
Disabling default features on the chrono crate #210

Merged
eminence merged 1 commit into eminence:master from DevlabSecurity:master
Nov 9, 2022

Conversation

@Will-Low
Contributor

Situation

The chrono crate depends on an outdated version of the time crate, which has a known vulnerability. chrono apparently does not use the vulnerable element, but it has breaking backwards compatibility issues and will not be removed until they upgrade the major version. There is a workaround suggested in chronotope/chrono#602 (comment). I've compiled it myself and confirm the vulnerable crate no longer is a dependency in Cargo.lock.

Target

Remove the vulnerability to prevent vulnerability-tool noise.

Proposal

In accordance with the workaround, disable the default features of chrono and instead replace it with the "clock" feature, which does not compile the vulnerable crate.
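As an added illustration (not a file from the PR or from the procfs project), this is the Cargo.toml change the proposal describes; the chrono version string is an assumption, since the PR text does not state it:

```toml
[dependencies]
# Before: with default features enabled, chrono's optional dependency on the
# outdated time crate is compiled in and lands in Cargo.lock.
# chrono = "0.4"   # version is an assumption, not taken from the PR

# After: opt out of default features and enable only "clock", the feature the
# PR (following chronotope/chrono#602) keeps. The outdated time crate is no
# longer resolved, so it disappears from Cargo.lock.
chrono = { version = "0.4", default-features = false, features = ["clock"] }
```

After regenerating the lockfile, `cargo tree -i time` shows which crates still pull in the time crate; with the change applied it should report no matching package, which is the Cargo.lock result the author describes.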

@eminence
Owner

Hi, sorry for the delay in sending a reply. Thanks for this PR. My understanding is that this change is fully semver compatible, since it's only removing features that procfs never used in the first place. Is that right?

@eminence
Owner

eminence commented Nov 9, 2022

This change still looks good to me, so I'm going ahead and merging this.

@eminence eminence merged commit 6e53463 into eminence:master Nov 9, 2022