osv-scanner doesn't detect yanked versions, such as yanked crate version https://crates.io/crates/url/2.5.3
deps.dev knows this version is deprecated - see https://deps.dev/cargo/url/2.5.3
There is no CVE listed for this https://osv.dev/list?q=url&ecosystem=crates.io
But given that servo/rust-url#999 is the only PR in v2.5.4 , and it landed in v2.5.3 , there is a good chance that it is the problem.
And very likely that problem is a large one, probably even CVE territory.
And that is commonly why versions are yanked - a problem is found & fixed before a CVE has been created.
And because it is a yanked version, quite likely nobody will invest in creating a CVE.
Note https://github.com/EmbarkStudios/cargo-deny does detect yanked versions in the lock file, and most Rust projects will be using cargo-deny (however I am often asked why we use both cargo-deny and osv-scanner), so it isn't an urgent problem for me.

[image: cargo deny output (in red!)]
That said, the tooling for other ecosystems may not be tuned to treat yanked versions as probable CVEs. NPM's left-pad yanking problem probably still has many people wary of trusting yanks ("unpublish"), so it would be good IMO to have osv-scanner detecting & reporting these.
There is a bit of overlap with google/osv.dev#2407
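The check the issue asks for, as an added example that is not part of the issue, of osv-scanner, or of cargo-deny: read the `[[package]]` entries of a `Cargo.lock`, look each crates.io package up in its sparse-index file (`https://index.crates.io/` serves one JSON-lines file per crate, each line carrying a `vers` and a `yanked` field), and report any locked version whose entry is yanked. The lock file and the index lines below are constructed for the example; the index entries only mimic the `vers`/`yanked` fields and are not real index content, and the `2.5.3` yanked flag is set to match the `url` case discussed above.

```python
"""Report yanked crates.io versions in a Cargo.lock (added example, not project code)."""
import json
import re

CRATES_IO_SOURCE = "registry+https://github.com/rust-lang/crates.io-index"


def index_path(name: str) -> str:
    """Path of a crate's file within the crates.io sparse index.

    Layout: 1-char names under 1/, 2-char under 2/, 3-char under 3/<first>/,
    longer names under <first two>/<next two>/<name>, all lower-cased.
    """
    n = name.lower()
    if len(n) == 1:
        return f"1/{n}"
    if len(n) == 2:
        return f"2/{n}"
    if len(n) == 3:
        return f"3/{n[0]}/{n}"
    return f"{n[:2]}/{n[2:4]}/{n}"


def parse_cargo_lock(text: str) -> list[dict]:
    """Minimal parser for the [[package]] tables of a Cargo.lock.

    Cargo.lock is TOML (tomllib on Python 3.11+ parses it fully); this reads
    only the simple 'key = "string"' lines, which is all the check needs.
    """
    packages: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):
            current = None  # [metadata], [[patch.unused]] and the like
        elif current is not None:
            m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def load_index_file(jsonl: str) -> dict[str, bool]:
    """Map each version in one sparse-index file to its yanked flag."""
    yanked: dict[str, bool] = {}
    for line in jsonl.splitlines():
        if line.strip():
            entry = json.loads(line)
            yanked[entry["vers"]] = bool(entry.get("yanked", False))
    return yanked


def find_yanked(lock_text: str, index_files: dict[str, str]) -> list[tuple[str, str]]:
    """Return (name, version) for every crates.io package whose locked version is yanked.

    index_files maps index_path(name) -> contents of that sparse-index file
    (in a real scanner these would be fetched from https://index.crates.io/).
    """
    hits = []
    for pkg in parse_cargo_lock(lock_text):
        if pkg.get("source") != CRATES_IO_SOURCE:
            continue  # path and git dependencies have no registry index entry
        index = index_files.get(index_path(pkg["name"]))
        if index is None:
            continue  # crate not in the index snapshot we were given
        if load_index_file(index).get(pkg["version"], False):
            hits.append((pkg["name"], pkg["version"]))
    return hits


# Constructed sample lock file: url 2.5.3 from crates.io, serde from crates.io, one path dep.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
 "url",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "url"
version = "2.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
"""

# Constructed index files (only vers/yanked are meaningful here).
SAMPLE_INDEX = {
    "3/u/url": "\n".join([
        json.dumps({"name": "url", "vers": "2.5.2", "yanked": False}),
        json.dumps({"name": "url", "vers": "2.5.3", "yanked": True}),
        json.dumps({"name": "url", "vers": "2.5.4", "yanked": False}),
    ]),
    "se/rd/serde": json.dumps({"name": "serde", "vers": "1.0.210", "yanked": False}),
}

if __name__ == "__main__":
    for name, version in find_yanked(SAMPLE_LOCK, SAMPLE_INDEX):
        print(f"WARNING: {name} {version} is yanked on crates.io")
```

Because a yank carries no advisory, the scanner can only flag the version; deciding whether the replacement release is a security fix still needs a human to read the crate's changelog or the PR that landed between the yanked and the following version, as was done for `url` above.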