cargo deny advisories #3155
Description
This issue lists the security warnings found by cargo deny check advisories. Currently we have downgraded these errors to warnings to make the CI pass. but the following issues still need to be fixed.
Vulnerabilities
- crossbeam-channel 0.5.14: Advisory RUSTSEC-2025-0024 - Solution: Upgrade to >=0.5.15. Pulled in by:
crossbeam v0.8.2. - h2 0.3.16: Advisory RUSTSEC-2024-0003 - Solution: Upgrade to ^0.3.24 OR >=0.4.2. Pulled in by:
hyper v0.14.25,reqwest v0.11.15. - h2 0.3.16: Advisory RUSTSEC-2023-0034 - Solution: Upgrade to >=0.3.17. Pulled in by:
hyper v0.14.25,reqwest v0.11.15. - h2 0.3.16: Advisory RUSTSEC-2024-0332 - Solution: Upgrade to ^0.3.26 OR >=0.4.4. Pulled in by:
hyper v0.14.25,reqwest v0.11.15. - idna 0.1.5: Advisory RUSTSEC-2024-0421 - Solution: Upgrade to >=1.0.0. Pulled in by:
url v1.7.2. - libgit2-sys 0.14.2+1.5.1: Advisory RUSTSEC-2024-0013 - Solution: Upgrade to >=0.16.2. Pulled in by:
git2 v0.16.1. - openssl 0.10.64: Advisory RUSTSEC-2025-0022 - Solution: Upgrade to >=0.10.72. Pulled in by:
diem-crypto v0.1.0,native-tls v0.2.11,vrf v0.2.4. - openssl 0.10.64: Advisory RUSTSEC-2024-0357 - Solution: Upgrade to >=0.10.66. Pulled in by:
diem-crypto v0.1.0,native-tls v0.2.11,vrf v0.2.4. - openssl 0.10.64: Advisory RUSTSEC-2025-0004 - Solution: Upgrade to >=0.10.70. Pulled in by:
diem-crypto v0.1.0,native-tls v0.2.11,vrf v0.2.4. - remove_dir_all 0.5.3: Advisory RUSTSEC-2023-0018 - Solution: Upgrade to >=0.8.0. Pulled in by:
tempdir v0.3.7. - ring 0.17.8: Advisory RUSTSEC-2025-0009 - Solution: Upgrade to >=0.17.12. Pulled in by:
rustls v0.23.20,rustls-webpki v0.102.8. - time 0.1.45: Advisory RUSTSEC-2020-0071 - Solution: Upgrade to >=0.2.23. Pulled in by:
cfxstore v0.2.1. - tokio 0.1.22: Advisory RUSTSEC-2021-0124 - Solution: Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1. Pulled in by:
jsonrpc-server-utils v15.1.0. - tokio 0.2.25: Advisory RUSTSEC-2021-0124 - Solution: Upgrade to >=1.8.4, <1.9.0 OR >=1.13.1. Pulled in by:
cfx-storage v1.0.0,cfx-stratum v1.12.0 (dev). - yaml-rust 0.3.5: Advisory RUSTSEC-2018-0006 - Solution: Upgrade to >=0.4.1. Pulled in by:
clap v2.34.0.
Unsoundness
- atty 0.2.14: Advisory RUSTSEC-2021-0145 - Solution: No safe upgrade is available!. Pulled in by:
clap v2.34.0,criterion v0.3.6. - crossbeam-utils 0.7.2: Advisory RUSTSEC-2022-0041 - Solution: Upgrade to >=0.8.7. Pulled in by:
crossbeam-channel v0.4.4,crossbeam-deque v0.7.4,crossbeam-epoch v0.8.2,crossbeam-queue v0.2.3,tokio-executor v0.1.10,tokio-reactor v0.1.12,tokio-threadpool v0.1.18,tokio-timer v0.2.13. - failure 0.1.8: Advisory RUSTSEC-2019-0036 - Solution: No safe upgrade is available!. Pulled in by:
vrf v0.2.4. - lock_api 0.3.4: Advisory RUSTSEC-2020-0070 - Solution: Upgrade to >=0.4.2. Pulled in by:
parking_lot v0.10.2,parking_lot v0.9.0. - memoffset 0.5.6: Advisory RUSTSEC-2023-0045 - Solution: Upgrade to >=0.6.2. Pulled in by:
cfx-storage v1.0.0,crossbeam-epoch v0.8.2. - secp256k1 0.20.3: Advisory RUSTSEC-2022-0070 - Solution: Upgrade to >=0.22.2, <0.23.0 OR >=0.23.5, <0.24.0 OR >=0.24.2. Pulled in by:
parity-crypto v0.9.0. - tokio 0.2.25: Advisory RUSTSEC-2025-0023 - Solution: Upgrade to >=1.38.2, <1.39.0 OR >=1.42.1, <1.43.0 OR >=1.43.1, <1.44.0 OR >=1.44.2. Pulled in by:
cfx-storage v1.0.0,cfx-stratum v1.12.0 (dev). - tokio 0.2.25: Advisory RUSTSEC-2023-0005 - Solution: Upgrade to >=1.18.5, <1.19.0 OR >=1.20.4, <1.21.0 OR >=1.24.2. Pulled in by:
cfx-storage v1.0.0,cfx-stratum v1.12.0 (dev).
Unmaintained / Yanked
- aes-ctr 0.6.0: Advisory RUSTSEC-2021-0061 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
parity-crypto v0.9.0. - aes-soft 0.6.4: Advisory RUSTSEC-2021-0060 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
aes v0.6.0,aes-ctr v0.6.0. - aesni 0.10.0: Advisory RUSTSEC-2021-0059 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
aes v0.6.0,aes-ctr v0.6.0. - ansi_term 0.12.1: Advisory RUSTSEC-2021-0139 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
clap v2.34.0,tracing-subscriber v0.3.0. - atty 0.2.14: Advisory RUSTSEC-2024-0375 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
clap v2.34.0,criterion v0.3.6. - cpuid-bool 0.2.0: Advisory RUSTSEC-2021-0064 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
polyval v0.4.5. - derivative 2.2.0: Advisory RUSTSEC-2024-0388 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
cfx-internal-common v1.0.0,cfx-storage v1.0.0,log4rs v1.3.0. - failure 0.1.8: Advisory RUSTSEC-2020-0036 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
vrf v0.2.4. - instant 0.1.12: Advisory RUSTSEC-2024-0384 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
fastrand v1.9.0,parking_lot v0.11.2,parking_lot_core v0.8.6. - net2 0.2.38: Advisory RUSTSEC-2020-0016 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
jsonrpc-http-server v18.0.0,mio v0.6.23,miow v0.2.2. - parity-util-mem 0.5.2: Advisory RUSTSEC-2022-0080 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
cfx-storage v1.0.0,kvdb v0.4.0,kvdb-rocksdb v0.1.6. - paste 1.0.14: Advisory RUSTSEC-2024-0436 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
syn-solidity v0.7.5. - proc-macro-error 1.0.4: Advisory RUSTSEC-2024-0370 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
alloy-sol-macro v0.7.5,alloy-sol-macro-expander v0.7.5,getset v0.1.2,impl-tools v0.10.0,impl-tools-lib v0.10.0. - serde_cbor 0.11.2: Advisory RUSTSEC-2021-0127 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
criterion v0.3.6. - tempdir 0.3.7: Advisory RUSTSEC-2018-0017 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
cfxcore-accounts v0.1.0 (dev),cfxstore v0.2.1,cfxstore-cli v0.1.1 (dev),client v2.4.0,conflux v2.4.0,kvdb-rocksdb v0.1.6 (dev). - yaml-rust 0.3.5: Advisory RUSTSEC-2024-0320 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
clap v2.34.0. - yaml-rust 0.4.5: Advisory RUSTSEC-2024-0320 (Unmaintained) - Solution: No safe upgrade is available!. Pulled in by:
serde_yaml v0.8.26,log4rs v1.3.0. - crossbeam-channel 0.5.14: Yanked - Solution: cargo update -p crossbeam-channel. Pulled in by:
crossbeam v0.8.2. (Note: Also listed under High Urgency due to RUSTSEC-2025-0024). - futures-util 0.3.30: Yanked - Solution: cargo update -p futures-util. Pulled in by:
cfx-rpc-middlewares v2.4.0,cfx-tasks v2.4.0,futures v0.3.30,futures-executor v0.3.30,h2 v0.3.16,http-body-util v0.1.2,hyper v0.14.25,hyper v1.4.1,hyper-util v0.1.8,jsonrpc-core v18.0.0,jsonrpsee-client-transport v0.24.4,jsonrpsee-core v0.24.4,jsonrpsee-server v0.24.4,reqwest v0.11.15,reqwest v0.12.9,tower v0.4.13.