kenianbei/vcard_parser

Switch from chrono to time?

Closed this issue · 3 comments

tmpfs commented

I am evaluating using this library but there is a problem with the chrono dependency using an old version of time which is vulnerable to a potential segfault. This is the cargo audit output:

```
Crate:         time
Version:       0.1.44
Title:         Potential segfault in the time crate
Date:          2020-11-18
ID:            RUSTSEC-2020-0071
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0071
Solution:      Upgrade to >=0.2.23
Dependency tree:
time 0.1.44
└── chrono 0.4.22
    └── vcard_parser 0.1.0
        └── vcard-test 0.1.0

error: 1 vulnerability found!
```

Recent versions of time do not have this vulnerability and in most cases it is possible to replace chrono with time completely.

Would you be interested in a PR that switches chrono for time?

kenianbei commented

Yes, I briefly looked at this and thought that it had been fixed, but now that I look more closely I see that time 0.1 is a dep of chrono when set with default features. I just committed a fix that replaces chrono with time. I will release once the other couple issues are cleaned up.

tmpfs commented

Thanks @kenianbei, look forward to seeing this land and taking your parser for a spin 🙏

tmpfs commented

Oops, I see you published already, thanks!