Update rustsec-audit.yml to include additional security advisory RUST… #1790
GitHub Actions / Security audit
succeeded
Nov 13, 2025 in 0s
Security advisories found
10 unmaintained, 1 unsound, 1 other
Details
Warnings
### RUSTSEC-2025-0052
> async-std has been discontinued
| Details | |
|---|---|
| Status | unmaintained |
| Package | async-std |
| Version | 1.13.0 |
| URL | https://github.com/async-rs/async-std |
| Date | 2025-08-24 |
The async-std has been discontinued.
Alternatives:
### RUSTSEC-2025-0012
> backoff is unmaintained.
| Details | |
|---|---|
| Status | unmaintained |
| Package | backoff |
| Version | 0.4.0 |
| URL | ihrwein/backoff#66 |
| Date | 2025-03-04 |
The backoff crate is no longer actively maintained. For exponential backoffs/retrying, you can use the backon crate.
### RUSTSEC-2024-0388
> derivative is unmaintained; consider using an alternative
| Details | |
|---|---|
| Status | unmaintained |
| Package | derivative |
| Version | 2.2.0 |
| URL | mcarton/rust-derivative#117 |
| Date | 2024-06-26 |
The derivative crate is no longer maintained.
Consider using any alternative, for instance:
### RUSTSEC-2025-0057
> fxhash - no longer maintained
| Details | |
|---|---|
| Status | unmaintained |
| Package | fxhash |
| Version | 0.2.1 |
| URL | cbreeden/fxhash#20 |
| Date | 2025-09-05 |
The fxhash crate is no longer maintained.
The repository is stale and owner is no longer active on GitHub.
Please take a look at rustc-hash instead.
### [RUSTSEC-2024-0384](https://rustsec.org/advisories/RUSTSEC-2024-0384.html)
> `instant` is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `instant` |
| Version | `0.1.13` |
| Date | 2024-09-01 |
This crate is no longer maintained, and the author recommends using the maintained [`web-time`] crate instead.
[`web-time`]: https://crates.io/crates/web-time
### [RUSTSEC-2020-0168](https://rustsec.org/advisories/RUSTSEC-2020-0168.html)
> mach is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `mach` |
| Version | `0.3.2` |
| URL | [https://github.com/fitzgen/mach/issues/63](https://github.com/fitzgen/mach/issues/63) |
| Date | 2020-07-14 |
Last release was almost 4 years ago.
Maintainer(s) seem to be completely unreachable.
## Possible Alternative(s)
These may or may not be suitable alternatives and have not been vetted in any way;
- [mach2](https://crates.io/crates/mach2) - direct fork
### [RUSTSEC-2022-0061](https://rustsec.org/advisories/RUSTSEC-2022-0061.html)
> Crate `parity-wasm` deprecated by the author
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `parity-wasm` |
| Version | `0.45.0` |
| URL | [https://github.com/paritytech/parity-wasm/pull/334](https://github.com/paritytech/parity-wasm/pull/334) |
| Date | 2022-10-01 |
[This PR](https://github.com/paritytech/parity-wasm/pull/334) explicitly deprecates `parity-wasm`.
The author recommends switching to [wasm-tools](https://github.com/bytecodealliance/wasm-tools).
### [RUSTSEC-2024-0436](https://rustsec.org/advisories/RUSTSEC-2024-0436.html)
> paste - no longer maintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `paste` |
| Version | `1.0.15` |
| URL | [https://github.com/dtolnay/paste](https://github.com/dtolnay/paste) |
| Date | 2024-10-07 |
The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
that this project is no longer maintained and has archived the repository.
## Possible Alternative(s)
- [pastey](https://crates.io/crates/pastey), a fork of paste that aims to be a drop-in replacement for the paste crate with additional features
### [RUSTSEC-2024-0370](https://rustsec.org/advisories/RUSTSEC-2024-0370.html)
> proc-macro-error is unmaintained
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `proc-macro-error` |
| Version | `1.0.4` |
| URL | [https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20](https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20) |
| Date | 2024-09-01 |
proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.
proc-macro-error also depends on `syn 1.x`, which may be bringing duplicate dependencies into dependent build trees.
## Possible Alternative(s)
- [manyhow](https://crates.io/crates/manyhow)
- [proc-macro-error2](https://crates.io/crates/proc-macro-error2)
- [proc-macro2-diagnostics](https://github.com/SergioBenitez/proc-macro2-diagnostics)
### [RUSTSEC-2025-0010](https://rustsec.org/advisories/RUSTSEC-2025-0010.html)
> Versions of *ring* prior to 0.17 are unmaintained.
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unmaintained |
| Package | `ring` |
| Version | `0.16.20` |
| URL | [https://github.com/briansmith/ring/discussions/2450](https://github.com/briansmith/ring/discussions/2450) |
| Date | 2025-03-05 |
*ring* 0.16.20 was released over 4 years ago and isn't maintained, tested, etc.
Additionally, the project's general policy is to only patch the latest release,
which is 0.17.12 now. It will be difficult for anybody to backport future fixes
to versions earlier than 0.17.10 due to license changes.
### [RUSTSEC-2024-0442](https://rustsec.org/advisories/RUSTSEC-2024-0442.html)
> Dump Undefined Memory by `JitDumpFile`
| Details | |
| ------------------- | ---------------------------------------------- |
| Status | unsound |
| Package | `wasmtime-jit-debug` |
| Version | `8.0.1` |
| URL | [https://github.com/bytecodealliance/wasmtime/issues/8905](https://github.com/bytecodealliance/wasmtime/issues/8905) |
| Date | 2024-07-06 |
The unsound function `dump_code_load_record` uses `from_raw_parts` to convert the pointer
`addr` and `len` directly into a slice without any validation, and that memory block
is then dumped.
Thus, the 'safe' function `dump_code_load_record` is actually 'unsafe', since it requires
the caller to guarantee that `addr` is valid and that `len` does not overflow.
Otherwise, the function could illegally dump the memory into the file, causing a memory leak.
> **Note**: this is an internal-only crate in the Wasmtime project not intended for
external use and is more strongly signaled nowadays as of
[bytecodealliance/wasmtime#10963](https://github.com/bytecodealliance/wasmtime/pull/10963).
Please open an issue in Wasmtime if you're using this crate directly.
### Crate `critical-section` is yanked
No extra details provided.