From 703a25efadb7717507e8030831939add634ffb41 Mon Sep 17 00:00:00 2001 From: Matt Riggott Date: Sat, 2 Jul 2022 20:03:22 +0000 Subject: [PATCH] Update stderrlog dependency to v0.5.1 Oxipng has an optional dependency on stderrlog, which itself has a dependency on thread_local. Versions of thread_local < 1.1.4 have a vulnerability caused by a data race in Iter and IterMut. Updating to stderrlog v0.5.1 ensures that Oxipng uses a patched version of thread_local. https://rustsec.org/advisories/RUSTSEC-2022-0006.html --- Cargo.lock | 4 ++-- Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3e5f0d16..22bbc5aa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -506,9 +506,9 @@ checksum = "a4a3381e03edd24287172047536f20cabde766e2cd3e65e6b00fb3af51c4f38d" [[package]] name = "stderrlog" -version = "0.5.1" +version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45a53e2eff3e94a019afa6265e8ee04cb05b9d33fe9f5078b14e4e391d155a38" +checksum = "5b81364c25bf70a0f9beae4ae704d466bf37e704e887ebac89eb9a28d01d491f" dependencies = [ "atty", "chrono", diff --git a/Cargo.toml b/Cargo.toml index 8926b0bb..19c28bf7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -33,7 +33,7 @@ rgb = "0.8.25" indexmap = "1.6.1" libdeflater = { version = "0.8.0", optional = true } log = "0.4.14" -stderrlog = { version = "0.5.1", optional = true } +stderrlog = { version = "0.5.2", optional = true } crossbeam-channel = "0.5.0" [dependencies.filetime]