Please unpin lru

[andrewhop]

The S3 crate is pinned to lru 0.16.3 which is affected by GHSA-rhfx-m35p-ff5j and is being picked up by my dependency scanner. Based on the comment in your Cargo.toml it's auto generated but I can't figure out how. Please consider updating to 0.16.4 or 0.17.0. Additionally it would be nice to not specify so many parts of the semantic version so updates are picked up automatically and applications that want reproducible builds can use their lock file.

[landonxjames]

Maybe I am reading it incorrectly, but 0.16.3 does not seem to be impacted by the linked GHSA since it is listed as the patched version?

Package      Affected versions      Patched versions
lru          >= 0.9.0, < 0.16.3     0.16.3

Also, the entry in the S3 Cargo.toml you link is:

[dependencies.lru]
version = "0.16.3"

Which isn't pinning lru to 0.16.3 but is instead saying >=0.16.3, <0.17.0 (see docs), so it is free to resolve to a higher version that is still semver compatible. If it were pinned the entry would be version = "=0.16.3".

Was a particular tool like cargo audit showing this as a violation?

[jlizen]

can you share a sanitized version of your cargo tree @andrewhop ? as well as verify behavior after flushing cargo lockfile and syncing with crates.io?