minor: remove time transitive dep and clock feature flag from chrono #316

Merged
merged 2 commits into from
Nov 8, 2021

roccodev
Contributor

Currently, chrono depends on a really old version of time, which is affected by CVE-2020-26235.
This dependency is withheld by the oldtime feature in chrono, which is enabled by default.

Unfortunately, Cargo doesn't support disabling specific default features just yet, so the only way to get rid of the default feature is to re-import them all.

Code-wise, all tests seem to pass and I couldn't find any re-exports of the time crate (or even chrono's replacements, for that matter), so this shouldn't break the API.

@patrickfreed
Contributor

Hi @roccodev, thanks for the PR! It looks like chrono itself is also vulnerable to this issue when it has the clock feature flag enabled. Could you update this to disable that feature as well? I don't believe we need it.

@roccodev
Contributor Author

roccodev commented Nov 8, 2021

Disabling the feature worked, though it's still needed for tests as they use Utc::now().
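
The dependency change discussed in this thread, written out as a constructed `Cargo.toml` fragment. It is an added example, not the diff merged in this PR; the `0.4` version requirement and the choice of `std` as the only feature the library keeps are assumptions.

```toml
# Constructed Cargo.toml fragment for a hypothetical library crate.

# Before: default features are left on, so chrono's default set is enabled.
# That set includes "oldtime" (which pulls in the old `time` crate) and "clock".
#
# [dependencies]
# chrono = "0.4"

# After: Cargo cannot switch off a single default feature, so all defaults
# are disabled and only the features the library needs are listed back.
# "oldtime" and "clock" are left out; "std" is an assumed requirement.
[dependencies]
chrono = { version = "0.4", default-features = false, features = ["std"] }

# The tests call Utc::now(), which needs "clock". Enabling it here limits it
# to test, example and bench builds; crates that depend on this library never
# build its dev-dependencies.
[dev-dependencies]
chrono = { version = "0.4", default-features = false, features = ["std", "clock"] }
```

Because Cargo unifies features across dependency sections, the dev-dependency entry also sets `default-features = false`; otherwise test builds would bring `oldtime` back. `cargo tree -i time` shows what, if anything, still depends on `time`.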

Contributor

@patrickfreed patrickfreed left a comment

LGTM, thanks for your contribution! Tagging in the other team members for review.

Contributor

@abr-egn abr-egn left a comment

LGTM!

Contributor

@isabelatkinson isabelatkinson left a comment

LGTM, can we update the PR title to begin with "minor:" before merging?

@patrickfreed patrickfreed merged commit 563f382 into mongodb:master Nov 8, 2021
@patrickfreed patrickfreed changed the title from "deps: Remove time transitive dep from chrono" to "minor: remove time transitive dep and clock feature flag from chrono" Nov 8, 2021