Refinery dependency on chrono leads to security issues #191
Comments
Hi, and thanks for your interest! Yeah I plan to add
@jxs thanks for the response! Unfortunately I'm working with refinery in a company context, and our company is very small (I'm the only Rust dev there). There are no resources to spend there at all. So sorry for that, but still thanks for the project!
Hi, no worries :) It's fixed now. I will also add
Yaay, thanks! 🎉
Hi. Currently, refinery_core depends on chrono: https://github.com/rust-db/refinery/blob/main/refinery_core/Cargo.toml#L22

chrono in turn seems to have a security issue that isn't fixed for a long while already: https://rustsec.org/advisories/RUSTSEC-2020-0159

Which is raised in the bug tracker as well (see also the last comments there): chronotope/chrono#499

Currently many libraries are evaluating ways to move away from chrono, such as depending on time directly (example).

Question: is it possible for refinery_core to not depend on chrono and thus eliminate the troublesome library from its dependencies? What can we do?