Remove explicit 'url' version pin from Cargo.toml to address RUSTSEC-2024-0421

[acpiccolo]

The 'idna' crate has a known security vulnerability that is exploited by your specified 'url' version 2.5.0. Details can be found in the Rust Security Advisory Database RUSTSEC-2024-0421.

Since the 'url' crate is not used directly in the project's source code, I removed it completely from the Cargo.toml file. This successfully resolved the security warning on my Linux system.

Is the version pin really necessary, and could the version pin for the “time” dependency perhaps also be removed?

[adnan-kamili]

@ahmad-kemsan FYI

[ahmad-kemsan]

Hi @acpiccolo,

Thank you for bringing this security issue to our attention.

You are correct — the url dependency was pinned to =2.5.0 in order to control our MSRV. Since url is only a transitive dependency (coming from ureq) and not used directly in our code, this pin prevented Cargo from resolving newer versions that address the RUSTSEC-2024-0421 advisory.

We have decided to update our approach: rather than pinning transitive dependencies to enforce MSRV, we will allow the MSRV to evolve naturally with our dependency graph. This avoids version conflicts and reduces the risk of blocking security fixes for downstream users.

We will remove the url version pin from Cargo.toml, which will allow Cargo to pick a patched version and resolve the security advisory automatically. This fix will be included in the next release.

[acpiccolo]

Hi @ahmad-kemsan,

I hope you are well and wish you a happy new year! When will the next version be released? This problem has been known for a month now, and the solution seems clear. Are there any problems with it?

[adnan-kamili]

Hi @acpiccolo , @ahmad-kemsan will be available after two weeks, so this may get delayed.