
Rust

Rust #7908

GitHub Actions / Security audit succeeded Nov 20, 2025 in 0s

Security advisories found

10 unmaintained, 1 unsound, 1 other

Details

Warnings

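### RUSTSEC-2025-0052

> async-std has been discontinued

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `async-std`                      |
| Version             | `1.13.0`                   |
| URL                 | [https://github.com/async-rs/async-std](https://github.com/async-rs/async-std) |
| Date                | 2025-08-24                         |

`async-std` has been discontinued.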

Alternatives:

### RUSTSEC-2025-0012

> backoff is unmaintained.

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `backoff`                      |
| Version             | `0.4.0`                   |
| URL                 | ihrwein/backoff#66 |
| Date                | 2025-03-04                         |

The `backoff` crate is no longer actively maintained. For exponential backoffs/retrying, you can use the `backon` crate.

### RUSTSEC-2024-0388

> derivative is unmaintained; consider using an alternative

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `derivative`                      |
| Version             | `2.2.0`                   |
| URL                 | mcarton/rust-derivative#117 |
| Date                | 2024-06-26                         |

The `derivative` crate is no longer maintained.
Consider using any alternative, for instance:

### RUSTSEC-2025-0057

> fxhash - no longer maintained

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `fxhash`                      |
| Version             | `0.2.1`                   |
| URL                 | cbreeden/fxhash#20 |
| Date                | 2025-09-05                         |

The `fxhash` crate is no longer maintained.

The repository is stale and the owner is no longer active on GitHub.

Please take a look at `rustc-hash` instead.

### [RUSTSEC-2024-0384](https://rustsec.org/advisories/RUSTSEC-2024-0384.html)

> `instant` is unmaintained

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `instant`                      |
| Version             | `0.1.13`                   |
| Date                | 2024-09-01                         |

This crate is no longer maintained, and the author recommends using the maintained [`web-time`] crate instead.

[`web-time`]: https://crates.io/crates/web-time

### [RUSTSEC-2020-0168](https://rustsec.org/advisories/RUSTSEC-2020-0168.html)

> mach is unmaintained

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `mach`                      |
| Version             | `0.3.2`                   |
| URL                 | [https://github.com/fitzgen/mach/issues/63](https://github.com/fitzgen/mach/issues/63) |
| Date                | 2020-07-14                         |

Last release was almost 4 years ago.

Maintainer(s) seem to be completely unreachable. 

## Possible Alternative(s)

These may or may not be suitable alternatives and have not been vetted in any way:

- [mach2](https://crates.io/crates/mach2) - direct fork

### [RUSTSEC-2022-0061](https://rustsec.org/advisories/RUSTSEC-2022-0061.html)

> Crate `parity-wasm` deprecated by the author

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `parity-wasm`                      |
| Version             | `0.45.0`                   |
| URL                 | [https://github.com/paritytech/parity-wasm/pull/334](https://github.com/paritytech/parity-wasm/pull/334) |
| Date                | 2022-10-01                         |

[This PR](https://github.com/paritytech/parity-wasm/pull/334) explicitly deprecates `parity-wasm`.
The author recommends switching to [wasm-tools](https://github.com/bytecodealliance/wasm-tools).

### [RUSTSEC-2024-0436](https://rustsec.org/advisories/RUSTSEC-2024-0436.html)

> paste - no longer maintained

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `paste`                      |
| Version             | `1.0.15`                   |
| URL                 | [https://github.com/dtolnay/paste](https://github.com/dtolnay/paste) |
| Date                | 2024-10-07                         |

The creator of the crate `paste` has stated in the [`README.md`](https://github.com/dtolnay/paste/blob/master/README.md)
that this project is no longer maintained, and has archived the repository.

## Possible Alternative(s)

- [pastey](https://crates.io/crates/pastey), a fork of `paste` that aims to be a drop-in replacement for the `paste` crate, with additional features

### [RUSTSEC-2024-0370](https://rustsec.org/advisories/RUSTSEC-2024-0370.html)

> proc-macro-error is unmaintained

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `proc-macro-error`                      |
| Version             | `1.0.4`                   |
| URL                 | [https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20](https://gitlab.com/CreepySkeleton/proc-macro-error/-/issues/20) |
| Date                | 2024-09-01                         |

proc-macro-error's maintainer seems to be unreachable, with no commits for 2 years, no releases pushed for 4 years, and no activity on the GitLab repo or response to email.

proc-macro-error also depends on `syn 1.x`, which may be bringing duplicate dependencies into dependent build trees.

## Possible Alternative(s)

- [manyhow](https://crates.io/crates/manyhow)
- [proc-macro-error2](https://crates.io/crates/proc-macro-error2)
- [proc-macro2-diagnostics](https://github.com/SergioBenitez/proc-macro2-diagnostics)

### [RUSTSEC-2025-0010](https://rustsec.org/advisories/RUSTSEC-2025-0010.html)

> Versions of *ring* prior to 0.17 are unmaintained.

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unmaintained                |
| Package             | `ring`                      |
| Version             | `0.16.20`                   |
| URL                 | [https://github.com/briansmith/ring/discussions/2450](https://github.com/briansmith/ring/discussions/2450) |
| Date                | 2025-03-05                         |

*ring* 0.16.20 was released over 4 years ago and isn't maintained, tested, etc.

Additionally, the project's general policy is to only patch the latest release,
which is 0.17.12 now. It will be difficult for anybody to backport future fixes
to versions earlier than 0.17.10 due to license changes.

### [RUSTSEC-2024-0442](https://rustsec.org/advisories/RUSTSEC-2024-0442.html)

> Dump Undefined Memory by `JitDumpFile`

| Details             |                                                |
| ------------------- | ---------------------------------------------- |
| Status              | unsound                |
| Package             | `wasmtime-jit-debug`                      |
| Version             | `8.0.1`                   |
| URL                 | [https://github.com/bytecodealliance/wasmtime/issues/8905](https://github.com/bytecodealliance/wasmtime/issues/8905) |
| Date                | 2024-07-06                         |

The function `dump_code_load_record` is unsound: it uses `from_raw_parts` to convert
the pointer `addr` and `len` directly into a slice without any validation, and that
memory block is then dumped.

Thus, the 'safe' function `dump_code_load_record` is actually 'unsafe', since it requires
the caller to guarantee that `addr` is valid and that `len` does not overflow.
Otherwise, the function could illegally dump memory into a file, causing a memory leak.

> **Note**: this is an internal-only crate in the Wasmtime project not intended for
> external use and is more strongly signaled nowadays as of
> [bytecodealliance/wasmtime#10963](https://github.com/bytecodealliance/wasmtime/pull/10963).
> Please open an issue in Wasmtime if you're using this crate directly.

### Crate `critical-section` is yanked

No extra details provided.