgres-mockable-todos 0.1.0
    │   │       ├── sqlx-example-postgres-listen 0.1.0
    │   │       ├── sqlx-example-postgres-axum-social 0.1.0
    │   │       ├── sqlx-example-mysql-todos 0.1.0
    │   │       ├── sqlx-core 0.6.1
    │   │       ├── sqlx-cli 0.6.1
    │   │       ├── sqlx-bench 0.1.0
    │   │       ├── json 0.1.0
    │   │       └── files 0.1.0
    │   └── sqlx 0.6.1
    ├── sqlx-cli 0.6.1
    ├── sqlx-bench 0.1.0
    └── serde_with 2.0.0
        └── sqlx-example-postgres-axum-social 0.1.0

Unfortunately chrono 0.4.19 also generates noise with cargo audit, but 🤷
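The feature-flag change the description refers to, written out as an added illustration (the PR's own diff is not reproduced on this page). The file path `sqlx-cli/Cargo.toml` and the exact shape of the original dependency line are assumptions; the version is taken from the audit output above.

```toml
[dependencies]
# Before (assumed shape of the original line): default features on, which
# enables chrono's `oldtime` feature and pulls in time 0.1, the crate
# flagged by RUSTSEC-2020-0071.
# chrono = "0.4"

# After: opt out of chrono's default features and enable only `clock`
# (needed for Local / Utc::now), so the `oldtime` feature and with it the
# time 0.1 dependency disappear from this crate's dependency tree.
chrono = { version = "0.4", default-features = false, features = ["clock"] }
```

To confirm the effect, `cargo tree -i time` (inverse tree for the `time` crate) should no longer list a path through sqlx-cli, and a fresh `cargo audit` should stop reporting RUSTSEC-2020-0071 for that crate. Two caveats: Cargo unifies features across a single build, so time 0.1 only leaves the lock file once every crate in the same build that depends on chrono has also opted out of `oldtime` (the audit tree above shows sqlx-core, sqlx-bench and serde_with depending on chrono as well); and, as the thread notes, this removes the time 0.1 finding only and does not change anything about the advisory raised against chrono 0.4.19 itself.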

chrono v0.4.19 includes time 0.1 via default feature flag oldtime.
time 0.1 is deprecated and flagged for: https://rustsec.org/advisories/RUSTSEC-2020-0071
@abonander abonander merged commit 09717e1 into launchbadge:main Sep 13, 2022
@TravisWhitehead TravisWhitehead deleted the disable-chrono-oldtime-flag-for-sqlx-cli branch September 13, 2022 02:29
@jhpratt

jhpratt commented Dec 23, 2022

It's worth noting that chrono itself is vulnerable for the exact reason that time 0.1 is.

3 participants